The built-in Administrator account is often a target of attackers because it is a well-known account with complete control of the system. Furthermore, the account lockout policy does not apply to this account, so brute-force attacks will not lock it. Despite the fact you can rename the account with the Accounts: Rename administrator account setting, the recommended approach is to disable this account. Enumerating user account names is one of the first steps attackers undertake. Note that in case of issues like a broken domain trust, you will need to reboot the system to safe mode, where the account is always enabled, or have another local account with administrator privileges available.

Accounts: Block Microsoft accounts - Users can't add or log on with Microsoft accounts

Users should be able to use only accounts your organization provides. This option will prevent access to Microsoft online accounts.

Even though the Guest account has no rights by default, it is a best practice to disable it completely and rename it with the Accounts: Rename guest account option.

TIP: Renaming the Guest account to Administrator is a good trick on attackers: they think they are trying to hack the Administrator account, but in reality, they are hacking an account with no permissions. This may slow down an attack.

Accounts: Limit local account use of blank passwords to console logon only - Enabled

There may be some leftover local accounts with no passwords, which is far from secure. Enabling this setting ensures no one can use such accounts for Remote Desktop Protocol (RDP) connections or network access to a share. Physical access to the keyboard (or VMware console) is required to use such accounts.

Settings related to built-in accounts

Interactive logon

Interactive logon: Do not display last user name - Disabled

Normally, when Windows boots up, it shows the username of the last logged-on user. An attacker could use it to discover your naming convention and then guess other usernames.

Interactive logon: Do not require CTRL+ALT+DEL - Disabled

This well-known key combination prevents exploits that present users with a fake logon screen, capturing entered credentials.

Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 2

Cached logons are stored on the local filesystem. If an attacker gains access to the filesystem, he can also find these cached logons. It is not very common that a domain-joined server can't reach domain controllers to authenticate a user.

Interactive logon: Require Domain Controller authentication to unlock workstation - Enabled

Enabling this setting ensures that changes to user accounts apply to users already logged on. For example, disabling a user account means no one can use it any longer to unlock a previously logged-on session. If you are working offline, this setting is not applied.

User Account Control: Admin Approval Mode for the Built-in Administrator account - Enabled
User Account Control: Run all administrators in Admin Approval Mode - Enabled

These two settings control whether UAC is enabled or not. By default, the first option is set to disabled; if you are logged on as Administrator, everything is running with elevated privileges. It is a best practice to enable UAC for the Administrator account also.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for consent on the secure desktop
User Account Control: Switch to the secure desktop when prompting for elevation - Enabled
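
The account, logon and UAC values recommended on this page can be checked offline against a file produced by `secedit /export /cfg`. The Python below is an added example, not code from the original page; the registry value names it maps the settings to and the sample export are this example's assumptions, and it covers only the settings listed in `BASELINE`.

```python
P = "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
W = "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
L = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
# Expected values follow the page; the value names are this example's assumption.
BASELINE = {
    "EnableAdminAccount": "0",              # built-in Administrator disabled
    "EnableGuestAccount": "0",              # Guest disabled
    P + "NoConnectedUser": "3",             # can't add or log on with Microsoft accounts
    L + "LimitBlankPasswordUse": "1",       # blank passwords: console logon only
    P + "DisableCAD": "0",                  # CTRL+ALT+DEL stays required
    W + "CachedLogonsCount": "2",           # number of cached logons
    W + "ForceUnlockLogon": "1",            # DC authentication to unlock
    P + "EnableLUA": "1",                   # all administrators in Admin Approval Mode
    P + "FilterAdministratorToken": "1",    # Admin Approval Mode for built-in Administrator
    P + "ConsentPromptBehaviorAdmin": "2",  # prompt for consent on the secure desktop
    P + "PromptOnSecureDesktop": "1",       # secure desktop when prompting
}

def parse_secedit(text):
    """Return {lowercased name: value} from [System Access] and [Registry Values]."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section in ("system access", "registry values"):
            name, value = (p.strip() for p in line.split("=", 1))
            if section == "registry values":
                # Data is "<type>,<value>": 4 = REG_DWORD, 1 = REG_SZ (quoted).
                value = value.split(",", 1)[-1]
            found[name.lower()] = value.strip().strip('"')
    return found

def audit(text):
    """List (setting, expected, found) for every deviation; found is None if not defined."""
    found = parse_secedit(text)
    return [(n.rsplit("\\", 1)[-1], want, found.get(n.lower()))
            for n, want in BASELINE.items() if found.get(n.lower()) != want]

# Constructed sample export (not taken from a real host).
SAMPLE = r"""[System Access]
EnableAdminAccount = 1
EnableGuestAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A real export is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`. A setting reported as `None` is absent from the export, which means the host is using its default and should be reviewed by hand.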