Rename the Administrator

What is a one sentence summary of your feature request?

Check if the Administrator Account has been renamed

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Create a new rule “P-AdminName”

The idea is based on two aspects:

  1. General security recommendations (for example, as stated in the CIS Baseline), and
  2. An account lockout issue involving the built-in domain administrator caused by local administrators on other computers.

Regarding point 1:

2.3.1.3 (L1) Configure ‘Accounts: Rename administrator account’

The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created.

Source: Center for Internet Security, non-commercial download area (CIS Benchmarks)


Regarding point 2:
Logged-on sessions that (accidentally) attempt to authenticate to a domain controller or member server may send the local user “Administrator” and its credentials via NTLM to the target. This can lead to validation against a local “Administrator” account and, in some cases, authentication attempts against the Active Directory “Administrator” account as well.

How do you currently solve the challenges you have by not having this feature?

  • Verify manually whether the built-in Administrator account (SID -500) still uses the default name “Administrator” or “Administrador” (as seen in Spanish environments).
  • Address point 2 in combination with the LAPS (Local Administrator Password Solution) configuration, to ensure proper handling of local admin accounts and prevent credential overlap.

Conclusion
Rename the domain administrator account and ensure that local usernames differ from administrative accounts.

Additional Links


Great Idea. Simple and effective. We would probably just stick with checking the RID 500 account to see if it has a known variation of Administrator, as there are a bunch.

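A check along the lines of the request and the reply above, resolving the RID-500 account by SID (so a rename cannot hide it) and comparing its name against known default variations. This is an added PowerShell example, not part of the feature request or the product's own rule; it assumes the ActiveDirectory RSAT module is present for the domain part, and the list of default names and the default description string are illustrative values to extend for your environment.

```powershell
# Known default names of the built-in account across Windows language packs
# (illustrative list; extend to match the languages used in your environment).
$KnownDefaults = @('Administrator', 'Administrador', 'Administrateur', 'Administratör')
# Default description Windows assigns to the account (assumed value; adjust if yours differs).
$DefaultDescription = 'Built-in account for administering the computer/domain'

function Test-BuiltInAdminRenamed {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Sid,
        [string] $Description = ''
    )
    # Only the well-known RID 500 account is the built-in Administrator.
    if ($Sid -notmatch '-500$') { throw "Expected the RID-500 account, got SID $Sid" }

    # -contains compares strings case-insensitively in PowerShell.
    $isDefaultName = $KnownDefaults -contains $SamAccountName

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        SID                 = $Sid
        Renamed             = -not $isDefaultName
        # CIS also recommends avoiding names that hint at elevated access.
        DenotesAdmin        = ($SamAccountName -match 'admin')
        DefaultDescription  = ($Description -eq $DefaultDescription)
    }
}

# Domain: look the account up by "<domain SID>-500" rather than by name.
$domain      = Get-ADDomain
$domainAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Description
Test-BuiltInAdminRenamed -SamAccountName $domainAdmin.SamAccountName `
                         -Sid $domainAdmin.SID.Value `
                         -Description ([string]$domainAdmin.Description)

# Local SAM: member servers and workstations only (domain controllers have no local accounts).
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($localAdmin) {
    Test-BuiltInAdminRenamed -SamAccountName $localAdmin.Name `
                             -Sid $localAdmin.SID.Value `
                             -Description ([string]$localAdmin.Description)
}
```

An account reported with Renamed = False, DenotesAdmin = True or DefaultDescription = True would be the finding the proposed rule flags.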