#1 | Guest

HomeUser requesting help w MBSA 2.1 results

Hello everyone,

I'm a home user and I got some STARTLING results after running a security scan using Microsoft's Baseline Security Analyzer Beta 2.1.

It spotted a user account on my computer that I didn't even know existed!

In the UAC, I set up a standard user account (called "P & L") for everyday use. I also set up an administrator account (called "root"), to use whenever I have to make system changes. The report from MBSA showed an additional administrator account called "administrator"!

How did it get there? More importantly, how do I get rid of it? We do not need two administrators.
#2 | Guest

Forgot to mention one thing . . .

I forgot to mention that this "administrator" account does not show up in the UAC. The "root" account appears there, "P & L" appears, "guest" appears but is turned off. I'm running Vista Home Basic.
____________________________________

"Paul" wrote:
> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security scan using Microsoft's Baseline Security Analyzer Beta 2.1.
>
> It spotted a user account on my computer that I didn't even know existed!
>
> In the UAC, I set up a standard user account (called "P & L") for everyday use. I also set up an administrator account (called "root"), to use whenever I have to make system changes. The report from MBSA showed an additional administrator account called "administrator"!
>
> How did it get there? More importantly, how do I get rid of it? We do not need two administrators.
#3 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

"Paul" <Paul@discussions.microsoft.com> wrote in message news:F9DCF2FB-12E8-4748-BBB1-4CA5CF08F28A@microsoft.com...
> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security scan using Microsoft's Baseline Security Analyzer Beta 2.1.
>
> It spotted a user account on my computer that I didn't even know existed!
>
> In the UAC, I set up a standard user account (called "P & L") for everyday use. I also set up an administrator account (called "root"), to use whenever I have to make system changes. The report from MBSA showed an additional administrator account called "administrator"!
>
> How did it get there? More importantly, how do I get rid of it? We do not need two administrators.

"Administrator" is the real default admin account that is disabled by default on your system. It is the only account that is not subject to UAC or any of the other restrictions that are placed even on accounts such as your root that are members of the administrators local group - so as you think of them as admin accounts.
It is meant to be there and disabled by default.
It should not be used except in extreme circumstances as your "root" will do for all your admin needs.

--
Mike Brannigan
#4 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

Paul wrote:
> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security scan using Microsoft's Baseline Security Analyzer Beta 2.1.
>
> It spotted a user account on my computer that I didn't even know existed!
>
> In the UAC, I set up a standard user account (called "P & L") for everyday use. I also set up an administrator account (called "root"), to use whenever I have to make system changes. The report from MBSA showed an additional administrator account called "administrator"!
>
> How did it get there? More importantly, how do I get rid of it? We do not need two administrators.

Hello,

This is normal.

The "Administrator" account is the built-in admin account. It is disabled by default, and in fact, the only time it becomes visible and usable (by default) is if you delete/disable all your other administrator accounts and restart the computer in safe mode.

If you're hooked to a domain, this account is never available for use by default.

You can view and tinker with this account using an elevated command prompt with the "net user" command.

- JB
#5 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

This is interesting, Mike. Perhaps I should delete "root" and make this "administrator" account my new "root" account. You say it shouldn't be used unless there are 'extreme circumstances'. What are these extreme circumstances?

I rarely log into my "root" account. I log into my "root" account when I have to do a series of administrative tasks that would, otherwise, require me to right-click and "run as administrator" many times in succession.

Funny, I thought that my "root" gave me complete and unhindered access to all files and folders. I didn't realize there was something "higher up".

Sincerely,
Paul
______________________________

"Mike Brannigan" wrote:
> "Administrator" is the real default admin account that is disabled by default on your system. It is the only account that is not subject to UAC or any of the other restrictions that are placed even on accounts such as your root that are members of the administrators local group - so as you think of them as admin accounts.
> It is meant to be there and disabled by default.
> It should not be used except in extreme circumstances as your "root" will do for all your admin needs.
> --
> Mike Brannigan
#6 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

Hello Jimmy, this is all news. Wow. The question now is whether or not I should delete the "root" account that I have been using, and use this "Administrator" account as my new root account. Are there any hazards to doing this? I'm asking this because I'd like a minimum of administrator accounts floating around.
_______________________________________

"Jimmy Brush" wrote:
> Hello,
>
> This is normal.
>
> The "Administrator" account is the built-in admin account. It is disabled by default, and in fact, the only time it becomes visible and usable (by default) is if you delete/disable all your other administrator accounts and restart the computer in safe mode.
>
> If you're hooked to a domain, this account is never available for use by default.
>
> You can view and tinker with this account using an elevated command prompt with the "net user" command.
>
> - JB
#7 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

"Paul" <Paul@discussions.microsoft.com> wrote in message news:A55143B9-78FE-4D68-B4A9-F8785D53FCEA@microsoft.com...
> This is interesting, Mike. Perhaps I should delete "root" and make this "administrator" account my new "root" account. You say it shouldn't be used unless there are 'extreme circumstances'. What are these extreme circumstances?
>

Interesting question - the "Administrator" account could be enabled for day to day use - but is extremely highly privileged in that it will ignore pretty much all the other security protections that are even in place around your root account. While some people object to the User Account Control popping up and checking if you really want to do something it is there for your protection so using the Administrator account may pose a risk to you and your system - imagine accidentally opening a file with a day zero exploit root kit or virus in it and this is now going to execute with absolutely nothing to stop it doing anything to hide itself and damage your system, etc.

I would advise keeping your root account and use that as your day to day admin - you are unlikely to even need the big A admin account.

> I rarely log into my "root" account. I log into my "root" account when I have to do a series of administrative tasks that would, otherwise, require me to right-click and "run as administrator" many times in succession.
>
> Funny, I thought that my "root" gave me complete and unhindered access to all files and folders. I didn't realize there was something "higher up".
>

Indeed an account that is made an administrator (small "a") is indeed an admin account but it is still subject to UAC and potentially requiring you to confirm some actions etc and some applications may require additional confirming permission elevation etc. The Administrator account bypasses all of this but obviously there is an inherent risk too, to your system's security by running tasks under extremely highly privileged accounts.

> Sincerely,
> Paul

--
Mike Brannigan
#8 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

Paul wrote:
> Hello Jimmy, this is all news. Wow. The question now is whether or not I should delete the "root" account that I have been using, and use this "Administrator" account as my new root account. Are there any hazards to doing this? I'm asking this because I'd like a minimum of administrator accounts floating around.
> _______________________________________
>

Well, there are some "negatives" to using the Administrator account.

1) By default, it runs outside of UAC. This reduces the security of your computer while you are logged in with that account. However, you can use local security policy to change this behavior and leave UAC on while logged in to this account.

2) It is well known by attackers - it's better IMHO to have and use a custom admin account with a custom name and account id.

- JB
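
A read-only way to check what the replies above describe, as an added example that is not part of the original thread or written by any of its posters: it lists the members of the local Administrators group, flags the built-in account by its RID of 500, and reads the UAC policy values. It assumes PowerShell is installed and WMI is available; the `EnableLUA` and `FilterAdministratorToken` registry values are the standard Windows UAC policy values, not names taken from the posts.

```powershell
# Added example: read-only audit of local administrator accounts and UAC state.
# Run from an elevated PowerShell prompt; it changes nothing.

# Local Administrators group, located by its well-known SID (S-1-5-32-544)
# so the lookup also works where the group name is localized.
$group = Get-WmiObject -Class Win32_Group `
    -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# User accounts that are members of that group.
$admins = @($group.GetRelated('Win32_UserAccount'))

# The built-in Administrator always has RID 500 (its SID ends in -500),
# whatever the account has been renamed to.
$admins | Select-Object Name, Disabled, SID,
    @{ Name = 'BuiltIn'; Expression = { $_.SID -match '^S-1-5-21-.+-500$' } } |
    Format-Table -AutoSize

# UAC policy values, read directly from the registry.
$policy = Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# EnableLUA: 1 means UAC is on for the machine.
"UAC enabled (EnableLUA): $($policy.EnableLUA)"

# FilterAdministratorToken: 1 puts the built-in Administrator under
# Admin Approval Mode; 0 or missing means it runs outside UAC (the default).
if ($policy.FilterAdministratorToken -eq 1) {
    'Built-in Administrator: Admin Approval Mode ON (subject to UAC)'
} else {
    'Built-in Administrator: runs outside UAC (default)'
}

# Any enabled account here beyond the one you created deserves a closer look.
$enabled = @($admins | Where-Object { -not $_.Disabled })
"Enabled administrator accounts: $($enabled.Count)"
```

On the setup described in this thread, the table would be expected to show "root" as enabled and the built-in account as disabled with `BuiltIn` set to True.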
#9 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

I see your point, Mike, and it makes sense. It's foolish not to have the UAC security safety net. However, is there a way to configure UAC and those other protections so that they run while logged into, or using privileges of, that "big Administrator" account? Would this be secure? If it's a BIG production to do this, then I'll just forget about it. The reason why I'm asking is that security people say there should be a minimum of administrator accounts floating around.

One last question on a slightly different topic. Since the discovery of this account, I did some exploring around. I discovered the existence of a SYSTEM user group and the existence of an INTERACTIVE user group. What are these groups? These are in the security properties of many files.

Regards,
Paul
▬▬▬▬▬▬▬▬▬▬

"Mike Brannigan" wrote:
> "Paul" <Paul@discussions.microsoft.com> wrote in message news:A55143B9-78FE-4D68-B4A9-F8785D53FCEA@microsoft.com...
> > This is interesting, Mike. Perhaps I should delete "root" and make this "administrator" account my new "root" account. You say it shouldn't be used unless there are 'extreme circumstances'. What are these extreme circumstances?
> >
>
> Interesting question - the "Administrator" account could be enabled for day to day use - but is extremely highly privileged in that it will ignore pretty much all the other security protections that are even in place around your root account. While some people object to the User Account Control popping up and checking if you really want to do something it is there for your protection so using the Administrator account may pose a risk to you and your system - imagine accidentally opening a file with a day zero exploit root kit or virus in it and this is now going to execute with absolutely nothing to stop it doing anything to hide itself and damage your system, etc.
>
> I would advise keeping your root account and use that as your day to day admin - you are unlikely to even need the big A admin account.
>
> > I rarely log into my "root" account. I log into my "root" account when I have to do a series of administrative tasks that would, otherwise, require me to right-click and "run as administrator" many times in succession.
> >
> > Funny, I thought that my "root" gave me complete and unhindered access to all files and folders. I didn't realize there was something "higher up".
> >
>
> Indeed an account that is made an administrator (small "a") is indeed an admin account but it is still subject to UAC and potentially requiring you to confirm some actions etc and some applications may require additional confirming permission elevation etc. The Administrator account bypasses all of this but obviously there is an inherent risk too, to your system's security by running tasks under extremely highly privileged accounts.
>
#10 | Guest

Re: HomeUser requesting help w MBSA 2.1 results

This implies that even with UAC configured to run on this account, this account would be less secure than my "root" account. It probably is a good idea to forget this idea altogether.

A last question, do you know what the SYSTEM and INTERACTIVE user groups are? I find that they are in the right-click security properties of many files and programs.

Sincerely,
Paul
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬

"Jimmy Brush" wrote:
> Paul wrote:
> > Hello Jimmy, this is all news. Wow. The question now is whether or not I should delete the "root" account that I have been using, and use this "Administrator" account as my new root account. Are there any hazards to doing this? I'm asking this because I'd like a minimum of administrator accounts floating around.
> > _______________________________________
> >
>
> Well, there are some "negatives" to using the Administrator account.
>
> 1) By default, it runs outside of UAC. This reduces the security of your computer while you are logged in with that account. However, you can use local security policy to change this behavior and leave UAC on while logged in to this account.
>
> 2) It is well known by attackers - it's better IMHO to have and use a custom admin account with a custom name and account id.
>
> - JB
>