This isn’t a rant, more me explaining in plain English why I’ve chosen this route. Before we began assigning random passwords to our Administrator accounts using solutions like Local Administrator Password Solution (LAPS), the standard advice was to disable the built-in Administrator account. Now that we have such solutions that are easy to use and more secure, should we still disable the built-in Administrator account?
The latest [Windows] LAPS has been a hit. It’s been easy to use since it’s baked into the latest versions of the Windows operating systems and able to work with Entra and Active Directory joined devices. The hardest decision most have is whether to use the built-in Administrator account or create another account. This has been the debate, because we’ve been told to not use the built-in Administrator account forever. Should we still be doing this?
What’s really the functional benefit now? I can’t really argue why we should continue with this practice. With Windows LAPS you are able to use secure passwords that are unique to each machine. One feature of Windows LAPS is the ability to have the password change automatically after it’s used.
When using a custom Administrator account, it is tracked by name. If the account is renamed, Windows LAPS can no longer manage it. One of the security risks of using the built-in Administrator account was its well-known SID. But this SID is also how Windows LAPS tracks the account, meaning that if the account is renamed, LAPS is able to continue managing it. If you are using Windows LAPS you are not concerned
Windows LAPS should be thought of as a disaster recovery solution. Technicians should have another account they use for day-to-day administration. Renaming the built-in Administrator account has no effect on the ability of Windows LAPS to manage the password. The built-in Administrator account also can’t be locked out. Windows LAPS can also manage the account even if it’s disabled, so if you want LAPS to manage the password but leave the account disabled until you need it, that is an option.
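As an added example (not from the original post), the following PowerShell audit shows the SID-versus-name point in practice: it locates the built-in Administrator by its RID-500 SID regardless of what it has been renamed to, then reads the LAPS policy to see whether LAPS is targeting that account or a custom account tracked by name. The registry path and the `AdministratorAccountName` value are assumed from the Windows LAPS policy settings; verify them on your build.

```powershell
# Added example, not from the original post. Audits which local admin account
# Windows LAPS is configured to manage and how that account is identified.
# Assumption: LAPS policy lives under this key with an AdministratorAccountName value.
$lapsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# The built-in Administrator always has RID 500 in the machine's local domain,
# so it is found by SID; renaming the account does not change this.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

[pscustomobject]@{
    BuiltInName    = $builtin.Name
    BuiltInSid     = $builtin.SID.Value
    BuiltInEnabled = $builtin.Enabled   # LAPS can manage it even when this is $false
}

$policy     = Get-ItemProperty -Path $lapsPolicyPath -ErrorAction SilentlyContinue
$targetName = $policy.AdministratorAccountName

if ([string]::IsNullOrEmpty($targetName)) {
    # No custom name configured: LAPS manages the built-in account by its
    # well-known SID, so it keeps working if the account is renamed or disabled.
    "LAPS target: built-in Administrator (currently named '$($builtin.Name)', Enabled=$($builtin.Enabled))"
}
else {
    # A custom account is tracked by name; if it is renamed or removed,
    # LAPS has nothing to manage. Check that the name still resolves.
    $custom = Get-LocalUser -Name $targetName -ErrorAction SilentlyContinue
    if ($null -eq $custom) {
        "WARNING: LAPS is configured for '$targetName' but no local account with that name exists."
    }
    elseif ($custom.SID.Value -match '-500$') {
        # The policy names the built-in account explicitly rather than leaving the
        # value empty; review this setting against Microsoft's guidance for the policy.
        "LAPS target '$targetName' is the built-in Administrator referenced by name."
    }
    else {
        "LAPS target: custom account '$targetName' (SID $($custom.SID.Value), Enabled=$($custom.Enabled))"
    }
}
```

Run this on a sample of managed devices before and after a rename or disable of the built-in account to confirm the behaviour described above holds in your environment.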
So…
Is it insecure? Should we be updating these security baselines? Does this topic require reevaluating?
