Lock it down!  Okay… let’s say you’re an IT Professional (and who wouldn’t want to be, really) responsible for managing user and administrative accounts in your office or for your company.  But you sometimes ask yourself:

“Do I use my administrative accounts wisely?”

“Am I granting too many people too many rights in my organization?”

And then you ask us:

“What do YOU suggest I do about it, Kevin?  Does Microsoft have some prescriptive guidance for me?”

I’m glad you asked!

I found a new document that might help. It’s called “The Administrator Accounts Security Planning Guide”. It is “designed to be an indispensable resource when organizations plan their strategy to secure administrator level accounts in Microsoft Windows NT-based operating systems such as Windows Server 2003 and Windows XP.”

It’s only 25 pages long, so it’s an easy read.  Here is the table of contents from the document, to give you a better idea of the topics covered:

Chapter 1: Introduction
    Executive Summary
    Overview
    Who Should Read This Guide
    Planning Guide Overview
Chapter 2: The Approach to Making Administrator Accounts More Secure
    Why Making Administrator Accounts More Secure Is Important
    Why You Should Not Log On To Your Computer as an Administrator
    Administrative Accounts and Groups Overview
    Administrator Account Types
    The Principles for Making Administrator Accounts More Secure
    Principle of Least Privilege
    Best Practices for Making Administrative Accounts More Secure
Chapter 3: Guidelines for Making Administrator Accounts More Secure
    Overview of Guidelines for Making Administrator Accounts More Secure
    Separate Domain Administrator and Enterprise Administrator Roles
    Separate User and Administrator Accounts
    Use the Secondary Logon Service
    Run a Separate Terminal Services Session for Administration
    Rename the Default Administrator Account
    Create a Decoy Administrator Account
    Create a Secondary Administrator Account and Disable the Built-in Account
    Enable Account Lockout for Remote Administrator Logons
    Create a Strong Administrator Password
    Automate Scanning for Weak Passwords
    Use Administrative Credentials on Trusted Computers Only
    Audit Accounts and Passwords on a Regular Basis
    Prohibit Account Delegation
    Control the Administrative Logon Process
Chapter 4: Summary
    Next Steps
    Further Reading
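Several of the Chapter 3 guidelines (rename the default Administrator account, create a secondary administrator and disable the built-in one, audit accounts on a regular basis) can be checked on a machine with a short script. The one below is an added example, not something from the guide or from Microsoft; it assumes you run it from an elevated PowerShell prompt against the local machine, uses the WinNT ADSI provider (available on every Windows version, including the Windows Server 2003 and XP era the guide covers), and treats "more than two members in Administrators" as a constructed threshold you should adjust to your environment.

```powershell
# Added example (not from the guide): audit a few Chapter 3 guidelines on the
# local computer. Run from an elevated PowerShell prompt.
# Assumption: local accounts only; the same checks apply to the domain's
# RID-500 account and the Domain Admins group when run against a domain.

function Get-BuiltinAdminAccount {
    # The built-in Administrator always has RID 500 whatever it is called,
    # so renaming it does not hide it from a SID-based audit (or from an attacker).
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($u in $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
        if ($sid.Value -like '*-500') { return $u }
    }
    return $null
}

function Test-AdminAccountGuidelines {
    $findings = @()
    $admin = Get-BuiltinAdminAccount
    if ($null -eq $admin) {
        return @('Could not locate the RID-500 account; run elevated')
    }
    # ADS_UF_ACCOUNTDISABLE is bit 0x2 of UserFlags
    $disabled = ($admin.UserFlags.Value -band 0x2) -ne 0
    if ($admin.Name -eq 'Administrator') {
        $findings += 'Default Administrator account still uses its default name'
    }
    if (-not $disabled) {
        $findings += 'Built-in Administrator (RID 500) is enabled; create a secondary admin account and disable it'
    }
    # Every member of the local Administrators group is a standing administrator;
    # list them so the review can confirm each one is still needed.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members.Count -gt 2) {   # constructed threshold; tune to your environment
        $findings += "Administrators group has $($members.Count) members: $($members -join ', ')"
    }
    return $findings
}

Test-AdminAccountGuidelines
```

An empty result means none of these three checks fired; each finding maps back to the guideline named in its message, so the output doubles as the audit record the guide asks you to keep.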

Give it a look and let me know what you think!