User requesting help with MBSA 2.1 results

Thread starter: Paul (Guest)
Hello everyone,

I'm a home user and I got some STARTLING results after running a security
scan using Microsoft's Baseline Security Analyzer Beta 2.1

It spotted a user account on my computer that I didn't even know existed !

In the UAC, I set up a standard user account (called "P & L") for everyday
use. I also set up an administrator account (called "root"), to use whenever
I have to make system changes. The report from MBSA showed an additional
administrator account called "administrator" !

How did it get there ? More importantly, how do I get rid of it ? We do
not need two administrators.
 
Forgot to mention one thing . . .

I forgot to mention that this "administrator" account does not show up in the
UAC. The "root" account appears there, "P & L" appears, "guest" appears but
is turned off. I'm running Vista home basic.
____________________________________
"Paul" wrote:

> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security
> scan using Microsoft's Baseline Security Analyzer Beta 2.1
>
> It spotted a user account on my computer that I didn't even know existed !
>
> In the UAC, I set up a standard user account (called "P & L") for everyday
> use. I also set up an administrator account (called "root"), to use whenever
> I have to make system changes. The report from MBSA showed an additional
> administrator account called "administrator" !
>
> How did it get there ? More importantly, how do I get rid of it ? We do
> not need two administrators.
 
"Paul" <Paul@discussions.microsoft.com> wrote in message
news:F9DCF2FB-12E8-4748-BBB1-4CA5CF08F28A@microsoft.com...
> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security
> scan using Microsoft's Baseline Security Analyzer Beta 2.1
>
> It spotted a user account on my computer that I didn't even know existed !
>
> In the UAC, I set up a standard user account (called "P & L") for everyday
> use. I also set up an administrator account (called "root"), to use
> whenever
> I have to make system changes. The report from MBSA showed an additional
> administrator account called "administrator" !
>
> How did it get there ? More importantly, how do I get rid of it ? We do
> not need two administrators.


"Administrator" is the real default admin account that is disabled by
default on your system. It is the only account that is not subject to UAC
or any of the other restrictions that are placed even on accounts such as
your root that are members of the administrators local group - so as you
think of them as admin accounts.
It is meant to be there and disabled by default.
It should not be used except in extreme circumstances as your "root" will
do for all your admin needs.
--

Mike Brannigan
 
Paul wrote:
> Hello everyone,
>
> I'm a home user and I got some STARTLING results after running a security
> scan using Microsoft's Baseline Security Analyzer Beta 2.1
>
> It spotted a user account on my computer that I didn't even know existed !
>
> In the UAC, I set up a standard user account (called "P & L") for everyday
> use. I also set up an administrator account (called "root"), to use whenever
> I have to make system changes. The report from MBSA showed an additional
> administrator account called "administrator" !
>
> How did it get there ? More importantly, how do I get rid of it ? We do
> not need two administrators.


Hello,

This is normal.

The "Administrator" account is the built-in admin account. It is
disabled by default, and in fact, the only time it becomes visible and
usable (by default) is if you delete/disable all your other
administrator accounts and restart the computer in safe mode.

If you're hooked to a domain, this account is never available for use by
default.

You can view and tinker with this account using an elevated command
prompt with the "net user" command.

- JB
 
This is interesting, Mike. Perhaps I should delete "root" and make this
"administrator" account my new "root" account. You say it shouldn't be used
unless there are 'extreme circumstances'. What are these extreme
circumstances ?

I rarely log into my "root" account. I log into my "root" account when I
have to do a series of administrative tasks that would, otherwise, require me
to right-click and "run as administrator" many times in succession.

Funny, I thought that my "root" gave me complete and unhindered access to
all files and folders. I didn't realize there was something "higher up".

Sincerely,
Paul
______________________________

"Mike Brannigan" wrote:

>
> "Administrator" is the real default admin account that is disabled by
> default on your system. It is the only account that is not subject to UAC
> or any of the other restrictions that are placed even on accounts such as
> your root that are members of the administrators local group - so as you
> think of them as admin accounts.
> It is meant to be there and disabled by default.
> It should not be used except in extreme circumstances as your "root" will
> do for all your admin needs.
> --
>
> Mike Brannigan
>
 
Hello Jimmy, this is all news. Wow. The question now is whether or not I
should delete the "root" account that I have been using, and use this
"Administrator" account as my new root account. Are there any hazards to
doing this? I'm asking this because I'd like a minimum of administrator
accounts floating around.
_______________________________________

"Jimmy Brush" wrote:

> Hello,
>
> This is normal.
>
> The "Administrator" account is the built-in admin account. It is
> disabled by default, and in fact, the only time it becomes visible and
> usable (by default) is if you delete/disable all your other
> administrator accounts and restart the computer in safe mode.
>
> If you're hooked to a domain, this account is never available for use by
> default.
>
> You can view and tinker with this account using an elevated command
> prompt with the "net user" command.
>
> - JB
>
 
"Paul" <Paul@discussions.microsoft.com> wrote in message
news:A55143B9-78FE-4D68-B4A9-F8785D53FCEA@microsoft.com...
> This is interesting, Mike. Perhaps I should delete "root" and make this
> "administrator" account my new "root" account. You say it shouldn't be
> used
> unless there are 'extreme circumstances'. What are these extreme
> circumstances ?
>



Interesting question - the "Administrator" account could be enabled for day
to day use - but is extremely highly privileged in that it will ignore
pretty much all the other security protections that are even in place around
your root account. While some people object to the User Account Control
popping up and checking if you really want to do something it is there for
your protection so using the Administrator account may pose a risk to you
and your system - imagine accidentally opening a file with a day zero exploit
root kit or virus in it and this is now going to execute with absolutely
nothing to stop it doing anything to hide itself and damage your system,
etc.

I would advise keeping your root account and using that as your day to day admin -
you are unlikely to even need the big A admin account.

> I rarely log into my "root" account. I log into my "root" account when I
> have to do a series of administrative tasks that would, otherwise, require
> me
> to right-click and "run as administrator" many times in succession.
>
> Funny, I thought that my "root" gave me complete and unhindered access to
> all files and folders. I didn't realize there was something "higher up".
>


Indeed an account that is made an administrator (small "a") is indeed an
admin account but it is still subject to UAC and potentially requiring you
to confirm some actions etc and some applications may require additional
confirming permission elevation etc. The Administrator account bypasses all
of this but obviously there is an inherent risk too, to your system's
security by running tasks under extremely highly privileged accounts.

> Sincerely,
> Paul




--

Mike Brannigan
 
Paul wrote:
> Hello Jimmy, this is all news. Wow. The question now is whether or not I
> should delete the "root" account that I have been using, and use this
> "Administrator" account as my new root account. Are there any hazards to
> doing this? I'm asking this because I'd like a minimum of administrator
> accounts floating around.
> _______________________________________
>


Well, there are some "negatives" to using the Administrator account.

1) By default, it runs outside of UAC. This reduces the security of your
computer while you are logged in with that account. However, you can use
local security policy to change this behavior and leave UAC on while
logged in to this account.

2) It is well known by attackers - it's better IMHO to have and use a
custom admin account with a custom name and account id.

- JB
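Jimmy's two replies above describe the built-in Administrator (disabled by default, viewable with "net user") and the local security policy that keeps UAC active for it. The audit script below is an added example, not code from the thread or from MBSA; it identifies the built-in account by its well-known RID 500 rather than by name, and assumes the UAC policy values live under the Policies\System registry key named in the script (FilterAdministratorToken is the registry form of the "Admin Approval Mode for the Built-in Administrator account" policy).

```powershell
# Local account and UAC audit. Added example, not code from the thread; run from an
# elevated PowerShell prompt. Assumes the built-in Administrator is identified by its
# well-known RID 500 (true even if renamed) and that the UAC policy values live under
# the Policies\System key named below.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LocalAccountReport {
    # Every local account, with the built-in ones tagged by RID rather than by name.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" | ForEach-Object {
        $rid = $_.SID.Split('-')[-1]
        $tag = switch ($rid) {
            '500'   { 'built-in Administrator (outside UAC by default)' }
            '501'   { 'built-in Guest' }
            default { 'custom account' }
        }
        '{0,-16} RID {1,-4} disabled={2,-5} {3}' -f $_.Name, $rid, $_.Disabled, $tag
    }
}

function Get-LocalAdminMembers {
    # Members of the local Administrators group: the "small a" admins that UAC still covers.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Get-UacPolicy {
    # EnableLUA = 1 means UAC is on. FilterAdministratorToken = 1 is the local security
    # policy "Admin Approval Mode for the Built-in Administrator account", the setting
    # that keeps UAC prompts active for the built-in Administrator (absent = 0 = off).
    $p = Get-ItemProperty -Path $policyKey
    $filter = if ($p.PSObject.Properties['FilterAdministratorToken']) { $p.FilterAdministratorToken } else { 0 }
    New-Object PSObject -Property @{ EnableLUA = $p.EnableLUA; FilterAdministratorToken = $filter }
}

'--- local accounts ---'
Get-LocalAccountReport
$admins = Get-LocalAdminMembers
'--- Administrators group: ' + ($admins -join ', ')
$uac = Get-UacPolicy
'--- UAC: EnableLUA={0} FilterAdministratorToken={1}' -f $uac.EnableLUA, $uac.FilterAdministratorToken

# Findings, in the terms the thread uses.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True' AND SID LIKE '%-500'"
if ($builtin -and -not $builtin.Disabled) {
    'FINDING: the built-in Administrator is enabled; it is disabled by default on Vista.'
    if ($uac.FilterAdministratorToken -ne 1) {
        'FINDING: it runs outside UAC. Registry equivalent of the policy JB mentions:'
        "  Set-ItemProperty -Path '$policyKey' -Name FilterAdministratorToken -Value 1 -Type DWord"
    }
}
if ($admins.Count -gt 2) {
    'NOTE: {0} accounts in Administrators; the thread advises keeping this to a minimum.' -f $admins.Count
}
```

On a system set up as Paul describes, the account report shows "root" and "Administrator" with RID 500 disabled, and no findings are printed.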
 
I see your point, Mike, and it makes sense. It's foolish not to have the UAC
security safety net. However, is there a way to configure UAC and those
other protections so that they run while logged into, or using privileges of,
that "big Administrator" account. Would this be secure? If it's a BIG
production to do this, then I'll just forget about it.

The reason why I'm asking is that security people say there should be a
minimum of administrator accounts floating around.

One last question on a slightly different topic. Since the discovery of
this account, I did some exploring around. I discovered the existence of a
SYSTEM user group and the existence of an INTERACTIVE user group. What are
these groups ? These are in the security properties of many files.

Regards,

Paul

▬▬▬▬▬▬▬▬▬▬
"Mike Brannigan" wrote:

> "Paul" <Paul@discussions.microsoft.com> wrote in message
> news:A55143B9-78FE-4D68-B4A9-F8785D53FCEA@microsoft.com...
> > This is interesting, Mike. Perhaps I should delete "root" and make this
> > "administrator" account my new "root" account. You say it shouldn't be
> > used
> > unless there are 'extreme circumstances'. What are these extreme
> > circumstances ?
> >
>
>
> Interesting question - the "Administrator" account could be enabled for day
> to day use - but is extremely highly privileged in that it will ignore
> pretty much all the other security protections that are even in place around
> your root account. While some people object to the User Account Control
> popping up and checking if you really want to do something it is there for
> your protection so using the Administrator account may pose a risk to you
> and your system - imagine accidentally opening a file with a day zero exploit
> root kit or virus in it and this is now going to execute with absolutely
> nothing to stop it doing anything to hide itself and damage your system,
> etc.
>
> I would advise keeping your root account and using that as your day to day admin -
> you are unlikely to even need the big A admin account.
>
> > I rarely log into my "root" account. I log into my "root" account when I
> > have to do a series of administrative tasks that would, otherwise, require
> > me
> > to right-click and "run as administrator" many times in succession.
> >
> > Funny, I thought that my "root" gave me complete and unhindered access to
> > all files and folders. I didn't realize there was something "higher up".
> >
>
> Indeed an account that is made an administrator (small "a") is indeed an
> admin account but it is still subject to UAC and potentially requiring you
> to confirm some actions etc and some applications may require additional
> confirming permission elevation etc. The Administrator account bypasses all
> of this but obviously there is an inherent risk too, to your system's
> security by running tasks under extremely highly privileged accounts.
>
 
This implies that even with UAC configured to run on this account, this
account would be less secure than my "root" account. It probably is a good
idea to forget this idea altogether.

A last question, do you know what the SYSTEM and INTERACTIVE user groups
are ? I find that they are in the right-click security properties of many
files and programs.

Sincerely,

Paul

▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
"Jimmy Brush" wrote:

> Paul wrote:
> > Hello Jimmy, this is all news. Wow. The question now is whether or not I
> > should delete the "root" account that I have been using, and use this
> > "Administrator" account as my new root account. Are there any hazards to
> > doing this? I'm asking this because I'd like a minimum of administrator
> > accounts floating around.
> > _______________________________________
> >

>
> Well, there are some "negatives" to using the Administrator account.
>
> 1) By default, it runs outside of UAC. This reduces the security of your
> computer while you are logged in with that account. However, you can use
> local security policy to change this behavior and leave UAC on while
> logged in to this account.
>
> 2) It is well known by attackers - it's better IMHO to have and use a
> custom admin account with a custom name and account id.
>
> - JB
>
 
Paul wrote:
> This implies that even with UAC configured to run on this account, this
> account would be less secure than my "root" account. It probably is a good
> idea to forget this idea altogether.
>
> A last question, do you know what the SYSTEM and INTERACTIVE user groups
> are ? I find that they are in the right-click security properties of many
> files and programs.
>
> Sincerely,
>
> Paul


SYSTEM is a user account, not a group. Actually, it is better to
consider it as a "system account" instead of a user account. The SYSTEM
account is the most privileged account on the local computer.

There are a few other system accounts, including local service and
network service. These other accounts have less power than SYSTEM, and
they are used when access to all privileges is not needed.

Operating system processes, services, and task scheduler entries can run
in the system accounts.

These are not traditional user accounts in the sense that users do not
log in as them - only the programs that I just mentioned. These accounts
do not have a password, and a program can only run inside of a system
account if it is started by the operating system or another program
running inside of a system account.

The "INTERACTIVE" group is an implicit group.

An implicit group is a group where its members are controlled by the
operating system. You cannot add/remove a user from implicit groups.

These groups are used by the Operating System to "tag" user accounts as
they are logged in, and they generally describe the type of logon that
the user did (e.g., network, interactive, ntlm authentication,
authenticated user).

These groups are used in security permissions to assign rights based on
this information. For example, using these groups, you can allow
interactive logins but disallow other types (such as people logged in
via networking [smb]).

- JB
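JB's explanation above covers the system accounts (SYSTEM, local service, network service) and the implicit, logon-type groups such as INTERACTIVE. The script below is an added example, not code from the thread: it lists the implicit groups stamped on the current logon token, shows which entries in a folder's ACL name system principals (the ones Mike says not to remove), and resolves the fixed well-known SIDs under which ACLs store these principals. It assumes whoami.exe is available, which it is on Vista and later.

```powershell
# Added example, not code from the thread. Shows (1) the implicit groups the OS has
# stamped on the current logon token, (2) which ACL entries on a folder name system
# principals, and (3) that these principals are stored as well-known SIDs.
# Assumes whoami.exe is present (it ships with Vista and later).

function Get-ImplicitTokenGroups {
    # whoami /groups lists every group in the token; "Well-known group" entries are the
    # implicit, OS-controlled ones such as NT AUTHORITY\INTERACTIVE and Authenticated Users.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Type -eq 'Well-known group' } |
        Select-Object 'Group Name', SID
}

function Get-SystemPrincipalAces {
    param([string]$Path = "$env:windir\System32")  # System32 always carries a SYSTEM entry
    # ACEs granted to service or logon-type principals; the thread's advice is to leave these alone.
    $wellKnown = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access |
        Where-Object { $wellKnown -contains $_.IdentityReference.Value } |
        ForEach-Object {
            '{0,-30} {1,-6} {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
        }
}

function Resolve-WellKnownSids {
    # ACLs store principals by SID; these fixed values are identical on every Windows machine,
    # which is why the names show up in the security tab of so many files.
    $sids = [ordered]@{
        'S-1-5-18' = 'SYSTEM (system account, most privileged locally)'
        'S-1-5-19' = 'LOCAL SERVICE (system account, less privileged)'
        'S-1-5-20' = 'NETWORK SERVICE (system account, less privileged)'
        'S-1-5-4'  = 'INTERACTIVE (implicit group: logged on at the console)'
        'S-1-5-2'  = 'NETWORK (implicit group: logged on over the network, e.g. SMB)'
        'S-1-5-11' = 'Authenticated Users (implicit group)'
    }
    foreach ($sid in $sids.Keys) {
        $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        '{0,-10} {1,-30} {2}' -f $sid, $account, $sids[$sid]
    }
}

'--- implicit groups in the current token ---'
Get-ImplicitTokenGroups | Format-Table -AutoSize
'--- system principals in the ACL of System32 ---'
Get-SystemPrincipalAces
'--- well-known SIDs ---'
Resolve-WellKnownSids
```

Run from a console logon, the first section includes NT AUTHORITY\INTERACTIVE; run the same script through a scheduled task or remote session and that entry changes, which is exactly the "type of logon" tagging JB describes.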
 
That does answer my question. All these accounts are obviously things that I
have no reason to fool around with.

Thanks for your time and help.

Sincerely,

Paul
_________________________________

"Jimmy Brush" wrote:

> Paul wrote:
> > This implies that even with UAC configured to run on this account, this
> > account would be less secure than my "root" account. It probably is a good
> > idea to forget this idea altogether.
> >
> > A last question, do you know what the SYSTEM and INTERACTIVE user groups
> > are ? I find that they are in the right-click security properties of many
> > files and programs.
> >
> > Sincerely,
> >
> > Paul

>
> SYSTEM is a user account, not a group. Actually, it is better to
> consider it as a "system account" instead of a user account. The SYSTEM
> account is the most privileged account on the local computer.
>
> There are a few other system accounts, including local service and
> network service. These other accounts have less power than SYSTEM, and
> they are used when access to all privileges is not needed.
>
> Operating system processes, services, and task scheduler entries can run
> in the system accounts.
>
> These are not traditional user accounts in the sense that users do not
> log in as them - only the programs that I just mentioned. These accounts
> do not have a password, and a program can only run inside of a system
> account if it is started by the operating system or another program
> running inside of a system account.
>
> The "INTERACTIVE" group is an implicit group.
>
> An implicit group is a group where its members are controlled by the
> operating system. You cannot add/remove a user from implicit groups.
>
> These groups are used by the Operating System to "tag" user accounts as
> they are logged in, and they generally describe the type of logon that
> the user did (e.g., network, interactive, ntlm authentication,
> authenticated user).
>
> These groups are used in security permissions to assign rights based on
> this information. For example, using these groups, you can allow
> interactive logins but disallow other types (such as people logged in
> via networking [smb]).
>
> - JB
>
 
"Paul" <Paul@discussions.microsoft.com> wrote in message
news:52CA08BD-EF64-4B2C-B204-BE9AF8FF4B66@microsoft.com...
>I see your point, Mike, and it makes sense. It's foolish not to have the
>UAC
> security safety net. However, is there a way to configure UAC and those
> other protections so that they run while logged into, or using privileges
> of,
> that "big Administrator" account. Would this be secure? If it's a BIG
> production to do this, then I'll just forget about it.
>


No you cannot do that. The Administrator account is there to bypass those
restrictions. If you want an admin account that is covered by UAC etc then
just create an admin account - which you did as your root account.

> The reason why I'm asking is that security people say there should be a
> minimum of administrator accounts floating around.
>


Correct and you have ONE on your system that is actually usable and that is
your root account as Administrator is disabled by default.

> One last question on a slightly different topic. Since the discovery of
> this account, I did some exploring around. I discovered the existence of
> a
> SYSTEM user group and the existence of an INTERACTIVE user group. What
> are
> these groups ? These are in the security properties of many files.
>


Correct - they are system level security principals - do not remove them
from any access control lists or permissions property sheets as they are
required for Windows to do what it needs to do.
You can find out more about them on any internet search engine, if you are
that interested, otherwise leave them alone.

> Regards,
>
> Paul


--

Mike Brannigan

 
Well, I learned a few things here; this was informative. I will definitely
leave this alone.

Thanks for your time and help,

Paul

▬▬▬▬▬▬▬▬▬▬

"Mike Brannigan" wrote:

> "Paul" <Paul@discussions.microsoft.com> wrote in message
> news:52CA08BD-EF64-4B2C-B204-BE9AF8FF4B66@microsoft.com...
> >I see your point, Mike, and it makes sense. It's foolish not to have the
> >UAC
> > security safety net. However, is there a way to configure UAC and those
> > other protections so that they run while logged into, or using privileges
> > of,
> > that "big Administrator" account. Would this be secure? If it's a BIG
> > production to do this, then I'll just forget about it.
> >

>
> No you cannot do that. The Administrator account is there to bypass those
> restrictions. If you want an admin account that is covered by UAC etc then
> just create an admin account - which you did as your root account.
>
> > The reason why I'm asking is that security people say there should be a
> > minimum of administrator accounts floating around.
> >

>
> Correct and you have ONE on your system that is actually usable and that is
> your root account as Administrator is disabled by default.
>
> > One last question on a slightly different topic. Since the discovery of
> > this account, I did some exploring around. I discovered the existence of
> > a
> > SYSTEM user group and the existence of an INTERACTIVE user group. What
> > are
> > these groups ? These are in the security properties of many files.
> >

>
> Correct - they are system level security principals - do not remove them
> from any access control lists or permissions property sheets as they are
> required for Windows to do what it needs to do.
> You can find out more about them on any internet search engine, if you are
> that interested, otherwise leave them alone.
>
> > Regards,
> >
> > Paul

>
 
