Even bigger bonus? Never in the history of automated malware -- the campaigns usually mounted against
workstations and servers -- has an attack attempted to use anything but built-in account names. By renaming your
privileged accounts, you defeat hackers and malware in one step. Plus, it's easier to monitor and alert on log-on
attempts to the original privileged account names when they're no longer in use.
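The monitoring point above is easy to turn into a concrete check. The following is an added example, not code from the original article: it assumes the Windows Security log has been exported as one JSON object per line carrying the TimeCreated, EventID, TargetUserName and IpAddress fields, and the sample events, host addresses and account names in it are constructed for illustration. Once the real privileged accounts have been renamed, the old names should see zero logon activity, so every attempt against them is worth an alert, and a successful logon under an old name is the most important signal of all.

```python
"""Alert on logon attempts that target retired privileged account names.

Added example, not from the original article. It assumes Windows Security
log events have been exported as one JSON object per line with the fields
TimeCreated, EventID, TargetUserName and IpAddress; the sample events and
account names below are constructed for illustration.
"""
import json
from collections import Counter

# Names that should no longer be in use once the real accounts are renamed.
# Any logon attempt against them is suspicious; the set is configurable.
RETIRED_NAMES = {"administrator"}

# Windows Security event IDs: an account logged on / failed to log on.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625


def normalize_name(name):
    """Reduce 'CORP\\Administrator' or 'Administrator@corp.example' to 'administrator'."""
    name = name.rsplit("\\", 1)[-1]      # strip DOMAIN\ prefix
    name = name.split("@", 1)[0]         # strip @realm suffix
    return name.strip().lower()


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not stop the whole scan
    return events


def detect(events, retired=RETIRED_NAMES):
    """Return one alert per logon event whose target is a retired name.

    A failed attempt means someone is guessing at a name that no longer
    exists and is rated 'high'. A successful logon with a retired name is
    rated 'critical': either the rename was never applied or an account
    with the old name has been (re)created.
    """
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue
        target = normalize_name(str(ev.get("TargetUserName", "")))
        if target not in retired:
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "source": ev.get("IpAddress", "-"),
            "target": target,
            "severity": "critical" if event_id == LOGON_SUCCESS else "high",
        })
    return alerts


def summarize(alerts):
    """Count alerts per (source address, severity) to expose repeated guessing."""
    return Counter((a["source"], a["severity"]) for a in alerts)


# Constructed sample export: one ordinary logon, three failed attempts
# against the retired name from one host, one successful logon with the
# retired name from another host, and an unrelated privilege event (4672).
SAMPLE_LOG = """\
{"TimeCreated": "2024-01-01T08:00:01Z", "EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"}
{"TimeCreated": "2024-01-01T08:00:05Z", "EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2024-01-01T08:00:06Z", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2024-01-01T08:00:07Z", "EventID": 4625, "TargetUserName": "Administrator@corp.example", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2024-01-01T08:01:00Z", "EventID": 4624, "TargetUserName": "Administrator", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2024-01-01T08:02:00Z", "EventID": 4672, "TargetUserName": "jdoe", "IpAddress": "-"}
"""

if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```

On the constructed sample this raises three "high" alerts for the host hammering the old name and one "critical" alert for the host that actually got in under it. The same logic drops into a SIEM rule: the failed attempts belong on a per-source threshold, while a single success against a retired name should page someone, because after a rename the only way that event can occur is a configuration regression.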
Innovative security technique No. 2: Getting rid of admins
Another recommendation is to get rid of all wholesale privileged accounts: administrator, domain admin,
enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by
default.
When this is suggested, most network administrators laugh and protest, the same response security experts got
when they recommended local Administrator accounts be disabled on Windows computers. Then Microsoft followed this
recommendation, disabling local Administrator accounts by default on every version of Windows starting with
Vista/Server 2008 and later. Lo and behold, hundreds of millions of computers later, the world hasn't come crashing
True, Windows still allows you to create an alternate Administrator account, but today's most aggressive
computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still,
many network admins see this as going a step too far, an overly draconian measure that won't work. Well, at least
one Fortune 100 company has eliminated all built-in privileged
accounts, and it's working great. The company presents no evidence of having been compromised by an APT
(advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user
side or from IT. Why would they? They aren't getting hacked.