Network Administration: Built-In Accounts
Most network operating systems come preconfigured with two built-in accounts, named Administrator and Guest. In addition, some server services, such as web or database servers, create their own user accounts under which to run. The following sections describe the characteristics of these accounts.
The Administrator account is the King of the Network. This user account isn’t subject to any of the account restrictions to which other, mere mortal accounts must succumb. If you log on as the administrator, you can do anything.
Because the Administrator account has unlimited access to your network, it’s imperative that you secure it immediately after you install the server. When the NOS Setup program asks for a password for the Administrator account, start off with a good random mix of uppercase and lowercase letters, numbers, and symbols.
Don’t pick some easy-to-remember password to get started, thinking you’ll change it to something more cryptic later. You’ll forget.
Here are a few additional things worth knowing about the Administrator account:
You can’t delete it. The system must always have an administrator.
You can grant administrator status to other user accounts when truly necessary.
You should use it only when you really need to do tasks that require administrative authority. Many network administrators grant administrative authority to their own user accounts. That isn’t a very good idea. If you’re reading your e-mail while logged on as an administrator, you’re just inviting viruses or malicious scripts to take advantage of your administrator access.
Instead, you should set yourself up with two accounts: a normal account that you use for day-to-day work, and an Administrator account.
The default name for the Administrator account is usually simply Administrator. You may want to consider changing this name. Better yet, change the name of the Administrator account to something obscure and then create an ordinary user account named Administrator which has few rights.
Above all, don’t forget the Administrator account password. Write it down in permanent ink and store it in Fort Knox, a safe-deposit box, or some other secure location.
The Guest account
Another commonly created default account is called the Guest account. This account is set up with a blank password and few — if any — access rights. The Guest account is designed to allow people to step up to a computer and log on, but after they do, it then prevents them from doing anything. Sounds like a waste of time, just disable the Guest account.
Some network users aren’t actual people, not that some of your users are subhuman. Rather, some users are actually software processors that require access to secure resources and therefore require user accounts. These user accounts are usually created automatically for you when you install or configure server software.
For example, when you install Microsoft’s web server (IIS), an Internet user account called IUSR is created. The complete name for this account is IUSR_<servername>. So if the server is named WEB1, the account is named IUSR_WEB1. IIS uses this account to allow anonymous Internet users to access the files of your website.
As a general rule, you shouldn’t mess with these accounts. unless you know what you’re doing. For example, if you delete or rename the IUSR account, you must reconfigure IIS to use the changed account. If you don’t, IIS will deny access to anyone trying to reach your site.
Assuming that you do know what you’re doing, renaming these accounts can increase your network’s security. However, don’t start playing with these accounts until you’ve researched the ramifications.