Windows 7 offers several sets of policies that affect user accounts. There are three kinds of account policies: security options, user rights, and account lockout policies. The next three sections take you through these policies.
Setting Account Security Policies
To see these policies, launch the Local Security Settings snap-in (select Start, type secpol.msc, and press Enter) and select Security Settings, Local Policies, Security Options, as shown in Figure 1.
The Accounts grouping has five policies:
Administrator Account Status— Use this policy to enable or disable the Administrator account. This is useful if you think someone else might be logging on as the administrator. (A less-drastic solution is to change the administrator password or rename the Administrator account.)
Note
The Administrator account is always used during a Safe mode boot, even if you disable the account.
Guest Account Status— Use this option to enable or disable the Guest account.
Limit Local Account Use of Blank Passwords to Console Logon Only— When this option is enabled, Windows 7 allows users with blank passwords to log on to the system directly only by using the Welcome screen. Such users can’t log on via either the RunAs command or remotely over a network. This policy modifies the following Registry setting:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse
Rename Administrator Account— Use this option to change the name of the Administrator account.
Rename Guest Account— Use this option to change the name of the Guest account.
Caution
The Administrator account is all-powerful on Windows 7, so the last thing you want is for some malicious user to gain control of the system with administrator access. Fortunately, Windows 7 disables the Administrator account by default. However, it’s worth taking a few minutes now to ensure that the Administrator account is disabled on your Windows 7 machine. Open the Local Users and Groups snap-in, as described earlier, double-click the Administrator account to open the Administrator Properties dialog box, and then make sure the Account Is Disabled check box is activated.
Tip
Black-hat hackers have one foot in your digital door already because they know that every Windows 7 machine comes with an account named Administrator. If you’ve disabled the Administrator account, you almost certainly have no worries. However, you can close the door completely on malicious intruders by taking away the one piece of information they know: the name of the account. By changing the account name from Administrator to something completely unexpected, you add an extra layer of security to Windows 7. The Guest account also has an obvious and well-known name, so if you’ve enabled the Guest account, be sure to rename it, too.
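The five Accounts policies above can also be checked from a PowerShell prompt. The following read-only audit is an added example, not part of the original text: it finds the built-in accounts by the well-known last component of their SID (500 for Administrator, 501 for Guest), which stays the same after a rename, and reads the limitblankpassworduse value. The function names are hypothetical, and the default-name comparison assumes an English-language installation.

```powershell
# Added example: read-only audit of the Accounts policies on the local machine.
# Get-WmiObject and the registry provider work in the PowerShell 2.0 shipped with Windows 7.

function Get-BuiltinAccountState {   # hypothetical helper name
    # Built-in accounts keep their well-known RIDs after a rename:
    # a SID ending in -500 is Administrator, -501 is Guest.
    $defaults = @{ '500' = 'Administrator'; '501' = 'Guest' }   # assumes English default names
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $rid = $_.SID.Split('-')[-1]
        if ($defaults.ContainsKey($rid)) {
            New-Object PSObject -Property @{
                Role        = $defaults[$rid]
                CurrentName = $_.Name
                Disabled    = $_.Disabled
                Renamed     = ($_.Name -ne $defaults[$rid])
            }
        }
    }
}

function Get-BlankPasswordPolicy {   # hypothetical helper name
    # 1 means blank-password accounts are limited to console logon; 0 means the limit is off.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $entry = Get-ItemProperty -Path $key -Name limitblankpassworduse -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return 'NotSet' }
    if ($entry.limitblankpassworduse -eq 1) { 'ConsoleOnly' } else { 'Disabled' }
}

# Collect deviations from the settings recommended in the Caution and Tip above.
$accounts = @(Get-BuiltinAccountState)
$findings = @()
foreach ($acct in $accounts) {
    if (-not $acct.Disabled) {
        $findings += "$($acct.Role) account is enabled (current name: $($acct.CurrentName))"
    }
    if (-not $acct.Renamed) {
        $findings += "$($acct.Role) account still has its default name"
    }
}
$blank = Get-BlankPasswordPolicy
if ($blank -ne 'ConsoleOnly') { $findings += "Blank-password limit is $blank" }

$accounts | Format-Table Role, CurrentName, Disabled, Renamed -AutoSize
if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```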