Built-In Accounts
Most network operating systems come preconfigured with two built-in accounts, named "Administrator" and "Guest." In addition, some server services, such as Web or database servers, create their own user accounts under which to run. The following sections describe the characteristics of these accounts.
The Administrator account
The Administrator account is the King of the Network. This user account is not subject to any of the account restrictions to which other, mere mortal accounts must succumb. If you log in as the administrator, you can do anything.
Because the Administrator account has unlimited access to your network, it is imperative that you secure it immediately after you install the server. When the NOS Setup program asks for a password for the Administrator account, start off with a good random mix of uppercase and lowercase letters, numbers, and symbols. Don't pick some easy-to-remember password to get started, thinking you will change it to something more cryptic later. You will forget, and in the meantime, someone will break in and reformat the server's C: drive or steal your customer's credit card numbers. Here are a few additional things worth knowing about the Administrator account:
- You can't delete it. The system must always have an administrator.
- You can grant administrator status to other user accounts. However, you should do so only for users who really need to be administrators.
- You should use it only when you really need to do tasks that require administrative authority. Many network administrators grant administrative authority to their own user accounts. That is not a very good idea. If you are killing some time surfing the Web or reading your e-mail while logged in as an administrator, you are just inviting viruses or malicious scripts to take advantage of your administrator access. Instead, you should set yourself up with two accounts: a normal account that you use for day-to-day work, and an Administrator account that you use only when you need it.
- The default name for the Administrator account is usually simply "Administrator." You may want to consider changing this name. Better yet, change the name of the Administrator account to something more obscure and then create an ordinary user account that has few - if any - rights and give that account the name "Administrator." That way, hackers who spend weeks trying to crack your Administrator account password will discover that they have been duped, once they finally break the password. In the meantime, you will have a chance to discover their attempts to breach your security and take appropriate action.
- Above all, do not forget the Administrator account password. Write it down in permanent ink and store it in Fort Knox, a safe deposit box, or some other secure location.
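The audit, the rename-and-decoy setup, and the "discover their attempts" step from the list above, as an added PowerShell example (my code, not from the original text). It assumes the Microsoft.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session; the new name for the real account is a placeholder you should replace. One practical caveat: the built-in account keeps its well-known RID 500 after a rename, so the script finds it by SID rather than by name, and the rename is paired with monitoring of failed logons against the decoy rather than relied on by itself.

```powershell
# Added example, not part of the original text. Assumes the Microsoft.LocalAccounts
# module (Windows 10 / Server 2016 and later) and an elevated PowerShell session.
# Set $ApplyChanges to $true to perform the rename and create the decoy;
# leave it $false to run the audit only.
$ApplyChanges = $false
$newAdminName = 'svc-localmaint'   # placeholder only; choose your own obscure name

# 1. Find the real built-in Administrator by its RID (SID ending in -500).
#    This works whether or not the account has already been renamed.
$builtInAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

[pscustomobject]@{
    CurrentName     = $builtInAdmin.Name
    Enabled         = $builtInAdmin.Enabled
    HasDefaultName  = ($builtInAdmin.Name -eq 'Administrator')
    PasswordLastSet = $builtInAdmin.PasswordLastSet
} | Format-List

# 2. Everyone with administrator status. Each entry has the same unrestricted
#    access as the built-in account, so day-to-day user accounts should not be here.
Write-Host "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($ApplyChanges) {
    # 3. Rename the real account, then create the decoy: an ordinary account named
    #    "Administrator" with a long random password and no group membership at all
    #    (New-LocalUser adds none), so it can do nothing even if its password falls.
    if ($builtInAdmin.Name -eq 'Administrator') {
        Rename-LocalUser -Name 'Administrator' -NewName $newAdminName
    }
    if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $decoyPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-LocalUser -Name 'Administrator' -Password $decoyPassword `
            -Description 'Decoy account with no rights. Failed logons here are suspicious.' `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }
}

# 4. Detection: failed logons (Security event 4625) that name the decoy. Nothing
#    legitimate should ever use it, so every hit is worth a look. In event 4625 the
#    TargetUserName field is property index 5 and the source IP is index 19.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq 'Administrator' } |
    Select-Object TimeCreated,
                  @{ n = 'TargetUser'; e = { $_.Properties[5].Value } },
                  @{ n = 'SourceIP';   e = { $_.Properties[19].Value } } |
    Format-Table -AutoSize
```

Run it once with `$ApplyChanges = $false` to see the current state, and keep the detection query as a scheduled check; a decoy account that nobody watches adds nothing.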
The Guest account
Another commonly created default account is called the Guest account. This account is set up with a blank password and few - if any - access rights. The Guest account is designed to allow anyone to step up to a computer and log on, but after they do, it then prevents them from doing anything.
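A check that the Guest account really is in the "can't do anything" state the text describes, as an added PowerShell example (my code, not from the original text). It assumes the Microsoft.LocalAccounts module and an elevated session, and it identifies the account by its well-known RID 501 so a renamed Guest is still found.

```powershell
# Added example, not part of the original text. Assumes Microsoft.LocalAccounts
# and an elevated session.

# The built-in Guest account has RID 501 (SID suffix -501), so this finds it
# even if it has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

if ($null -eq $guest) {
    Write-Host 'No built-in Guest account found on this host.'
} else {
    if ($guest.Enabled) {
        Write-Warning "Guest account '$($guest.Name)' is ENABLED."
        # Corrected setting: an account that cannot be used to log on at all.
        Disable-LocalUser -Name $guest.Name
        Write-Host "Disabled '$($guest.Name)'."
    } else {
        Write-Host "Guest account '$($guest.Name)' is disabled (expected)."
    }

    # Guest should hold no group membership beyond the default Guests group;
    # anything else means someone has given it rights it was never meant to have.
    Write-Host "`nGroups containing '$($guest.Name)':"
    Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).SID.Value -contains $guest.SID.Value
    } | Select-Object Name
}
```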
Service accounts
Some users are actually software processes that require access to secure resources and therefore require user accounts. These user accounts are usually created automatically for you when you install or configure server software.
For example, when you install Microsoft's Web server (IIS), an Internet user account called IUSR is created. The complete name for this account is IUSR_<servername>. So if the server is named WEB1, the account is named IUSR_WEB1. IIS uses this account to allow anonymous Internet users to access the files of your Web site.
As a general rule, you should not mess with these accounts unless you know what you are doing. For example, if you delete or rename the IUSR account, you must reconfigure IIS to use the changed account. If you don't, IIS will deny access to anyone trying to reach your site. (Assuming that you do know what you are doing, renaming these accounts can increase your network's security. However, don't start playing with these accounts until you have researched the ramifications.)
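A way to research the ramifications before touching a service account, as an added PowerShell example (my code, not from the original text or from Microsoft's documentation). It reads IIS's applicationHost.config to report which account each site uses for anonymous access, verifies that the configured account still resolves (a deleted or renamed account is exactly the case in which IIS starts denying access), and lists Windows services that run under a named account rather than a built-in one, so you know what depends on an account before renaming it. It assumes IIS 7 or later, where the anonymous identity defaults to the built-in IUSR account rather than the IUSR_<servername> account described above; the helper name Resolve-AccountSid is my own.

```powershell
# Added example, not part of the original text. Run on the IIS server in an
# elevated session. Assumes IIS 7 or later (built-in IUSR as the default
# anonymous identity). Resolve-AccountSid is a helper written for this example.

function Resolve-AccountSid {
    # Returns the SID string for an account name, or $null if Windows cannot map
    # the name to an account (deleted or renamed). Works for built-in principals
    # such as IUSR as well as local and domain accounts.
    param([string]$AccountName)
    $name = $AccountName -replace '^\.\\', "$env:COMPUTERNAME\"   # ".\user" -> "HOST\user"
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# 1. Anonymous-access identity per scope. The server default lives directly under
#    system.webServer; per-site overrides sit inside <location path="SiteName">.
#    An empty userName means IIS uses the application pool identity instead.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$appHost = Get-Content -Path $configPath -Raw

Write-Host 'IIS anonymous authentication identities:'
foreach ($node in $appHost.SelectNodes('//anonymousAuthentication')) {
    $location = $node.SelectSingleNode('ancestor::location[1]')
    $userName = $node.GetAttribute('userName')     # "" when the attribute is absent
    [pscustomobject]@{
        Scope    = if ($location) { $location.GetAttribute('path') } else { 'server default' }
        Enabled  = $node.GetAttribute('enabled')
        UserName = if ($userName) { $userName } else { '(application pool identity)' }
        # $false here is the misconfiguration the text warns about: the account IIS
        # was told to use no longer exists, so anonymous requests will be denied.
        Resolves = if ($userName) { [bool](Resolve-AccountSid $userName) } else { $true }
    }
} | Format-Table -AutoSize

# 2. Windows services running as a named account. These are the accounts that
#    were "created for you" by server software and must not be renamed or deleted
#    without reconfiguring the service that uses them.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
Write-Host "`nServices using a named logon account:"
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtIn -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')           # per-service virtual accounts
    } |
    Select-Object Name, StartName, State,
        @{ n = 'AccountResolves'; e = { [bool](Resolve-AccountSid $_.StartName) } } |
    Format-Table -AutoSize
```

Any row with `Resolves` or `AccountResolves` equal to `$false` is a service that will fail (or deny access) the next time it starts; that list is what you reconcile before and after renaming any of these accounts.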