Accounts: Local Administrator account should be disabled

822e9bf2-405a-42cb-9566-8532df68939f

It is best practice that the local Administrator account is disabled due to several known vulnerabilities:

  1. The built-in administrator account cannot be locked out no matter how many failed logons it accrues, making it a prime target for brute-force attacks that attempt to guess passwords.
  2. The account has a well-known security identifier (SID), and many non-Microsoft tools allow authentication by using only the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on.

All other accounts that are members of the Administrators group have the safeguard of being locked out if the number of failed logons exceeds the configured maximum.

Remediation

To fix this, configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_ Accounts: Administrator account status to "Disabled".
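
The following PowerShell is an added example, not part of the original check: it audits the setting above by locating the built-in account through its well-known RID 500 (so a renamed account is still found) and can optionally disable it. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module; the function names, the `-Remediate` switch and the lockout guard are illustrative choices.

```powershell
# Added example: audit (and optionally remediate) the built-in Administrator account.
# Auditing works unelevated; remediation needs an elevated session.

function Get-BuiltinAdministrator {
    # Local account SIDs look like S-1-5-21-<machine id>-<RID>; RID 500 is the built-in Administrator.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}500$' }
}

function Test-BuiltinAdministratorDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # hypothetical switch: disable the account if it is enabled
    )

    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'No local account with RID 500 found.' }

    if ($admin.Enabled -and $Remediate) {
        # Assumption of this example: refuse to disable when no other principal
        # is a member of BUILTIN\Administrators (S-1-5-32-544), to avoid a lockout.
        $others = Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { $_.SID.Value -ne $admin.SID.Value }
        if (-not $others) {
            throw 'Refusing to disable: no other member of the Administrators group.'
        }
        if ($PSCmdlet.ShouldProcess($admin.Name, 'Disable built-in Administrator')) {
            Disable-LocalUser -SID $admin.SID
            $admin = Get-BuiltinAdministrator   # re-read the state after the change
        }
    }

    [pscustomobject]@{
        Name      = $admin.Name          # differs from "Administrator" if renamed
        SID       = $admin.SID.Value
        Enabled   = $admin.Enabled
        Compliant = -not $admin.Enabled
    }
}

Test-BuiltinAdministratorDisabled                        # audit only
# Test-BuiltinAdministratorDisabled -Remediate -WhatIf   # preview the change
```

On domain-joined machines a Group Policy that sets "Accounts: Administrator account status" will override a local change at the next policy refresh.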

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status
https://www.technipages.com/windows-administrator-account-login-screen

Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2022-06-24/finding/V-253432
W10: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63619 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220908

CIS CSC v6: 5.1,16,16.8
NIST 800-53: IA-2
DISA CAT: II
CCI: CCI-000764
STIG Rule-ID: SV-220908r569187_rule
STIG-ID: WN10-SO-000005
STIG-Legacy: SV-78091, V-63601
Vuln-ID: V-63619, V-220908