CHAPTER 5Local User Accounts
All Microsoft Windows operating system versions have number of pre-defined built-in local user accounts. These accounts have different purposes depending on which operating system version is in use or which OS features, software, and roles are installed/enabled. All these accounts have different default property values that depend on many variables, which we discuss further in this chapter.
Some of these local user accounts, such as the built-in “Guest” account, are disabled by default and, in most companies, should remain disabled. Some other accounts, such as the built-in local “Administrator” account on the Microsoft Windows server family operating systems, are enabled by default and usually remain enabled in most companies.
Highly privileged local accounts, such as the built-in local Administrator account, should also be monitored for each modification and action performed by such accounts.
This chapter provides information about different built-in local user accounts on Microsoft Windows operating systems and specific monitoring scenarios for the most important operations/changes done to these accounts.
Built-in Local User Accounts
As a first step in the process of learning about possible anomalous behavior related to built-in local user accounts you should, first of all, know which built-in local user accounts exist on different Microsoft Windows operating system versions. You should know their default settings, purpose, group membership ...
Get Windows Security Monitoring now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.