Windows 10 October Update Can Now Disable Your Administrator Account

8 hours ago, LAwLz said:

Got a link to where it says it's best practice to keep it disabled? All I know is that they used to recommend disabling the automatically generated Administrator account in the domain, but they now recommend keeping it enabled because it is the only account that works in certain disaster recovery scenarios.

That's a different account; the built-in administrator account on the computer itself should stay disabled. The domain administrator account should also not be used; it needs to stay enabled, but is not disabled by default.

 

8 hours ago, LAwLz said:

If I were you, I'd not allow any RDP from the Internet inside my network. Make people connect with VPN if they want to access RDP instead. Having RDP exposed to the world is in general a pretty bad idea from a security standpoint. But I guess that depends on how peoples' workflow looks.

VPN can be worse, depending on how you've got it set up and firewall rules etc. We use RDP Gateway, which runs over HTTPS, so you're not exposing servers directly to the internet, which is about the safest you can do for remote App and Desktop access, and you don't give more network access than you actually need, as with a VPN. Not everyone uses RDP Gateway or likes it because you have to go into the advanced settings of the RDP client to input the gateway settings; a non-IT user issue.


6 minutes ago, leadeater said:

VPN can be worse, depending on how you've got it set up and firewall rules etc. We use RDP Gateway, which runs over HTTPS, so you're not exposing servers directly to the internet, which is about the safest you can do for remote App and Desktop access, and you don't give more network access than you actually need, as with a VPN. Not everyone uses RDP Gateway or likes it because you have to go into the advanced settings of the RDP client to input the gateway settings; a non-IT user issue.

When you say RDP Gateway, do you mean something like Citrix? Because that's how I'd do it in the case of not wanting users to VPN. And if you do that then the local accounts are completely protected from password attacks from the Internet because Citrix will only check the domain accounts, not local accounts.


24 minutes ago, LAwLz said:

When you say RDP Gateway, do you mean something like Citrix? Because that's how I'd do it in the case of not wanting users to VPN. And if you do that then the local accounts are completely protected from password attacks from the Internet because Citrix will only check the domain accounts, not local accounts.

Yeah, very much the same; it's a Server Role feature of RDS that you can enable.

 


On 1/4/2019 at 3:46 PM, jammiescone said:

Source: https://www.eteknix.com/windows-10-october-update-may-ruin-admin-account/?fbclid=IwAR1etKL1YiWwgzVF9t1hAX8TihPk27RAfPfD50NdTqACZc7lTwE1SqnbZb8

 

It looks like the Windows 10 October Update is not out of the woods yet with new bugs still rearing their heads. 

 

This time, it's being reported that under a specific set of conditions, the default Administrator account can end up being invalidated after upgrading from 1803 to 1809. According to the reports, originally from GHacks:

 

 

The biggest thing for me on this is that Microsoft's recommended fix is that you either:

  • Create a separate account with admin privileges BEFORE installing the update, to use going forward, or;
  • Avoid meeting the criteria

Neither of these feel like real solutions to me, and there is no advice offered for anyone who might already be in this position. 

 

I can't imagine this having too much of a drastic effect for most people, but it's just another issue to add to a long line of issues, and I'm not a big fan of Microsoft's response.

 

Anyone here who uses the default administrator account and could be affected by this?

 

So if we, along with administrator (the one that Windows has already), have another user with admin rights (and it is the only user except the one named administrator), we are screwed?

Also, is it possible to re-enable the administrator user after the update?


1 hour ago, angarato_surion said:

So if we, along with administrator (the one that Windows has already), have another user with admin rights (and it is the only user except the one named administrator), we are screwed?

This ONLY affects the built-in account named Administrator.

On 1/8/2019 at 5:37 AM, perplex said:

Think I'm just going to do a clean install of 1809 to skip all these issues from upgrading.

1 hour ago, angarato_surion said:

Also, is it possible to re-enable the administrator user after the update?

You can re-enable the account afterwards, if you wish.

 

net users Administrator /active:Yes

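Added example, not part of any post in this thread: a pre-upgrade check for the workaround discussed above (having a separate account with admin privileges before installing the update) that also reports whether the built-in Administrator is enabled. It assumes an elevated Windows PowerShell 5.1 session on the Windows 10 machine; the function name `Get-LocalAdminReadiness` is hypothetical.

```powershell
function Get-LocalAdminReadiness {
    # The built-in Administrator always has RID 500, so a rename does not hide it.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # Keep only enabled local user accounts other than the built-in one.
    $otherAdmins = @(
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
            ForEach-Object { Get-LocalUser -SID $_.SID } |
            Where-Object { $_.Enabled -and $_.SID.Value -notmatch '-500$' }
    )

    [pscustomobject]@{
        BuiltinName        = $builtin.Name
        BuiltinEnabled     = $builtin.Enabled
        OtherEnabledAdmins = @($otherAdmins | ForEach-Object { $_.Name })
        HasFallbackAdmin   = ($otherAdmins.Count -gt 0)
    }
}

$report = Get-LocalAdminReadiness
$report | Format-List

if (-not $report.HasFallbackAdmin) {
    # Nothing but the built-in account can administer this machine locally.
    Write-Warning 'No enabled local administrator other than the built-in account; create one before upgrading.'
}
```

Domain accounts and groups in the local Administrators group are deliberately ignored, since they do not help when only local sign-in is available.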
