Not everyone in your organization has administrator privileges on your information systems. The creation and assignment of administrative rights to your organization's team members should be carefully considered and given to only the people that need to have the permissions. When creating these accounts, bear in mind the following guidelines:

• Accounts with global impact, such as enterprise admins and domain admins, should be given to very few individuals:
  • Well-intentioned administrators can make serious, inadvertent misconfigurations on your enterprise network
  • Malicious administrators will essentially have full control over your network and can make changes and access information as they see fit
  • Provide the necessary permissions for administrators to do their daily jobs while ensuring access to elevated permissions is available if needed to address emergencies
• Create a strong password and disable the built-in local administrator's account in Windows:
  • This account is frequently targeted by malicious users because it can be attacked if it is renamed.
  • There are special cases where the built-in administrator account must be used for operating system changes. For this reason, make sure that you securely store the password so that it can be accessed in the future. Other than these special use cases, the built-in administrator account should not be used.
  • While you are at it, disable the built-in guest account following the same guidance given for the built-in administrator account.