Default & Predictable Account Names
CWE-798 / CWE-521 · First Target in Every Automated Scan · Zero Cost to Fix

Default Windows account names — Administrator, Guest, DefaultAccount — are hardcoded into every attacker toolset, every automated scanner, and every brute-force wordlist. They are the first credential combination attempted in any automated attack. A single rename operation and an enforced password policy eliminate this entire attack class at zero cost and zero performance impact.
CWE-798: Use of Hard-coded Credentials — attackers know these account names exist on every Windows machine
CWE-521: Weak Password Requirements — no enforced complexity or length policy
No CVE: Configuration weakness — not a patchable software bug
Risk: First credential pair in every automated credential attack against Windows
Every Windows machine has a built-in Administrator account and a Guest account. Every attacker knows this. Automated credential attacks — whether via RDP brute force, SMB authentication spray, or network scanner — attempt Administrator with common passwords first. If the account name is Administrator and the password is weak, the machine is compromised before any sophisticated technique is needed. Renaming the account does not prevent compromise by a sophisticated attacker who already has code execution — but it defeats every automated and opportunistic attack that targets the known account name.
Check local account names and status (PowerShell):
Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon
# Safe result — no account named "Administrator" or "Guest" enabled:
Name       Enabled PasswordRequired
----       ------- ----------------
[RENAMED]  False   True              # Built-in admin renamed and disabled
Guest      False   False             # Guest disabled
Check password policy:
net accounts
# Safe result:
Minimum password length: 12
Password complexity: Enabled
Maximum password age: 90 days
Event log — detect brute force against default account names:
# Event ID 4625 — failed logon — watch for repeated failures against "Administrator"
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} |
    Where-Object {$_.Message -match "Administrator"} |
    Select-Object TimeCreated, Message |
    Format-List
Attack Pattern: Repeated Event ID 4625 failures against "Administrator"
Brute Force: Sequential password attempts against known account names
Account: "Administrator" still enabled = first brute force target
Account: "Guest" enabled = low-privilege foothold
Logon Type: Type 3 (Network) failures = remote credential spray
Tools: Hydra, Medusa, CrackMapExec, ncrack — all target default names

Step 1 — Rename the built-in Administrator account:

Rename-LocalUser -Name "Administrator" -NewName "[CHOOSE A NON-OBVIOUS NAME]"

Step 2 — Disable Guest account:

Disable-LocalUser -Name "Guest"

Step 3 — Set a strong password policy via secpol.msc or from the command line:

net accounts /minpwlen:12 /maxpwage:90 /uniquepw:5

Step 4 — Enable account lockout after failed attempts:

net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

Verify no default names are active:

Get-LocalUser | Select-Object Name, Enabled, PasswordRequired
# Confirm: no enabled account named "Administrator" or "Guest"
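An added audit script (written for this page, not code from the original or from the Barr Cyber build) that combines the account check, the policy check and the Event ID 4625 detection above into one pass, and also verifies the result of Steps 1 to 4. It identifies the built-in accounts by their well-known RIDs (500 and 501) so a renamed Administrator is still recognised and checked for being disabled. Assumes local accounts on a standalone host, an elevated session, English-locale output from net accounts, and the $Hours and $Threshold values are chosen for illustration.

```powershell
# Added audit script: default-name, policy and failed-logon checks in one pass.
param(
    [int]$Hours = 24,      # look-back window for failed logons (assumed value)
    [int]$Threshold = 10   # failures per account+source that count as a spray (assumed value)
)
$findings = @()

# 1. Default-name audit keyed on well-known RIDs (500 = built-in Administrator, 501 = Guest).
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if (($u.Name -in 'Administrator', 'Guest') -and $u.Enabled) {
        $findings += "Default account name '$($u.Name)' is still enabled"
    }
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') {
        $findings += "Built-in Administrator (RID 500) has not been renamed"
    }
    if (($rid -in '500', '501') -and $u.Enabled) {
        $findings += "Built-in account '$($u.Name)' (RID $rid) is enabled"
    }
}

# 2. Password and lockout policy, parsed from the text output of 'net accounts'
#    (English locale assumed; a missing line is reported as a finding).
$policy = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
}
if ([int]$policy['Minimum password length'] -lt 12) { $findings += "Minimum password length is below 12" }
if ($policy['Lockout threshold'] -eq 'Never')        { $findings += "Account lockout is not enabled" }

# 3. Failed logons (Event ID 4625) grouped by target account, source address and logon type.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.EventData.Data   # structured fields instead of regex on Message
    [pscustomobject]@{
        User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
        LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'   # 3 = network
    }
}
$rows | Group-Object User, Source, LogonType | Where-Object Count -ge $Threshold | ForEach-Object {
    $findings += "$($_.Count) failed logons for [$($_.Name)] in the last $Hours h"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host "No findings" }
```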

Barr Cyber — Endpoint Hardening & System Configuration

Default account renaming and password policy enforcement are baseline controls in every Barr Cyber endpoint build. Documented with command output — not assumed, verified.
