All things SMS, System Center Configuration Manager, Active Directory, Group Policy, Virtualization, Security, Gadgets, Technology, and the Daily Thoughts of an SMS Engineer named Anthony Clendenen.

The Daily Ramblings of an SMS Engineer

Securing the Local Administrator Account

August 23, 2006

There are a number of articles on how to secure the local administrator account on Windows computers, and most of them give the same advice: rename it, make the password very strong, and so on. But I was asked this question a few days ago, and after doing some reading and research I don't really care for this approach. I think I prefer the idea of setting a very strong password for the local admin account, using a tool that generates a password based on criteria you supply, and then disabling the account altogether.

Here is some of my thinking on this. 

If you rename the account and set up a fake Administrator account, the GUID of the fake is not the same as that of the real thing, and this cannot be changed. There are a number of tools that can tell you right away which account's GUID belongs to the real Administrator account.

If you set a strong password but it gets compromised, and it is the same on all your computers, then all of them can be compromised.

Disabling the account means that it cannot be used at all, and only those listed in the local Administrators group could change that. Assuming that group contains only domain admins and the owner, those accounts would have to be hacked first, and if that happens you have more serious issues to worry about.

You could set the local admin account to have a blank password, rendering it useless on the network, but why? The local admin account is only useful before a computer is joined to a domain; after that it is just a big target.

Note that even when you have disabled the local admin account, it is no longer disabled in the Recovery Console and in Safe Mode.
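As an added example (not part of the original post), here is how the approach above can be scripted on a current Windows build. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session, finds the built-in account by its well-known RID 500 so that a rename does not matter, gives it a long random password, and then disables it.

```powershell
# Added example, not from the original post. Requires the LocalAccounts module
# and an elevated PowerShell session.
#Requires -RunAsAdministrator

function New-RandomPassword {
    param([int]$Length = 32)
    # Upper, lower, digits and symbols, drawn from the CSPRNG rather than Get-Random.
    $charset = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $charset.Length)   # reject bytes at or above this to avoid modulo bias
    $sb    = [System.Text.StringBuilder]::new()
    $byte  = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($charset[$byte[0] % $charset.Length]) }
    }
    $sb.ToString()
}

# The built-in Administrator always carries RID 500 in its SID, whatever it has
# been renamed to, so match on the SID instead of the name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }

# Set a long random password, then disable the account. The password is deliberately
# not recorded anywhere: the account is not meant to be used once it is disabled.
$secure = ConvertTo-SecureString -String (New-RandomPassword -Length 32) -AsPlainText -Force
Set-LocalUser -Name $admin.Name -Password $secure
Disable-LocalUser -Name $admin.Name

# Verify the result: Enabled should now be False. Remember the caveat above that the
# account is still usable in Safe Mode and the Recovery Console.
Get-LocalUser -Name $admin.Name | Select-Object Name, Enabled, SID
```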

I would like to hear what others think about my theory, and whether there are real-life scenarios where this may cause real issues. The only one I have heard so far is the computer losing its trust relationship with the domain; I think I have figured out a way around that, but I have not tested it yet.

Tell me what you think.