Disable built-in Administrator account (create alternative admin account)
Every Windows Server ships with the built-in Administrator account (SID 500), and by default all administrator accounts have RDP access (when RDP is enabled overall). If port 3389 is open, the Administrator account is therefore a frequent target of repeated brute-force attempts against that account name. Options include disabling the Administrator account completely and setting up a separate account that has administrator rights, or removing RDP access from the Administrator account. Make sure you have a different account with admin rights available before disabling the Administrator account so you don't get locked out.

Generally it is better to disable the Administrator account (and replace it with a different account with administration rights) than to just rename it, because the SID remains 500 after a rename and some non-Microsoft tools allow authentication by SID rather than by account name. Renaming is still better than doing nothing: you can rename the Administrator account in Local Security Policy (Security Settings, Local Policies, Security Options, Accounts: Rename administrator account) or via gpedit.msc.

We noted on a test server with port 3389 open that over 50% of the failed login attempts were using the "administrator" user name, followed by admin, user, test, user1, etc.
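The lock-out check described above can be scripted. The following is an added example, not part of the original page: it locates the built-in account by its SID (so it still works after a rename) and refuses to disable it unless another enabled local administrator exists. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets; the `-DryRun` switch is a name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: disable the built-in Administrator only when a replacement exists.
# Assumption: Microsoft.PowerShell.LocalAccounts cmdlets are available (PowerShell 5.1+).
param(
    [switch]$DryRun   # hypothetical switch for this example: show the action without applying it
)

# The built-in Administrator keeps a SID ending in -500 even after it is renamed,
# so match on the SID instead of the account name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
if (-not $builtin) {
    throw 'No local account with a SID ending in -500 was found.'
}

# S-1-5-32-544 is the well-known SID of the local Administrators group.
# Only enabled *local* user accounts are counted here; domain accounts and
# nested groups are ignored, which keeps the check conservative.
$otherAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.Enabled -and $_.SID.Value -ne $builtin.SID.Value }

if (-not $otherAdmins) {
    throw "Refusing to disable '$($builtin.Name)': no other enabled local administrator exists."
}

Write-Host "Alternative local administrators: $($otherAdmins.Name -join ', ')"

if ($builtin.Enabled) {
    # -WhatIf is a standard parameter of Disable-LocalUser; with -DryRun nothing changes.
    Disable-LocalUser -SID $builtin.SID -WhatIf:$DryRun
    if (-not $DryRun) {
        Write-Host "Disabled built-in account '$($builtin.Name)' ($($builtin.SID.Value))."
    }
} else {
    Write-Host "Built-in account '$($builtin.Name)' is already disabled."
}
```

The script only checks that the alternative account is enabled; sign in with it over RDP once before running without `-DryRun` to confirm its password and access actually work.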