RE: Renaming Administrator account

From: Beauford, Jason (jbeauford_at_EightInOnePet.com)
Date: 11/15/05

    Date: Tue, 15 Nov 2005 17:34:49 -0500
    To: "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>
    
    

    Accounts retain their SIDs when you rename them. Renaming the admin
    account defeats "dumb" worms/viruses/trojans etc, and that's about it.
    Determined black hats will know what to look for.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330

    JMB

            | -----Original Message-----
            | From: Derick Anderson [mailto:danderson@vikus.com]
            | Sent: Tuesday, November 15, 2005 4:21 PM
            | To: focus-ms@securityfocus.com
            | Subject: Renaming Administrator account
            |
            | A question for the list, inspired by the server
            | hardening/break in
            | threads:
            |
            | Is changing the Administrator account name really
            | worthwhile or not? My largely unfounded, sparsely
            | researched opinion is this:
            |
            | So far I haven't read a convincing argument for
            | changing the name of the administrator account, and
            | there's one reason I've chosen not to - account
            | lockout policy. Only the domain Administrator
            | account is exempt from lockout unless there's a
            | special dispensation for Domain/Enterprise admins I
            | don't know about. So choosing another account (and
            | thus changing the SID) would take away the
            | protection(?) against a DoS attack on the
            | Administrator account.
            |
            | As for providing extra security, I believe it's
            | security by obscurity.
            | In order to access password-based systems, you have
            | a set of public knowledge (username) and private
            | knowledge (password): known * unknown = unknown, or
            | in a (non)mathematical sense for brute force attacks, 1 * ?
            | = ?. Now let's say you change the Administrator
            | password, what have you gotten? Unknown * unknown =
            | unknown, or ? * ? = ?. You've changed the equation
            | but not the outcome. I realize that changing the
            | name prevents automated attacks but can't this be
            | defeated by not allowing direct remote Administrator
            | access? (no VPN account, no OWA account, servers
            | locked up in a datacenter...)
            |
            | Basically what I'm asking is whether changing the
            | account name is a fundamental principle or just icing
            | on the cake.
            |
            | Derick Anderson
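
    The reply's point that a renamed account keeps its SID can be checked from the
    administrator's side: the built-in Administrator always carries the well-known
    relative identifier 500 (the subject of the linked KB article), so an audit
    can find it whatever it is currently called. The PowerShell below is an added
    example, not part of the original thread. It assumes the LocalAccounts module
    (Windows 10 / Server 2016 and later); the domain branch additionally assumes
    the ActiveDirectory module is installed.

```powershell
# Added example, not from the original thread. Locates the built-in
# Administrator account by its well-known relative identifier (RID 500),
# which survives any rename, and reports whether the name was changed.
# Assumes: LocalAccounts module (Windows 10 / Server 2016+); the -Domain
# branch additionally assumes the ActiveDirectory module is installed.

function Get-BuiltInAdministrator {
    [CmdletBinding()]
    param(
        # Check the domain's Administrator instead of the local one.
        [switch]$Domain
    )

    if ($Domain) {
        # The domain Administrator's SID is the domain SID with RID 500 appended.
        $domainSid = (Get-ADDomain).DomainSID.Value
        $account   = Get-ADUser -Identity "$domainSid-500"
        $scope     = 'Domain'
    }
    else {
        # Match on the SID, not on the name: the name may have been changed.
        $account = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
        $scope   = 'Local'
    }

    if ($null -eq $account) {
        Write-Warning "No account with RID 500 found in scope '$scope'."
        return
    }

    [pscustomobject]@{
        Scope   = $scope
        Name    = $account.Name
        SID     = $account.SID.Value
        Renamed = ($account.Name -ne 'Administrator')
        Enabled = $account.Enabled
    }
}

# Usage (run from an elevated prompt):
Get-BuiltInAdministrator
# Get-BuiltInAdministrator -Domain
```

    The `Renamed` field tells you whether the hardening step was actually applied
    on a given host, while the `SID` field shows why the rename changes nothing
    about the account's identity: anything that resolves accounts by SID rather
    than by name, including the lockout behaviour discussed above, treats the
    renamed account exactly as it treated "Administrator".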

