Re: Renaming Administrator account

From: James Eaton-Lee (james.mailing_at_gmail.com)
Date: 11/16/05

    To: Derick Anderson <danderson@vikus.com>
    Date: Tue, 15 Nov 2005 23:14:51 +0000
    
    

    On Tue, 2005-11-15 at 16:21 -0500, Derick Anderson wrote:
    > A question for the list, inspired by the server hardening/break in
    > threads:
    >
    > Is changing the Administrator account name really worthwhile or not? My
    > largely unfounded, sparsely researched opinion is this:
    >
    > So far I haven't read a convincing argument for changing the name of the
    > administrator account, and there's one reason I've chosen not to -
    > account lockout policy. Only the domain Administrator account is exempt
    > from lockout unless there's a special dispensation for Domain/Enterprise
    > admins I don't know about. So choosing another account (and thus
    > changing the SID) would take away the protection(?) against a DoS attack
    > on the Administrator account.

    I would imagine (hope) that the lockout is based on the SID rather than
    the username - perhaps someone more knowledgeable / from microsoft can
    confirm this?

    > As for providing extra security, I believe it's security by obscurity.
    > In order to access password-based systems, you have a set of public
    > knowledge (username) and private knowledge (password): known * unknown =
    > unknown, or in a (non)mathematical sense for brute force attacks, 1 * ?
    > = ?. Now let's say you change the Administrator password, what have you
    > gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the
    > equation but not the outcome. I realize that changing the name prevents
    > automated attacks but can't this be defeated by not allowing direct
    > remote Administrator access? (no VPN account, no OWA account, servers
    > locked up in a datacenter...)

    It is security through obscurity - sorry to repeat old material, but to
    save myself some typing, this is from another thread I posted to today:

    [starts]
    Whilst 'security through obscurity' as a *sole* security measure is a
    bad idea, obscurity actually plays (and historically has played) a very
    important part in security not just of IT systems.

    As a few examples, renaming the administrator account, non-obvious
    forward or reverse DNS, whois sanitisation, and actually even encryption
    are all security measures which are commonly accepted and have a greater
    or lesser amount of 'obscurity' involved. The important thing is that
    you don't rely on them - something which applies just as much to relying
    on any one vendor's shiny, snakeoil security panacea as it does to
    policies and reconfigurations like this.
    [ends]

    Although you can authenticate via SID in some instances (specifically on
    the local machine and via kerberos, which uses the SID as the
    identifier, I think), there are plenty of circumstances (such as RDP,
    SMB and possibly also RPC - again, I may be wrong) in which the username
    is used, and in these circumstances changing the administrative username
    does raise the bar in terms of difficulty to break into the system.

    > Basically what I'm asking is whether changing the account name is a
    > fundamental principle or just icing on the cake.

    I don't think it's a fundamental principle, but I think describing it as
    'icing on the cake' is perhaps understating it - I wouldn't go quite as
    far as to describe it as best practice, but I'd certainly classify it as
    a commonly deployed and recommended security measure. Given the
    difficulty of implementation (zero) and the net result (greater than
    zero), I'd say there's no reason not to implement it unless you have a
    specific reason not to.

     - James.
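    The thread's point that the built-in account is identified by its SID (which always ends in the well-known RID 500) rather than by its name can be checked directly. The following audit script is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser), and the ActiveDirectory RSAT module for the optional domain lookup.

```powershell
# Added example (not from the thread): locate the built-in Administrator account
# by RID 500 instead of by name. Renaming changes the username but not the SID,
# so this finds the account whatever it is currently called and reports whether
# the rename has actually been applied.
# Assumptions: Microsoft.PowerShell.LocalAccounts (Get-LocalUser) is available;
# -IncludeDomain additionally needs the ActiveDirectory module and domain rights.

function Get-BuiltinAdminStatus {
    [CmdletBinding()]
    param(
        # Also look up the domain's RID-500 account via ActiveDirectory
        [switch]$IncludeDomain
    )

    # Local machine: the built-in Administrator is always <MachineSID>-500.
    $local = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    [pscustomobject]@{
        Scope     = 'Local'
        SID       = $local.SID.Value
        Name      = $local.Name
        Renamed   = ($local.Name -ne 'Administrator')
        Enabled   = $local.Enabled
        LastLogon = $local.LastLogon
    }

    if ($IncludeDomain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $domainSid = (Get-ADDomain).DomainSID.Value
        # Domain built-in Administrator is <DomainSID>-500 regardless of its name.
        $dom = Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, LockedOut
        [pscustomobject]@{
            Scope     = 'Domain'
            SID       = $dom.SID.Value
            Name      = $dom.SamAccountName
            Renamed   = ($dom.SamAccountName -ne 'Administrator')
            Enabled   = $dom.Enabled
            LastLogon = $dom.LastLogonDate
            LockedOut = $dom.LockedOut
        }
    }
}

# Renamed = True confirms the rename took effect; the SID column shows that the
# identifier ACLs and group memberships refer to is unchanged by the rename.
Get-BuiltinAdminStatus -IncludeDomain | Format-Table -AutoSize
```

Run it on a machine (or with -IncludeDomain on a domain-joined host) to confirm the rename is in place and to see that the SID, not the name, is what still singles the account out.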

