RE: Renaming Administrator account

DavidsonBK.Ctr_at_bic.usmc.mil
Date: 11/16/05

  • Next message: Dubber, Drew B: "RE: Renaming Administrator account" 
    Date: Wed, 16 Nov 2005 10:48:24 -0500
To: <jbeauford@EightInOnePet.com>, <danderson@vikus.com>

    Jason you are correct that the account admin accounts retain the SID.
    The only true way to mask the admin accounts is to create a completely
    new user
    account that has the correct elevated privileges for the account. This
    gives the account
    a unique SID that does not have the identifying information on the
    account as an admin
    account on the domain. If you look at the SID of an admin account out
    of the box you will
    see that the last 3 digits in the SID is -500. This designates that the
    account is an admin
    account. If you look at a user account it will have 4 digits (example
    -4553 last digits in SID)
    and is not recognized by a hacker as an admin account.

    Brian K Davidson, Contractor, Network Security Specialist
    Information Systems
    Mailto:DavidsonBK.Ctr@bic.usmc.mil

    -----Original Message-----
    From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
    Sent: Tuesday, November 15, 2005 5:35 PM
    To: Derick Anderson; focus-ms@securityfocus.com
    Subject: RE: Renaming Administrator account

    Accounts retain their SID's when you rename them. Renaming the admin
    account defeats "dumb" worms/virus/trojans etc, and that's about it.
    Determined black hats will know what to look for.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330

    JMB

            | -----Original Message-----
            | From: Derick Anderson [mailto:danderson@vikus.com]
            | Sent: Tuesday, November 15, 2005 4:21 PM
            | To: focus-ms@securityfocus.com
            | Subject: Renaming Administrator account
            |
            | A question for the list, inspired by the server
            | hardening/break in
            | threads:
            |
            | Is changing the Administrator account name really
            | worthwhile or not? My largely unfounded, sparsely
            | researched opinion is this:
            |
            | So far I haven't read a convincing argument for
            | changing the name of the administrator account, and
            | there's one reason I've chosen not to - account
            | lockout policy. Only the domain Administrator
            | account is exempt from lockout unless there's a
            | special dispensation for Domain/Enterprise admins I
            | don't know about. So choosing another account (and
            | thus changing the SID) would take away the
            | protection(?) against a DoS attack on the
            | Administrator account.
            |
            | As for providing extra security, I believe it's
            | security by obscurity.
            | In order to access password-based systems, you have
            | a set of public knowledge (username) and private
            | knowledge (password): known * unknown = unknown, or
            | in a (non)mathematical sense for brute force attacks, 1 * ?
            | = ?. Now let's say you change the Administrator
            | password, what have you gotten? Unknown * unknown =
            | unknown, or ? * ? = ?. You've changed the equation
            | but not the outcome. I realize that changing the
            | name prevents automated attacks but can't this be
            | defeated by not allowing direct remote Administrator
            | access? (no VPN account, no OWA account, servers
            | locked up in a datacenter...)
            |
            | Basically what I'm asking is whether changing the
            | account name is a fundamental princple or just icing
            | on the cake.
            |
            | Derick Anderson

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Dubber, Drew B: "RE: Renaming Administrator account"

    Relevant Pages

    • Re: How to use "Administrative Privilges" To unlock an account
      ... Get Windows XP Service Pack 2 with Advanced Security Technologies: ... I have the password policy (Invalid log-on attempts) set to 2. ... I get the message "This account has been locked due ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Users changing their Account Type
      ... net localgroup administrators ... these must be used to change a limited account to admin. ... inventorying the admin accounts and making sure the ... > have changed my user password several times. ...
      (microsoft.public.windowsxp.security_admin)
    • User account permissions bugs?
      ... The first issue is being able to access the files of another account. ... don't currently have permission to access this folder. ... I know my admin accounts are admin accounts because it lets me elevate ... So I checked the user permissions on the folder C:\Users\User2. ...
      (microsoft.public.windows.vista.general)
    • RE: Policy enforcement- Admin accounts
      ... Subject: Policy enforcement- Admin accounts ... Charles is correct in regards to the inability to set password policies on ... He is not correct in regards to the default domain Administrator account ...
      (Security-Basics)
    • Re: for the Geeks
      ... Both are Admin accounts, to facilitate installing programs. ... I had set her up with a normal account, but I wanted to install some ... options/advanced/reuse windows for launching shortcuts>, ...
      (rec.outdoors.fishing.fly)