RE: Renaming Administrator account

From: Dubber, Drew B (drew.dubber_at_eds.com)
Date: 11/16/05

    Date: Wed, 16 Nov 2005 16:06:44 -0000
    To: "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>
    
    

    Have a look at passprop, that allows you to make the admin account
    subject to lockout. Whether you want to or not is another matter...

    In my opinion, I like icing on cakes! :) At the very least someone has
    to make a conscious effort to find the admin account first.

    Kind regards
    Drew

    -----Original Message-----
    From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    Sent: 16 November 2005 03:02
    To: Derick Anderson; focus-ms@securityfocus.com
    Subject: RE: Renaming Administrator account

    If you rename the domain administrator account, it is still the
    "administrator" account and is not subject to account lockout policies.
    This policy utilizes the administrator well-known SID to determine the
    administrator account, not the name of the account. While it is
    security through obscurity, it will protect you against most worms that
    are in the wild that target the administrator account.

    Dennis

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Tuesday, November 15, 2005 4:21 PM
    To: focus-ms@securityfocus.com
    Subject: Renaming Administrator account

    A question for the list, inspired by the server hardening/break in
    threads:

    Is changing the Administrator account name really worthwhile or not? My
    largely unfounded, sparsely researched opinion is this:

    So far I haven't read a convincing argument for changing the name of the
    administrator account, and there's one reason I've chosen not to -
    account lockout policy. Only the domain Administrator account is exempt
    from lockout unless there's a special dispensation for Domain/Enterprise
    admins I don't know about. So choosing another account (and thus
    changing the SID) would take away the protection(?) against a DoS attack
    on the Administrator account.

    As for providing extra security, I believe it's security by obscurity.
    In order to access password-based systems, you have a set of public
    knowledge (username) and private knowledge (password): known * unknown =
    unknown, or in a (non)mathematical sense for brute force attacks, 1 * ?
    = ?. Now let's say you change the Administrator password, what have you
    gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the
    equation but not the outcome. I realize that changing the name prevents
    automated attacks but can't this be defeated by not allowing direct
    remote Administrator access? (no VPN account, no OWA account, servers
    locked up in a datacenter...)

    Basically what I'm asking is whether changing the account name is a
    fundamental principle or just icing on the cake.

    Derick Anderson
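
Added example, not part of the original thread: the point above that the built-in account is identified by its well-known SID rather than its name can be checked in an audit by decoding each account's binary SID (the form stored in Active Directory's objectSid attribute) and looking for RID 500. The account names and domain sub-authority values below are constructed sample data.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 6-byte
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def is_builtin_administrator(sid: str) -> bool:
    """True for S-1-5-21-<domain or machine id>-500, whatever the account is named."""
    parts = sid.split("-")
    return (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and parts[7] == "500")

def find_builtin_admin(accounts):
    """accounts: iterable of (name, binary SID). Returns names holding RID 500."""
    return [name for name, raw in accounts
            if is_builtin_administrator(sid_to_string(raw))]

def _constructed_sid(rid: int) -> bytes:
    # Constructed domain identifier (1111111111-2222222222-3333333333), sample only.
    return (bytes([1, 5]) + (5).to_bytes(6, "big")
            + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, rid))

# Constructed directory export: the built-in account has been renamed, and an
# ordinary account has been given the name "Administrator".
SAMPLE_ACCOUNTS = [
    ("svc-backup-ops", _constructed_sid(500)),
    ("Administrator", _constructed_sid(1104)),
    ("Guest", _constructed_sid(501)),
]

if __name__ == "__main__":
    for name, raw in SAMPLE_ACCOUNTS:
        sid = sid_to_string(raw)
        tag = "built-in Administrator" if is_builtin_administrator(sid) else ""
        print("%-16s %-48s %s" % (name, sid, tag))
```
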
