RE: Renaming Administrator account

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 11/16/05

  • Next message: Laura A. Robinson: "RE: Renaming Administrator account"
    Date: Wed, 16 Nov 2005 12:04:55 -0500
    To: <DavidsonBK.Ctr@bic.usmc.mil>, <jbeauford@EightInOnePet.com>, <danderson@vikus.com>
    
    

    As a side note, if we're talking Win2k3, IMO the simplest and perhaps most
    effective approach to dealing with the built-in Administrator account is
    this:

    1. Copy the built-in Administrator account (yes, you can do this).
    2. Name the copied account whatever you like, require smartcard
    authentication, whatever.
    3. Disable the built-in Administrator account (yes, you can do this, too).

    Of course, you'd want to do this before anybody had starting using that
    built-in account (which, while people really shouldn't be, they invariably
    do) for various services, applications, etc.

    If you choose to rename the now-disabled built-in Administrator account,
    great. If not, no biggie there, either. Regardless, you end up with an
    unusable Administrator account and still have another account that has all
    of its groups memberships and rights, but you haven't had to configure it
    yourself. Since Microsoft is pretty good at using "Administrators" for
    ACLing rather than the Administrator account, the copied account still
    retains permissions of the original account, as well.

    Laura

    > -----Original Message-----
    > From: DavidsonBK.Ctr@bic.usmc.mil
    > [mailto:DavidsonBK.Ctr@bic.usmc.mil]
    > Sent: Wednesday, November 16, 2005 10:48 AM
    > To: jbeauford@EightInOnePet.com; danderson@vikus.com
    > Cc: focus-ms@securityfocus.com
    > Subject: RE: Renaming Administrator account
    >
    > Jason you are correct that the account admin accounts retain the SID.
    > The only true way to mask the admin accounts is to create a
    > completely new user account that has the correct elevated
    > privileges for the account. This gives the account a unique
    > SID that does not have the identifying information on the
    > account as an admin account on the domain. If you look at
    > the SID of an admin account out of the box you will see that
    > the last 3 digits in the SID is -500. This designates that
    > the account is an admin account. If you look at a user
    > account it will have 4 digits (example
    > -4553 last digits in SID)
    > and is not recognized by a hacker as an admin account.
    >
    > Brian K Davidson, Contractor, Network Security Specialist
    > Information Systems Mailto:DavidsonBK.Ctr@bic.usmc.mil
    >
    >
    > -----Original Message-----
    > From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
    > Sent: Tuesday, November 15, 2005 5:35 PM
    > To: Derick Anderson; focus-ms@securityfocus.com
    > Subject: RE: Renaming Administrator account
    >
    >
    > Accounts retain their SID's when you rename them. Renaming
    > the admin account defeats "dumb" worms/virus/trojans etc, and
    > that's about it.
    > Determined black hats will know what to look for.
    >
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
    >
    > JMB
    >
    > | -----Original Message-----
    > | From: Derick Anderson [mailto:danderson@vikus.com]
    > | Sent: Tuesday, November 15, 2005 4:21 PM
    > | To: focus-ms@securityfocus.com
    > | Subject: Renaming Administrator account
    > |
    > | A question for the list, inspired by the server
    > | hardening/break in
    > | threads:
    > |
    > | Is changing the Administrator account name really
    > | worthwhile or not? My largely unfounded, sparsely
    > | researched opinion is this:
    > |
    > | So far I haven't read a convincing argument for
    > | changing the name of the administrator account, and
    > | there's one reason I've chosen not to - account
    > | lockout policy. Only the domain Administrator
    > | account is exempt from lockout unless there's a
    > | special dispensation for Domain/Enterprise admins I
    > | don't know about. So choosing another account (and
    > | thus changing the SID) would take away the
    > | protection(?) against a DoS attack on the
    > | Administrator account.
    > |
    > | As for providing extra security, I believe it's
    > | security by obscurity.
    > | In order to access password-based systems, you have
    > | a set of public knowledge (username) and private
    > | knowledge (password): known * unknown = unknown, or
    > | in a (non)mathematical sense for brute force attacks, 1 * ?
    > | = ?. Now let's say you change the Administrator
    > | password, what have you gotten? Unknown * unknown =
    > | unknown, or ? * ? = ?. You've changed the equation
    > | but not the outcome. I realize that changing the
    > | name prevents automated attacks but can't this be
    > | defeated by not allowing direct remote Administrator
    > | access? (no VPN account, no OWA account, servers
    > | locked up in a datacenter...)
    > |
    > | Basically what I'm asking is whether changing the
    > | account name is a fundamental princple or just icing
    > | on the cake.
    > |
    > | Derick Anderson
    >
    > --------------------------------------------------------------
    > ----------
    > ---
    > --------------------------------------------------------------
    > ----------
    > ---
    >
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Laura A. Robinson: "RE: Renaming Administrator account"

    Relevant Pages