RE: Renaming Administrator account
From: Dubber, Drew B (drew.dubber_at_eds.com)
Date: 11/16/05
- Previous message: Laura A. Robinson: "RE: Renaming Administrator account"
- Maybe in reply to: Derick Anderson: "Renaming Administrator account"
- Next in thread: Laura A. Robinson: "RE: Renaming Administrator account"
- Reply: Laura A. Robinson: "RE: Renaming Administrator account"
Date: Wed, 16 Nov 2005 17:24:51 -0000
To: <larobins@bellatlantic.net>, "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>
Hmmm going completely off on a tangent here, does this mean that if you
run a MSTSC console session to a DC you are exempt from the lockout
policies set by passprop? Interesting (almost anyway!!!) I wouldn't be
too bothered about the log on locally thing otherwise cos if you ain't
got your DC's site secure you're kinda asking for trouble anyway :)
Kind regards
Drew
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: 16 November 2005 17:10
To: Dubber, Drew B; 'Derick Anderson'; focus-ms@securityfocus.com
Subject: RE: Renaming Administrator account
I was going to mention passprop, as well, but it does have some issues
such as a bit of flakiness if you use the NT4 version of it on a post-NT
system, and the Win2K version is buried in a .cab file in the reskit for
Win2K.
Also, of course, passprop only allows for over-the-network Administrator
account lockout; the account can still log on locally to DCs regardless.
Of course, this all leads me to want to discuss the pros and cons of
account lockout policies themselves, but I don't have enough time right
now to be all loquacious and brilliant and starting big long
philosophical discussions. :-)
Laura
> -----Original Message-----
> From: Dubber, Drew B [mailto:drew.dubber@eds.com]
> Sent: Wednesday, November 16, 2005 11:07 AM
> To: Derick Anderson; focus-ms@securityfocus.com
> Subject: RE: Renaming Administrator account
>
> Have a look at passprop, that allows you to make the admin account
> subject to lockout. Whether you want to or not is another matter...
>
> In my opinion, I like icing on cakes! :) At the very least someone has
> to make a conscious effort to find the admin account first.
>
> Kind regards
> Drew
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: 16 November 2005 03:02
> To: Derick Anderson; focus-ms@securityfocus.com
> Subject: RE: Renaming Administrator account
>
> If you rename the domain administrator account, it is still the
> "administrator" account and is not subject to account lockout
> policies.
> This policy utilizes the administrator well known sid to determine the
> administrator account, not the name of the account. While it is
> security through obscurity, it will protect you against most worms
> that are in the wild that target the administrator account.
>
> Dennis
>
> -----Original Message-----
> From: Derick Anderson [mailto:danderson@vikus.com]
> Sent: Tuesday, November 15, 2005 4:21 PM
> To: focus-ms@securityfocus.com
> Subject: Renaming Administrator account
>
> A question for the list, inspired by the server hardening/break in
> threads:
>
> Is changing the Administrator account name really worthwhile or not?
> My largely unfounded, sparsely researched opinion is this:
>
> So far I haven't read a convincing argument for changing the name of
> the administrator account, and there's one reason I've chosen not to -
> account lockout policy. Only the domain Administrator account is
> exempt from lockout unless there's a special dispensation for
> Domain/Enterprise admins I don't know about. So choosing another
> account (and thus changing the SID) would take away the protection(?)
> against a DoS attack on the Administrator account.
>
> As for providing extra security, I believe it's security by obscurity.
> In order to access password-based systems, you have a set of public
> knowledge (username) and private knowledge (password):
> known * unknown = unknown, or in a (non)mathematical sense for brute
> force attacks, 1 * ? = ?. Now let's say you change the Administrator
> password, what have you gotten? Unknown * unknown = unknown, or
> ? * ? = ?. You've changed the equation but not the outcome. I realize
> that changing the name
> prevents automated attacks but can't this be defeated by not allowing
> direct remote Administrator access? (no VPN account, no OWA account,
> servers locked up in a datacenter...)
>
> Basically what I'm asking is whether changing the account name is a
> fundamental principle or just icing on the cake.
>
> Derick Anderson
---------------------------------------------------------------------------
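The thread's point that the built-in Administrator is identified by its well-known SID (a domain SID ending in RID 500) and not by its name can be checked during an account audit. The following is an added example, not code from any poster in the thread: it decodes binary SIDs as stored in a directory's objectSid attribute and labels each account. The domain identifier, account names and the helper names (`make_sid`, `classify`) are constructed for illustration.

```python
import struct

# Constructed sample domain identifier (three 32-bit sub-authorities).
DOMAIN = (1004336348, 1177238915, 682003330)

def make_sid(rid):
    """Build a binary domain-account SID; used only to create sample data."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, *DOMAIN, rid)

def sid_from_bytes(raw):
    """Decode a binary SID into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def is_builtin_administrator(sid):
    """True for S-1-5-21-<domain x3>-500, whatever the account is called."""
    parts = sid.split("-")
    return (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and all(p.isdigit() for p in parts[4:]) and parts[7] == "500")

def classify(accounts):
    """Label each (name, binary SID) pair by what the SID says, not the name."""
    result = {}
    for name, raw in accounts:
        if is_builtin_administrator(sid_from_bytes(raw)):
            result[name] = "built-in Administrator"
        elif name.lower() == "administrator":
            result[name] = "decoy (name only)"
        else:
            result[name] = "ordinary account"
    return result

# Constructed sample export: a renamed RID 500 account, a decoy, a normal user.
SAMPLE = [("svc_ops", make_sid(500)),
          ("Administrator", make_sid(1105)),
          ("jsmith", make_sid(1110))]

if __name__ == "__main__":
    for name, label in classify(SAMPLE).items():
        print(f"{name:15} {label}")
```
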