RE: Renaming Administrator account
From: Derick Anderson (danderson_at_vikus.com)
Date: 11/16/05
- Previous message: Thor (Hammer of God): "Re: ISA Server or Firewall Appliance?"
- Maybe in reply to: Derick Anderson: "Renaming Administrator account"
- Next in thread: Laura A. Robinson: "RE: Renaming Administrator account"
- Reply: Laura A. Robinson: "RE: Renaming Administrator account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Nov 2005 12:57:35 -0500
To: <larobins@bellatlantic.net>, "Dubber, Drew B" <drew.dubber@eds.com>, <focus-ms@securityfocus.com>
Inline...
> -----Original Message-----
> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> Sent: Wednesday, November 16, 2005 12:43 PM
> To: 'Dubber, Drew B'; Derick Anderson; focus-ms@securityfocus.com
> Subject: RE: Renaming Administrator account
>
> Yes.
>
> Therefore, if you have your DCs in a secure site and still
> allow TS access to them, then you don't really have them in a
> secure site, at least as it pertains to locking out the
> Administrator account. This is why Win2K3 allows you to just
> disable the darned thing altogether. It's a lot easier than
> going through all the bending and twisting required to make
> your Administrator account actually "lockout-able". I made
> that word up. :-)
Surely you can remove the Administrator/Administrators group from TS
access using Group Policy? It's standard practice on Linux machines to
disable root login for SSH; the same principle would apply here I
suppose. I ask because while we don't allow Administrator VPN access (or
OWA for that matter), we do allow it for Terminal Services. TS isn't
available from the Internet though - I don't care what its service
record has been, there's not a chance that port is getting opened up.

I can understand why someone might want to be able to lock out the
administrator account, but isn't it a potential DoS if I can lock out
EVERY account in the domain? How (besides a restart in DSR mode) could
control be regained of the system? Personally I'm glad Administrator
can't get locked out - I'm sure someone would have done it already.
> By the way, if you copy the Administrator account, the copied
> account *is* subject to account lockout policies.
>
> Laura
>
Which would make it subject to our rather severe 5-attempt lockout
policy, enacted as the result of a SAS70 audit for the overly curious.
With a couple sys admins and a very complex password, it wouldn't be too
long before someone hit the limit (which is cleared once a day). I
suppose the answer will be, "It depends on your particular situation..."
=)
Derick Anderson
---------------------------------------------------------------------------
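The settings discussed in this message (renaming or disabling Administrator, the lockout threshold, and allowing or denying Terminal Services logon) all appear in a security template exported with `secedit /export /cfg`. The following is an added example, not part of the original thread: it parses such a template and reports whether the built-in Administrator is still reachable over TS. The function name `audit_admin_ts` and the sample template are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` template (not from the thread).
SAMPLE_INF = """\
[System Access]
LockoutBadCount = 5
NewAdministratorName = "Administrator"
EnableAdminAccount = 1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
"""

ADMINS_GROUP = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

def audit_admin_ts(inf_text):
    """Summarise how the built-in Administrator is exposed to Terminal Services."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep the template's key case
    cp.read_string(inf_text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    name = (access.get("NewAdministratorName") or "Administrator").strip().strip('"')

    def covers_admin(right):
        # True if the right lists the account by name, its RID-500 SID, or the group.
        for entry in (rights.get(right) or "").split(","):
            sid = entry.strip().lstrip("*").upper()
            if (sid == name.upper() or sid == ADMINS_GROUP
                    or (sid.startswith("S-1-5-21-") and sid.endswith("-500"))):
                return True
        return False

    enabled = (access.get("EnableAdminAccount") or "1").strip() != "0"
    allowed = covers_admin("SeRemoteInteractiveLogonRight")
    denied = covers_admin("SeDenyRemoteInteractiveLogonRight")
    return {
        "renamed": name.lower() != "administrator",
        "enabled": enabled,
        "lockout_threshold": int((access.get("LockoutBadCount") or "0").strip()),
        "ts_allowed": allowed,
        "ts_denied": denied,
        # Per the thread, this account is not locked out, so the threshold does not protect it.
        "ts_guessing_exposed": enabled and allowed and not denied,
    }

if __name__ == "__main__":
    print(audit_admin_ts(SAMPLE_INF))
```

A missing `EnableAdminAccount` key is treated as enabled and a missing `LockoutBadCount` as 0; both defaults are assumptions of this example.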