RE: Renaming Administrator account

From: Derick Anderson (
Date: 11/16/05

    Date: Wed, 16 Nov 2005 12:57:35 -0500
    To: <>, "Dubber, Drew B" <>, <>


    > -----Original Message-----
    > From: Laura A. Robinson []
    > Sent: Wednesday, November 16, 2005 12:43 PM
    > To: 'Dubber, Drew B'; Derick Anderson;
    > Subject: RE: Renaming Administrator account
    > Yes.
    > Therefore, if you have your DCs in a secure site and still
    > allow TS access to them, then you don't really have them in a
    > secure site, at least as it pertains to locking out the
    > Administrator account. This is why Win2K3 allows you to just
    > disable the darned thing altogether. It's a lot easier than
    > going through all the bending and twisting required to make
    > your Administrator account actually "lockout-able". I made
    > that word up. :-)

    Surely you can remove the Administrator/Administrators group from TS
    access using Group Policy? It's standard practice on Linux machines to
    disable root login for SSH; the same principle would apply here, I
    suppose. I ask because while we don't allow Administrator VPN access (or
    OWA for that matter), we do allow it for Terminal Services. TS isn't
    available from the Internet though - I don't care what its service
    record has been, there's not a chance that port is getting opened up.

    I can understand why someone might want to be able to lock out the
    administrator account, but isn't it a potential DoS if I can lock out
    EVERY account in the domain? How (besides a restart in DSR mode) could
    control be regained of the system? Personally I'm glad Administrator
    can't get locked out - I'm sure someone would have done it already.

    > By the way, if you copy the Administrator account, the copied
    > account *is* subject to account lockout policies.
    > Laura

    Which would make it subject to our rather severe 5-attempt lockout
    policy, enacted as the result of a SAS70 audit for the overly curious.
    With a couple sys admins and a very complex password, it wouldn't be too
    long before someone hit the limit (which is cleared once a day). I
    suppose the answer will be, "It depends on your particular situation..."

    Derick Anderson

