RE: Renaming Administrator account

From: Derick Anderson (danderson_at_vikus.com)
Date: 11/16/05

    Date: Wed, 16 Nov 2005 12:57:35 -0500
    To: <larobins@bellatlantic.net>, "Dubber, Drew B" <drew.dubber@eds.com>, <focus-ms@securityfocus.com>

    Inline...

    > -----Original Message-----
    > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > Sent: Wednesday, November 16, 2005 12:43 PM
    > To: 'Dubber, Drew B'; Derick Anderson; focus-ms@securityfocus.com
    > Subject: RE: Renaming Administrator account
    >
    > Yes.
    >
    > Therefore, if you have your DCs in a secure site and still
    > allow TS access to them, then you don't really have them in a
    > secure site, at least as it pertains to locking out the
    > Administrator account. This is why Win2K3 allows you to just
    > disable the darned thing altogether. It's a lot easier than
    > going through all the bending and twisting required to make
    > your Administrator account actually "lockout-able". I made
    > that word up. :-)

    Surely you can remove the Administrator/Administrators group from TS
    access using Group Policy? It's standard practice on Linux machines to
    disable root login for SSH; the same principle would apply here, I
    suppose. I ask because while we don't allow Administrator VPN access (or
    OWA for that matter), we do allow it for Terminal Services. TS isn't
    available from the Internet though - I don't care what its service
    record has been, there's not a chance that port is getting opened up.

    I can understand why someone might want to be able to lock out the
    administrator account, but isn't it a potential DoS if I can lock out
    EVERY account in the domain? How (besides a restart in DSR mode) could
    control be regained of the system? Personally I'm glad Administrator
    can't get locked out - I'm sure someone would have done it already.

    > By the way, if you copy the Administrator account, the copied
    > account *is* subject to account lockout policies.
    >
    > Laura
    >

    Which would make it subject to our rather severe 5-attempt lockout
    policy, enacted as the result of a SAS70 audit for the overly curious.
    With a couple sys admins and a very complex password, it wouldn't be too
    long before someone hit the limit (which is cleared once a day). I
    suppose the answer will be, "It depends on your particular situation..."
    =)

    Derick Anderson
