RE: Renaming Administrator account

From: Derick Anderson (danderson_at_vikus.com)
Date: 11/16/05

    Date: Wed, 16 Nov 2005 12:57:35 -0500
    To: <larobins@bellatlantic.net>, "Dubber, Drew B" <drew.dubber@eds.com>, <focus-ms@securityfocus.com>
    
    

     
    Inline...

    > -----Original Message-----
    > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > Sent: Wednesday, November 16, 2005 12:43 PM
    > To: 'Dubber, Drew B'; Derick Anderson; focus-ms@securityfocus.com
    > Subject: RE: Renaming Administrator account
    >
    > Yes.
    >
    > Therefore, if you have your DCs in a secure site and still
    > allow TS access to them, then you don't really have them in a
    > secure site, at least as it pertains to locking out the
    > Administrator account. This is why Win2K3 allows you to just
    > disable the darned thing altogether. It's a lot easier than
    > going through all the bending and twisting required to make
    > your Administrator account actually "lockout-able". I made
    > that word up. :-)

    Surely you can remove the Administrator/Administrators group from TS
    access using Group Policy? It's standard practice on Linux machines to
    disable root login for SSH; the same principle would apply here I
    suppose. I ask because while we don't allow Administrator VPN access (or
    OWA for that matter), we do allow it for Terminal Services. TS isn't
    available from the Internet though - I don't care what its service
    record has been, there's not a chance that port is getting opened up.

    I can understand why someone might want to be able to lock out the
    administrator account, but isn't it a potential DoS if I can lock out
    EVERY account in the domain? How (besides a restart in DSR mode) could
    control be regained of the system? Personally I'm glad Administrator
    can't get locked out - I'm sure someone would have done it already.

    > By the way, if you copy the Administrator account, the copied
    > account *is* subject to account lockout policies.
    >
    > Laura
    >

    Which would make it subject to our rather severe 5-attempt lockout
    policy, enacted as the result of a SAS70 audit for the overly curious.
    With a couple sys admins and a very complex password, it wouldn't be too
    long before someone hit the limit (which is cleared once a day). I
    suppose the answer will be, "It depends on your particular situation..."
    =)

    Derick Anderson
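
Added example, not part of the original message or written by anyone in the thread: a small audit of an exported security template that checks whether the Administrators group can still log on through Terminal Services and what the lockout threshold is. The sample template is constructed, and the script assumes the INF layout produced by `secedit /export /cfg` with rights listed as SIDs.

```python
import configparser

# Constructed sample in the INF layout that `secedit /export /cfg` writes.
# Values are illustrative; 5 attempts and a daily reset mirror the policy
# described in the message above.
SAMPLE_INF = """\
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 1440
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
"""

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID: BUILTIN\Administrators

def _sids(value):
    """Split '*S-1-5-32-544,*S-1-5-32-555' into a set of bare SIDs."""
    return {s.strip().lstrip("*") for s in value.split(",") if s.strip()}

def audit_ts_logon(inf_text):
    """Report whether Administrators can log on through Terminal Services."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the privilege names
    cp.read_string(inf_text)
    sec = "Privilege Rights"
    allow = _sids(cp.get(sec, "SeRemoteInteractiveLogonRight", fallback=""))
    deny = _sids(cp.get(sec, "SeDenyRemoteInteractiveLogonRight", fallback=""))
    threshold = cp.getint("System Access", "LockoutBadCount", fallback=0)
    # A deny logon right takes precedence over the matching allow right.
    # Only SIDs listed literally are checked; nested group membership and
    # rights set by other GPOs are outside what this one file shows.
    admins_can_ts = ADMINISTRATORS in allow and ADMINISTRATORS not in deny
    findings = []
    if admins_can_ts:
        findings.append("Administrators group may log on through Terminal "
                        "Services; grant TS access to named admin accounts "
                        "that are subject to lockout instead")
    if threshold == 0:
        findings.append("account lockout is disabled (LockoutBadCount = 0)")
    return {"admins_can_ts": admins_can_ts,
            "lockout_threshold": threshold,
            "findings": findings}

if __name__ == "__main__":
    for line in audit_ts_logon(SAMPLE_INF)["findings"]:
        print("FINDING:", line)
```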
