RE: Renaming Administrator account

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 11/16/05

  • Next message: Jim Harrison (ISA): "RE: ISA Server or Firewall Appliance?"
    Date: Wed, 16 Nov 2005 13:54:39 -0500
    To: "'Derick Anderson'" <danderson@vikus.com>, "'Dubber, Drew B'" <drew.dubber@eds.com>, <focus-ms@securityfocus.com>
    
    

    > I can understand why someone might want to be able to lock
    > out the administrator account, but isn't it a potential DoS
    > if I can lock out EVERY account in the domain?

    Any account lockout policy opens you to a potential DoS, Administrator
    account being included or not. Example: one of my credit card companies
    implements a three-attempt lockout policy for the web interface they provide
    for customers to manage their CC accounts. I have a LOT of logins and a lot
    of passwords, and I don't always remember the correct combination for every
    site I hit, especially those I use infrequently. I've only used that CC
    company's web UI three times due to the fact that they have what I consider
    to be a ridiculous lockout policy that I've been hit by every time I've used
    their web site.

    If your account gets locked out on this particular site, you have to call
    customer service and sit on hold for eons, then get somebody to reset your
    password, log in using it, change your password (and their history
    requirements mean that you can't even reset it to what you thought was your
    password for that account because the history is so long that you're likely
    to try to use one that you had, at some point, actually used for the
    account) and then do your thing. This whole process infuriates me because I
    think it's ridiculous that they have a policy that restrictive in place, so
    I don't use their web UI, and I don't use that credit card, either, because
    I'm tired of the B.S. involved with their lockout policy and it preventing
    me from managing my account online. Could I simply write down my user
    credentials for that site? Sure, but the problem there is that I have to
    remember that this site is one where I forget my credentials, then remember
    where I wrote down the username/password, then remember whether or not I
    changed it in my cheat *** after my last lockout-and-reset, etc. Besides,
    I just don't like writing down my credentials.

    Their overly restrictive lockout policy loses them money, because even if
    I'm the only person who doesn't use their credit card because of this
    annoyance, they're still losing MY business. I don't use that credit card.
    One of these days I'll get around to cancelling it- the last time I called
    to do so, they gave me all kinds of goodies to try to convince me to stay,
    so I gave in. Next time I think of it, though, I am just going to cancel it.
    And I *will* be cancelling it solely because of their lockout policy and the
    hassles it causes me. Not because of the interest rate, credit limit, or
    anything else related to the actual credit card. I'll cancel it purely
    because I am sick and tired of having to dig up their customer service
    number and go through all the hold-wait-verification crap just to get them
    to give me a temporary password that I'm then going to spend fifteen minutes
    trying to change to something that I can remember- which brings me back to
    why I forget the stinking thing in the first place.

    My real point is this- I can go to their site and start typing in random
    usernames that are highly likely to be in use (jsmith, lrobinson [I *know*
    this one is in use because I wasn't able to choose it as my username since
    it's in use by somebody else already], jjones, etc.). I do this three times
    and I've locked out that customer. If I feel like it, I can either automate
    this or I can just sit there typing junk until the cows come home, and I've
    just denied service to every single one of those customers whose usernames I
    tried, and the administrator account is irrelevant in this scenario. Service
    has been denied. A DoS doesn't inherently mean a denial of ALL service or
    denial of service to ALL accounts.

    Whether or not you utilize an administrator account that can be locked out
    is, in the end, not always relevant, because as far as denying service,
    you're going to hear a lot sooner from regular users who are DoS'd than you
    will from some admin discovering that the Administrator account got locked
    out for non-interactive logons. Yes, it can be problematic if every single
    account in your domain can be locked out, which is why you should implement
    policies that don't put you in the position that that happens. Maybe you
    copy the Administrator account and just require the built-in one to use
    smart card login (which you can do in Win2K3). Maybe you copy the
    Administrator account, require smart card login for that account and disable
    the Administrator account (which you can do in Win2K3). Maybe you look at
    account lockout policies and decide whether or not they're actually helping
    or hindering. I'm not espousing one approach over another; I'm just pointing
    out that each has its pros, cons and risks.

    > How (besides a
    > restart in DSR mode) could control be regained of the system?
    > Personally I'm glad Administrator can't get locked out - I'm
    > sure someone would have done it already.

    Well, if we're dealing with minutiae, I've actually forced the built-in
    Administrator account to delete itself without leaving a tombstone or any
    way to recover it, so again, the lockout or not issue becomes irrelevant. I
    believe the mechanism that I used to cause the Administrator account to
    self-implode has been fixed in Win2K3 SP1, but I've not done the
    self-imploding-Administrator-account trick since SP1 was released and
    therefore can't verify this. Trust me on this, however- at least prior to
    SP1, I can kill your Administrator account and hose your environment
    regardless of whether or not you allow it to be locked out.

    In answer to your question, however, if you have locked out every single
    account in your domain and if you require manual re-enabling of locked-out
    accounts, you've got a problem on your hands. Again, though, if you hadn't
    noticed this before every account in your domain got locked out, you either
    have a small domain or you have terrible auditing and review processes.

    >
    > > By the way, if you copy the Administrator account, the
    > copied account
    > > *is* subject to account lockout policies.

    >
    > Which would make it subject to our rather severe 5-attempt lockout
    > policy, enacted as the result of a SAS70 audit for the overly curious.
    > With a couple sys admins and a very complex password, it
    > wouldn't be too
    > long before someone hit the limit (which is cleared once a day). I
    > suppose the answer will be, "It depends on your particular
    > situation..."
    > =)

    This is one of the reasons that I think there should be an administrative
    account (or two) that is severely restricted in its logon parameters, such
    as requiring smart card logon, allowing it to log on to a specific set of
    machines only (you can do this with a copied Administrator account, but not
    with the built-in one), etc. If you're going to tweak this stuff, you want
    to leave yourself an out (or, as the case may be, an "in") so that you can
    fix what you muck up accidentally or because of the side effects of
    regulatory stringency or whatever. :-)

    I could debate this all day, but I'm even boring myself now.

    Laura
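
    The message above argues that a lockout storm against ordinary users is
    the real DoS, and that you should notice it through auditing before every
    account is locked. The following is an added illustration, not code from
    the thread: it parses constructed, simplified "User Account Locked Out"
    event lines (the text format, account names and computer names are made
    up; real events 644 / 4740 carry more fields) and flags a caller computer
    that locks out several distinct accounts in a short window, then checks
    whether any privileged "break-glass" account was among them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on the Windows "User Account
# Locked Out" security event (ID 644 on Windows 2003, 4740 on later versions).
# Timestamps, accounts and caller computers are invented for this example.
SAMPLE_LOG = """\
2005-11-16 13:40:02 EventID=644 TargetUserName=jsmith CallerComputerName=WS-KIOSK7
2005-11-16 13:40:09 EventID=644 TargetUserName=lrobinson CallerComputerName=WS-KIOSK7
2005-11-16 13:40:15 EventID=644 TargetUserName=jjones CallerComputerName=WS-KIOSK7
2005-11-16 13:40:21 EventID=644 TargetUserName=mbrown CallerComputerName=WS-KIOSK7
2005-11-16 13:40:30 EventID=644 TargetUserName=adminops CallerComputerName=WS-KIOSK7
2005-11-16 14:05:44 EventID=644 TargetUserName=dlee CallerComputerName=WS-HR12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"CallerComputerName=(?P<caller>\S+)$"
)
LOCKOUT_EVENT_IDS = {"644", "4740"}  # 2003-era and newer lockout event IDs

def parse_lockouts(text):
    """Return (timestamp, user, caller) tuples for lockout events only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") in LOCKOUT_EVENT_IDS:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("caller")))
    return events

def find_lockout_storms(events, window=timedelta(minutes=5), min_accounts=3):
    """Group lockouts by caller computer and flag any caller that locks out
    at least min_accounts distinct accounts inside one sliding window."""
    by_caller = defaultdict(list)
    for ts, user, caller in events:
        by_caller[caller].append((ts, user))
    storms = {}
    for caller, items in by_caller.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                storms[caller] = sorted(users)
                break
    return storms

def privileged_hits(storms, privileged):
    """Storms that touched a privileged or break-glass account (worth paging on)."""
    return {c: sorted(set(u) & privileged)
            for c, u in storms.items() if set(u) & privileged}
```

    Thresholds and the window are tuning knobs; the point is that one source
    locking out many different accounts is a distinct signal from one user
    mistyping a password.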


