RE: XP admin shares

From: Schuler, Jeff (Jeff.Schuler@hit.cendant.com)
Date: 12/10/02

    From: "Schuler, Jeff" <Jeff.Schuler@hit.cendant.com>
    To: security-basics@securityfocus.com
    Date: Tue, 10 Dec 2002 14:45:55 -0700
    
    

    It's a somewhat little-known (though probably well known around here) fact
    that renaming the administrator account only buys you a limited increase in
    security.

    The administrator RID (relative ID) is ALWAYS 500. Even if you rename it,
    enumerating the SID for the Domain Users group, changing out the last few
    numbers with 500 and re-enumerating the box will quickly reveal the renamed
    account as well as what it was renamed to. This can be done using a tool
    like user2sid or sid2user, which will quickly let you know who the
    Administrator account really is.

    Mike makes a good point about passwords here, though, so that does buy you
    the increased security. Better to leave the admin account alone and get a
    bulletproof (though none truly are) password. That way if you get hit by a
    truck the company you work for isn't sitting there trying to figure out why
    their administrator account can't even change the screen saver. (Though it
    would be funny to watch.)

    It's important to change the enumeration of accounts, shares, etc. so that
    only people with explicit permissions can enumerate them. Otherwise the
    Everyone group has rights to enumerate the SID of any user on your box.

    A truly secure box is a powered down box, locked in a safe, guarded by
    dogs!!! :)

    Seriously though, I'm of the opinion that it's important to lock down the
    network access to the box so that people cannot even query the info. If
    someone can enumerate your user accounts, then they have a good list of
    people's accounts to social engineer from.

    -----Original Message-----
    From: Mike Cole [mailto:ColeM@ohca.state.ok.us]
    Sent: Monday, December 09, 2002 12:38 PM
    To: security-basics@securityfocus.com
    Subject: RE: XP admin shares

    Leon,

    What you can do is secure the built-in accounts (which constitute much
    greater than average targets of attack) by going to the Control Panel,
    Administrative Tools, Computer Management, System Tools, Local Users and
    Groups, then Users:

    - Rename the default Administrator account to a nonconspicuous name,
    change the account description to "User account," and enter a very long
    (up to 104 characters) and as difficult-to-guess a password as possible.
    Record the password on a piece of paper that you place in an extremely
    secure location, e.g., in your wallet or purse. Do not share this
    password with anyone else and do not leave the slip of paper on which
    the password is written where anyone else might see it. Use the built-in
    Administrator account, which in Windows XP (as in Windows 2000) does not
    lock out after excessive bad logon attempts, only for emergency access.

    - Create one additional account that is a member of the Administrators
    group for yourself and another for each person who needs to administer
    your system. Create an unprivileged account for each Administrator,
    also. Use the unprivileged account when you are engaged in normal
    activities such as web surfing, obtaining ftp access, and downloading
    mail. Use the privileged account only when you are performing system
    administration tasks.

    - Create a new, unprivileged account named "Administrator," a decoy
    account designed to deflect attacks designed to give unauthorized access
    to the Administrator account. Ensure that this account is in only the
    Guest group. Enter the description of "Built-in account for
    administering the system" (even though this is not true). Inspect your
    Event Logs often to determine whether people are trying to log on to this
    account.

    Michael

    |-----Original Message-----
    |From: Leon Pholi [mailto:L.Pholi@secureinteractive.com]
    |Sent: Sunday, December 08, 2002 6:28 PM
    |To: security-basics@securityfocus.com
    |Subject: XP admin shares
    |
    |Hi everyone,
    |
    |Just a quick one, does anyone know how to stop the default administrative
    |file shares in Win XP (professional edition)? One would think this would be
    |a standard part of locking down a box, but can't find much on it for XP.
    |
    |You can do it through Computer Management but they'll be re-enabled at
    |reboot, and the Win2k key of
    |HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks
    |doesn't seem to exist. Any ideas?
    |
    |Thanks,
    |Leon
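The three messages above turn into one check you can run on a box. What follows is an added example written for this archive page, not code posted by Jeff, Mike or Leon: it resolves the built-in Administrator by its RID of 500 whatever the account is called (the user2sid/sid2user step Jeff describes, using the .NET SecurityIdentifier and NTAccount classes instead of the old tools), tells Mike's decoy "Administrator" apart from the real one, pulls failed logons against the decoy out of the Security log, and reads or sets the registry values behind anonymous enumeration and the automatic admin shares that Leon asked about. It assumes Windows PowerShell 3.0 or later run as a local administrator on a standalone workstation (so the local Guest account stands in for Jeff's Domain Users group as the SID to start from); event ID 4625 is the Vista-and-later equivalent of the XP-era 529 failed-logon event, and the function names are the example's own. The registry values it touches are real, but none of them exists on a workstation by default, which is why Leon could not find AutoShareWks: it has to be created.

```powershell
# Added example, not part of the thread or any poster's code.
# Assumptions: Windows PowerShell 3.0+, run as a local administrator.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# user2sid / sid2user, as the .NET classes do it: name -> SID and SID -> name.
function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)   # 'COMPUTER\name' or 'name'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $s.Translate([System.Security.Principal.NTAccount]).Value
}

# Jeff's trick: take the SID of any known local account, keep the machine part
# (S-1-5-21-...) and swap the RID for 500. The name that comes back is the
# built-in Administrator whatever it has been renamed to. Guest (RID 501) is
# the starting point here; any local account would do.
function Get-RealAdministratorName {
    $known = ConvertTo-Sid "$env:COMPUTERNAME\Guest"
    ConvertFrom-Sid "$($known.AccountDomainSid.Value)-500"
}

# The same answer from WMI, plus every other local account and its RID: the
# view an attacker who is allowed to enumerate the box gets.
function Get-LocalAccountRid {
    Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                Rid      = [int]($_.SID -replace '^.*-(\d+)$', '$1')
                Disabled = $_.Disabled
            }
        }
}

# Mike's decoy: an account *called* Administrator that is not RID 500 is the
# decoy; the real one is whichever account carries RID 500.
function Test-DecoyAdministrator {
    $accounts = Get-LocalAccountRid
    [pscustomobject]@{
        RealAdministrator = ($accounts | Where-Object Rid -eq 500).Name
        DecoyPresent      = [bool]($accounts |
            Where-Object { $_.Name -eq 'Administrator' -and $_.Rid -ne 500 })
    }
}

# Pull one EventData field (e.g. TargetUserName) out of a Security event.
function Get-EventField {
    param($Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Failed logons against the decoy name (Mike's "inspect your Event Logs").
function Get-DecoyLogonAttempts {
    param([string]$DecoyName = 'Administrator', [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $DecoyName } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Source    = Get-EventField $_ 'IpAddress'
                LogonType = Get-EventField $_ 'LogonType'
            }
        }
}

# Leon's question and Jeff's "lock down enumeration": the values that control
# both. $null means the value is absent, i.e. the default (weak) behaviour.
function Get-EnumerationHardening {
    $lsa = Get-ItemProperty $LsaKey
    $srv = Get-ItemProperty $ServerKey
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous     # 1 = no anonymous enumeration of SAM accounts and shares
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM  # 1 = no anonymous enumeration of SAM accounts
        AutoShareWks         = $srv.AutoShareWks          # 0 = do not recreate C$ / ADMIN$ at service start
    }
}

function Set-EnumerationHardening {
    # -Force creates each value if it is absent, so this works on a fresh box.
    New-ItemProperty -Path $LsaKey    -Name RestrictAnonymous    -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $LsaKey    -Name RestrictAnonymousSAM -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ServerKey -Name AutoShareWks         -PropertyType DWord -Value 0 -Force | Out-Null
    # The Server service creates the admin shares at startup, which is why
    # deleting them in Computer Management does not survive a reboot. Restart
    # it for AutoShareWks to take effect; IPC$ stays, as logons need it.
    Restart-Service LanmanServer -Force
}

Get-RealAdministratorName
Test-DecoyAdministrator
Get-DecoyLogonAttempts
Get-EnumerationHardening
```

Run Get-EnumerationHardening before and after Set-EnumerationHardening to see the weak state next to the hardened one. Two caveats a practitioner will want: RestrictAnonymous = 1 stops anonymous enumeration but does not close null sessions entirely, and on machines that still serve pre-Windows 2000 clients or older trusts it can break browsing, so test it before rolling it out; and Get-RealAdministratorName needs the lookup to be done by someone who is already allowed to enumerate accounts, which is exactly the point Jeff makes about restricting that right.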