Re: Renaming W2K AD Administrator Account
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/17/05
- Previous message: Steven L Umbach: "Re: VPN users not prompted to change their domain passwords"
- In reply to: Les: "Re: Renaming W2K AD Administrator Account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Mar 2005 22:23:27 -0700
"Les" <Les@discussions.microsoft.com> wrote in message
news:3C85BF01-0215-4227-838C-A7A415D132E9@microsoft.com...
> "Roger Abell" wrote:
>
> > You may also want to ask them just what they believe this will
> > accomplish. Doing as they recommend was pretty standard back
> > in NT 4 days, but in a deeper analysis one most often finds that
> > in a properly deployed/secured AD doing this does not really
> > gain one much if anything.
>
> All my study material says to do this to lessen the chance of a brute force
> attack on the administrator password since the account name is known to
> hackers. You probably shouldn't name the 'new' admin account admin or root
> either as those are popular too.
>
> I'm not sure why you'd leave the administrator account active though (even
> with minimal access/rights/permissions) unless the event log wouldn't log any
> irregularities if the account wasn't there.

Granted.
Some ideas die hard once training texts latch onto them.

Often the bigger threat is from inside, and one with an account
for domain login and an infected machine can end up hammering
authentication interfaces with all of the actual accounts. If it is
just guess / blind attempts, this type of thing most commonly
comes from machines without access to enumerate the accounts,
which often means from outside - and these should really not
be able to hammer on the most commonly programmed authentication
interfaces.

In any case, lockout seems to be falling out of favor due to its
rather high expense when accounts do get locked. Instead,
more strong methods for credential management are coming
into play (two factor forms, lengthy passphrases, etc.)

I used to advocate renaming Administrator, defining a Junk
group, defining a new Administrator account making its primary
and only group membership be in Junk (which was used nowhere
other than for this), and to then disable the account.

I now question the value of doing this. Back then one could not
disallow use of Administrator over the network as one now can.

I also do not use the built-in Administrator account, but rather just
hold it in reserve with a long, strong passphrase.

-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA