Re: best practices: builtin administrator account in AD

From: Duane Laflotte (dlaflotte_at_criticalsites.com)
Date: 05/25/05


Date: Wed, 25 May 2005 10:12:41 -0400

Mocity,
     I'm the lead hacker in a corporate hacking division for a consulting
group. So I can tell you that renaming the account is a good first step but
will only stop the entry-level hackers. The Administrative SID will always
be the same even if the account is renamed (and the SID can be used for many
devious things). I usually recommend you not disable the account but
instead use VERY strong passwords for this account. You are allowed a 127
character password (last byte is used for null termination). So I would say
you take an entire paragraph from a book with odd characters or just 127 odd
characters and make that the password. Then write this down and lock it in
a safe somewhere. At 127 characters there is no known array of computers
that would be able to crack that password in our lifetime. Keep in mind
that passwords that are under 14 characters are very bad (NTLM Hash is
stored under 14 chars and is easy to crack).
Hope this helps,

Duane Laflotte
MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I
dlaflotte@criticalsites.com
http://www.criticalsites.com/dlaflotte

"mocity" <mocity@discussions.microsoft.com> wrote in message
news:EB7BFBE9-A467-4BC3-8F1F-6284EF9A3DE9@microsoft.com...
> Hi,
> I understand that renaming the builtin AD administrator account is a good
> idea, but is disabling this account an additional good security measure? I
> would have no problem disabling this account, except for the fact if all
> other Domain Administrative accounts got locked out I would have no way of
> logging to the domain with admin privileges except through rebooting a DC
> into Safe Mode which enables the builtin administrator account---but this
> would be a hassle. (I'm sort of paranoid of a scenario where a malicious user
> locked out all my admin accounts, and me having to do this).
> Is having this account enabled a security risk, because it cannot be locked
> and thus gives a person infinite attempts at cracking the password?
> Thanks.


