Re: best practices: builtin administrator account in AD
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/26/05
- Next message: Duane Laflotte: "Re: Worm vs a Trojan Horse -- differences?"
- Previous message: Steven L Umbach: "Re: Which persmisison to rename domain workstation"
- In reply to: mocity: "best practices: builtin administrator account in AD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 15:09:50 -0500
It is only a risk if you are using weak passwords in your domain. A lot of
networks are also taking another look at account lockouts because of what
you just described - all my accounts are locked out. There is an RK utility
called passprop that can allow the built-in administrator account to be
locked out for network logons only, if that is what you really want. I have
not tested it on Windows 2003 yet.

A better strategy may be to enforce strong and complex passwords or, better
yet, pass phrases. Users can remember a pass phrase better than a password
like yT55)x8t. A pass phrase such as "I forget my stupid password!" is much
stronger due to the length, and it still has upper case, lower case, and
punctuation characters. You also may want to consider smart cards for at
least your critical administrator accounts. In Windows 2003 you can
configure the built-in administrator account to require a smart card logon.

If strong passwords are enforced in the domain then you can consider
disabling account lockout [if not required by external organizations] and
be vigilant in monitoring your domain controller security logs for failed
logon attempts. If you still want to use account lockout then consider a
very short lockout period such as three minutes, which would be plenty long
to deter brute force password attempts while not inconveniencing users too
much. Other concerns would be that your administrators are trained not to
log on to non-admin workstations as a domain admin due to the risk of
keyboard loggers, malware, malicious scripts installed, etc. A regular domain
user account should be used to admin domain computers, and that account can
easily be added with Group Policy Restricted Groups.

--- Steve
"mocity" <mocity@discussions.microsoft.com> wrote in message
news:EB7BFBE9-A467-4BC3-8F1F-6284EF9A3DE9@microsoft.com...
> Hi,
> I understand that renaming the builtin AD administrator account is a good
> idea, but is disabling this account an additional good security measure? I
> would have no problem disabling this account, except for the fact that if all
> other Domain Administrative accounts got locked out I would have no way of
> logging on to the domain with admin privileges except through rebooting a DC
> into Safe Mode, which enables the builtin administrator account---but this
> would be a hassle. (I'm sort of paranoid of a scenario where a malicious user
> locked out all my admin accounts, and me having to do this.)
> Is having this account enabled a security risk, because it cannot be locked
> and thus gives a person infinite attempts at cracking the password?
> Thanks.
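The two controls Steve's reply leans on, checking the state of the built-in administrator account (which keeps RID 500 no matter what it is renamed to) and watching the DC security log for failed logon attempts against it, as an added PowerShell example that is not part of the original thread. It runs offline on constructed sample data; the live branch, which is only reached with `-Live`, assumes the ActiveDirectory module (`Get-ADDomain`, `Get-ADUser`) and `Get-WinEvent` on a DC. The renamed account `dom-root`, the source addresses and the threshold of 10 attempts are made-up values for the example. Failed logons are event ID 529 on Windows 2000/2003 and 4625 on Vista/2008 and later; the live query uses 4625.

```powershell
param([switch]$Live)   # added example, not the original poster's code

# userAccountControl bits relevant to the built-in administrator account
$UAC_ACCOUNTDISABLE     = 0x0002
$UAC_LOCKOUT            = 0x0010
$UAC_DONT_EXPIRE_PASSWD = 0x10000
$UAC_SMARTCARD_REQUIRED = 0x40000   # "Smart card is required for interactive logon"

function Get-AdminAccountStatus {
    param([Parameter(Mandatory)][int]$UserAccountControl, [string]$Name = 'Administrator')
    [pscustomobject]@{
        Name                 = $Name
        Disabled             = [bool]($UserAccountControl -band $UAC_ACCOUNTDISABLE)
        LockedOut            = [bool]($UserAccountControl -band $UAC_LOCKOUT)
        PasswordNeverExpires = [bool]($UserAccountControl -band $UAC_DONT_EXPIRE_PASSWD)
        SmartCardRequired    = [bool]($UserAccountControl -band $UAC_SMARTCARD_REQUIRED)
    }
}

# Summarise failed logons (records shaped as TargetUser / Source) per source host.
# Since RID 500 never locks out by default, a single source with many attempts
# against it is the signal the lockout policy would otherwise have given you.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$TargetUser,
        [int]$Threshold = 10   # assumed cut-off; tune to your environment
    )
    $Events |
        Where-Object { $_.TargetUser -eq $TargetUser } |
        Group-Object -Property Source |
        ForEach-Object {
            [pscustomobject]@{
                Target     = $TargetUser
                Source     = $_.Name
                Attempts   = $_.Count
                Suspicious = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object -Property Attempts -Descending
}

# Normalise real 4625 events to the shape above, reading named EventData fields
# from the XML instead of trusting positional Properties indexes.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = ([xml]$Event.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TargetUser = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source     = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    }
}

# --- Constructed sample: one host guessing against the renamed admin account ---
$sampleEvents = @(
    1..12 | ForEach-Object { [pscustomobject]@{ TargetUser = 'dom-root'; Source = '10.0.0.77' } }
    1..2  | ForEach-Object { [pscustomobject]@{ TargetUser = 'dom-root'; Source = '10.0.0.5'  } }
    [pscustomobject]@{ TargetUser = 'jsmith'; Source = '10.0.0.5' }
)

# Sample flags: enabled, password never expires, smart card required (0x10000 + 0x40000)
Get-AdminAccountStatus -UserAccountControl 0x50000 -Name 'dom-root' | Format-List
Get-FailedLogonSummary -Events $sampleEvents -TargetUser 'dom-root' | Format-Table

# --- Live check on a DC (ActiveDirectory module required) ---
if ($Live) {
    $sid   = "$((Get-ADDomain).DomainSID.Value)-500"     # built-in administrator, whatever its name
    $admin = Get-ADUser -Identity $sid -Properties userAccountControl
    Get-AdminAccountStatus -UserAccountControl $admin.userAccountControl -Name $admin.SamAccountName |
        Format-List
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 |
        ConvertFrom-FailedLogonEvent
    Get-FailedLogonSummary -Events $events -TargetUser $admin.SamAccountName | Format-Table
}
```

On the sample data the summary flags 10.0.0.77 (12 attempts) as suspicious and leaves 10.0.0.5 (2 attempts) alone, and the status object shows SmartCardRequired true and Disabled false. On a Windows 2003 DC the live branch would have to read event 529 from the classic event log instead of 4625, and a renamed account shows up in the log under its new name, which is why the script resolves it by SID rather than by the string "Administrator".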