Re: Rename Domain Admin Account
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Mon, 16 Jun 2008 22:03:44 +0200
Some people believe in it, some don't. What's the main reason?
Of course you can rename the account. However, before the attack I would search for the account that contains the RID of 500.
Read the rootDSE to get the domain part of the SID.
16-Jun-2008 22:01:42.51
[RFSRWDC1] C:\>adfind -default -s base objectSid
AdFind V01.37.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2007
Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Longhorn
Base DN: DC=ADCORP,DC=LAB
dn:DC=ADCORP,DC=LAB
objectSid: S-1-5-21-2524662531-667181895-3648062849
1 Objects returned
Add the -500 part to the domain SID, which is the default administrator account.
16-Jun-2008 22:01:44.67
[RFSRWDC1] C:\>adfind -default -f "objectSID=S-1-5-21-2524662531-667181895-3648062849-500" sAMAccountName
AdFind V01.37.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2007
Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Longhorn
Base DN: DC=ADCORP,DC=LAB
dn:CN=ADM.ROOT,CN=Users,DC=ADCORP,DC=LAB
sAMAccountName: ADM.ROOT
1 Objects returned
16-Jun-2008 22:01:55.15
[RFSRWDC1] C:\>
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
"Thor Kottelin" <thor@xxxxxxxx> wrote in message news:Och$Dc1zIHA.4876@xxxxxxxxxxxxxxxxxxxxxxx
"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message news:4EE787A3-3873-4A08-88FD-73780453DD43@xxxxxxxxxxxxxxxx
Renaming the account doesn't increase its security. Use a good (meaning long) passphrase and leave the account name at its default.
Hi Steve,
According to Microsoft, renaming the Administrator account is a "very simple yet effective procedure that should be a standard part of the hardening process for all servers" [1].
Since there usually, AFAIK, is no drawback, I do not see why renaming should be discouraged.
--
Thor Kottelin
http://www.anta.net/
Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
[1] http://www.microsoft.com/technet/serviceproviders/hmc4/CMSU_CM_Plan_CONC_Baseline_Server_Hardening.mspx?mfr=true
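The lookup described in the message above (domain SID plus RID 500), as an added example that is not part of the original thread: it encodes and decodes the binary form in which Active Directory stores objectSid, builds the equivalent binary LDAP filter, and picks the RID 500 account out of a directory listing whatever it has been renamed to. The function names and the sample entries (including the RID 1105 decoy) are constructed for illustration; only the domain SID and the ADM.ROOT name come from the adfind output.

```python
import struct

RID_ADMINISTRATOR = 500  # well-known RID of the built-in Administrator account
DOMAIN_SID = "S-1-5-21-2524662531-667181895-3648062849"  # from the adfind output above

def sid_to_bytes(sid):
    """Encode a string SID into the binary layout stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range in {sid!r}")
    # revision, count, 6-byte big-endian authority, then 32-bit little-endian sub-authorities
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def sid_from_bytes(raw):
    """Decode a binary objectSid value back into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def builtin_admin_sid(domain_sid):
    """Append RID 500 to a domain SID (S-1-5-21 plus three sub-authorities)."""
    parts = domain_sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 7:
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return f"{domain_sid}-{RID_ADMINISTRATOR}"

def objectsid_filter(sid):
    """LDAP filter matching objectSid by binary value, each byte escaped as \\XX."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in sid_to_bytes(sid)) + ")"

def find_rid500(domain_sid, entries):
    """Return the sAMAccountName whose objectSid is <domain SID>-500, or None."""
    target = sid_to_bytes(builtin_admin_sid(domain_sid))
    return next((name for raw, name in entries if raw == target), None)

# Constructed sample directory: a decoy named "Administrator" and the renamed account.
SAMPLE_ENTRIES = [
    (sid_to_bytes(DOMAIN_SID + "-1105"), "Administrator"),
    (sid_to_bytes(DOMAIN_SID + "-500"), "ADM.ROOT"),
]

if __name__ == "__main__":
    print(objectsid_filter(builtin_admin_sid(DOMAIN_SID)), find_rid500(DOMAIN_SID, SAMPLE_ENTRIES))
```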