
admin security

Status
Not open for further replies.

owilbur

Technical User
Aug 16, 2009
10
US
I want to protect the Domain Administrator account. Just renaming it does not serve my purpose. Can I rename the Administrator account so it appears as a regular user account and rename a regular user account as the Administrator account?

Let me explain. I give you the 'Administrator' password. You think you can log on as Administrator. You stop trying to guess the Administrator password.

I rename Bob as Administrator. I don't give Bob the usual Administrator access, but just enough access so that in a limited stab at trying it, you don't immediately recognize it as a decoy (certain shares). In other words the account is not a disabled renamed account but one that works, kind of.

So would I rename Administrator as Joe and rename Bob as Administrator? If I log on as Joe would I have Administrator access or does the rename thing only work as far as hiding the real Administrator account, not being able to use it under a different name?
 
Yes you can do that. It can be controlled through a GPO.

What I've seen some companies do, is change the Administrator account to a normal user name that fits with the normal username format, then rename the Guest account to Administrator leaving the guest account disabled. This way there is an account called Administrator, but it is disabled so when someone tries to log in as "Administrator" they get an account disabled error.

The name used on workstations should be different from the one used on servers so that normal users can't find out the actual admin username.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
The account disabled error is what I want to avoid. If you think you have the Administrator password and want to give it a quick try and you get the error, then you know you don't have it and you keep doing what you do to get it.

If you think you have the key to the storage room full of Twinkies and the suspense is killing you, when nobody's looking you might walk by and put the key in the lock to see if it turns. When it does, you move on, thinking you can get to the Twinkies when you feel like it. It's not MI but in certain environments, it can slow down what may be an eventual inevitability.

GPO? You mean instead of doing it manually? What's your recommended strategy as to what gets renamed to what?
 
My best practice has always been to create a different account with appropriate rights. Then rename and disable the default domain admin account. The default domain admin account has a known SID, so even if you rename it, it can be searched for, from what I've read.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Yep, the default domain administrator always has a SID ending in 500 so using a program called sid2user an attacker has your administrator user name, even if you have renamed it, in a couple of minutes.

You can check out all the well-known SIDs here:




Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
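
The point made in the two replies above, that the built-in domain Administrator keeps a well-known SID ending in 500 whatever it is renamed to, can be checked from the defender's side. The PowerShell below is an added example, not part of the original thread; the domain SID and the accounts Joe, Administrator (the decoy) and Visitor are constructed sample data, and the function names are hypothetical.

```powershell
# Added example. The domain SID and all account names are constructed sample data.
# In a live domain, Get-ADUser (ActiveDirectory module) returns the same
# Name, SID and Enabled properties used here.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$accounts = @(
    [pscustomobject]@{ Name = 'Joe';           SID = "$domainSid-500";  Enabled = $true  }
    [pscustomobject]@{ Name = 'Administrator'; SID = "$domainSid-1105"; Enabled = $true  }
    [pscustomobject]@{ Name = 'Visitor';       SID = "$domainSid-501";  Enabled = $false }
)

function Get-AccountRole {
    # Classify an account by its SID alone; the display name is never consulted.
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $t = [System.Security.Principal.WellKnownSidType]
    if ($s.IsWellKnown($t::AccountAdministratorSid)) { return 'BuiltInAdministrator' }  # RID 500
    if ($s.IsWellKnown($t::AccountGuestSid))         { return 'BuiltInGuest' }          # RID 501
    return 'Ordinary'
}

function Get-RenameAudit {
    # Compare what each account is called with what its SID says it is.
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($a in $Accounts) {
        $role = Get-AccountRole -Sid $a.SID
        $finding = if ($role -eq 'BuiltInAdministrator' -and $a.Name -ne 'Administrator') {
            'Renamed built-in admin: the name hides it, the SID does not'
        } elseif ($role -ne 'BuiltInAdministrator' -and $a.Name -eq 'Administrator') {
            'Decoy: carries the name, but the SID shows it is not the built-in admin'
        } elseif ($role -eq 'BuiltInAdministrator' -and $a.Enabled) {
            'Built-in admin under its default name and enabled'
        } else { 'No finding' }
        [pscustomobject]@{ Name = $a.Name; Role = $role; Enabled = $a.Enabled; Finding = $finding }
    }
}

Get-RenameAudit -Accounts $accounts | Format-Table -AutoSize
```

The output separates the three accounts by SID, so a working decoy named Administrator only affects someone who goes by the name alone.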
 
Do you mean rename and disable the domain admin account? The plan requires that the intruder uses an account called "Administrator" and does not get the disable error.
 
Here's what I would do: go to your AD, create a new user *bob*, give *bob* all the admin rights, then take your administrator account and give it user rights. If someone wanted to find out what your admin account is, they're going to have to look through all your user accounts. Let me know if this works.
 