
renaming the Default Administrator account

Status
Not open for further replies.
Jan 11, 2008
Hello all,

I am thinking about renaming our default Admin acct on our root servers as well as changing the password.

Has anyone experienced any problems after renaming the default Administrator acct or know of anything I should look out for?

Thanks!
 
I understand the process and benefits and disadvantages but just would like to know if anyone in the "real world" has experienced any trouble in doing so.

Thank you.
 
We're planning on doing this soon also, but haven't actually done it yet. One of the big things you need to look at is whether you have any jobs/services running under the domain admin account. The most obvious one is your backup jobs. As far as I remember, there's also a "credentials" tab on the DHCP server properties which is used for updating DNS records from DHCP leases - that might be another one to check. Sorry, I'm working from memory here, but I'll post back next week when I can check our documentation.

Once you've checked everything, I'd change the password. Once you're running OK for a week of two without any problems, then you could also rename the account. But bear in mind that renaming it will mean a new profile will be created on every machine the account logs onto.

Ideally, I'd create separate accounts for each admin to use (at a minimum). I'd then only use the admin account in emergencies/special circumstances only. This would also make auditing better.

I think you're less likely to run jobs/services under the administrator account if you don't use the account very often.

Hope this helps

Good Luck :)

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garden and Landscaping
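The dependency check described in the post above (services and jobs still logging on as the admin account), as an added example that is not from the thread. It locates the built-in Administrator by its well-known RID 500 rather than by name, so it works before or after a rename; it assumes Windows PowerShell 5.1 or later run elevated on the local server, and it audits the local built-in account (for the domain account, substitute Get-ADUser for Get-LocalUser).

```powershell
# Added example, not from the thread: pre-rename audit of the local built-in
# Administrator account. Run elevated on each server before changing the account.

# 1. Find the built-in Administrator regardless of its current name (RID 500).
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Could not locate the RID 500 account.' }
$adminName = $builtinAdmin.Name
Write-Host ("Built-in Administrator is currently named '{0}' (Enabled={1})" -f $adminName, $builtinAdmin.Enabled)

# Logon names under which a service or task definition may refer to this account.
$aliases = @(
    $adminName,
    ".\$adminName",
    "$env:COMPUTERNAME\$adminName"
)

# 2. Services whose logon account is the built-in Administrator.
#    (Win32_Service.StartName holds the logon account, e.g. 'LocalSystem' or '.\user'.)
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $aliases -contains $_.StartName } |
    Select-Object Name, StartName, State, StartMode

# 3. Scheduled tasks whose principal is the built-in Administrator.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and ($aliases -contains $_.Principal.UserId) } |
    Select-Object TaskName, TaskPath, @{ n = 'RunAs'; e = { $_.Principal.UserId } }, State

# 4. Report. Anything listed here must be repointed to a dedicated service
#    account before the rename or password change, or it will fail afterwards.
if ($services) { "`nServices running as ${adminName}:"; $services | Format-Table -AutoSize }
else           { "`nNo services run as $adminName." }
if ($tasks)    { "`nScheduled tasks running as ${adminName}:"; $tasks | Format-Table -AutoSize }
else           { "`nNo scheduled tasks run as $adminName." }
```

The DHCP "credentials" tab mentioned above is not covered by this script and still has to be checked by hand on each DHCP server.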
 
"But bear in mind that renaming it will mean a new profile will be created on every machine the account logs onto."

This should not be the case. Accounts are based on Security IDs. When you change the account name, you are not changing the SID. The registry and NTFS security maps the accounts based on the SIDs. So no new profile should be created.

As for the process, I would actually suggest doing things the other way around - Rename the account first - do not change the password first. Depending on potential password policies, you might have difficulty resetting the password back. But renaming the account should be easily done. Meaning if you rename it today, check your logs and reboot systems. If problems appear, you can rename it back and you'll have an opportunity to identify what needs updating.

I completely agree - best security practices have each admin with their own admin accounts. I would reset the password on the "standard" admin account (after it's renamed) and write it on a paper sealed in a security envelope. Leave this in a relatively secure place so that if your admins aren't available, you can talk a non-admin through something using that account without giving them your info (this isn't generally a problem if you have admins working 24x7).

And start making it standard practice - when a system comes in or a domain is built, the FIRST thing you do is rename the admin account. By doing so, you increase your level of security at least a little because now a hacker must identify the account as well as the password.

-Lee

Those who ask why, learn
 
I administer almost 6000 windows servers and we have renamed the admin account on all of them. We have modified the name in the local security policy and have not had issues. I have heard of issues when folks have modified the settings another way....

or I suppose you could use a GPO to do it.

Tamra Graver --CNA, Network+
*************************************
It is my job to comfort the disturbed
and disturb the comfortable..........
 
Renaming the account doesn't provide much security, since it still has the original SID, and that SID is always the same (and known). A hacker needs only target that SID.

A recommended practice is to copy the administrator account. Then, rename and disable the original administrator account. Use the new account for administration.

Much more secure.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Can you illustrate or provide a link to how a hacker can logon using the SID? I have never seen that. I'm not saying there aren't exploits, but you still need to know the domain SID and have local access to the network.

-Lee

Those who ask why, learn
 
Good information in that link... but it's not quite addressing my point. You STILL don't know the domain SID so even though you may know a good portion of it, you're missing several significant digits. Further, you haven't illustrated or linked to a method of using the sid over the user ID to compromise a system.

Again, I'm not saying that there aren't exploits, but it's certainly safer to rename the admin account than to leave it as "administrator" - I've seen plenty of log files that repeatedly try the "administrator" account on script... if it's not there, they can't use it.

I may be misremembering, but I thought at least in NT, you could not/should not disable the administrator account. And wouldn't that create problems on a system restore?

-Lee

Those who ask why, learn
 
Using tools like user2sid and sid2user you can easily get the SID for user accounts and vice versa, and as an attacker knows they are looking for a specific SID, i.e. one that ends in 500, they have the administrator user no matter what it has been renamed to. These tools can be run remotely against machines with no credentials necessary using null sessions, to which Windows is still susceptible.

Most firewalls block the ability to create null sessions from outside the network (UDP 137, 138, TCP 139 and another TCP port which I can't recall right now), but you are still vulnerable internally and if the attacker manages to compromise your firewall.



Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
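A defender's verification of the two points raised in the thread, Pat Richard's advice to rename and disable the original account in favour of a separate admin account and Paul's warning about null-session enumeration, as an added example that is not from the thread. It assumes Windows PowerShell 5.1 or later run elevated on the server, and the account name 'svc-ops-admin' is a placeholder for whatever replacement admin account you create.

```powershell
# Added example, not from the thread: checks one server for (a) the RID 500
# account being renamed and disabled with a replacement admin in place, and
# (b) the LSA settings that restrict anonymous (null session) enumeration,
# which is what user2sid/sid2user style lookups depend on.

$findings = New-Object System.Collections.Generic.List[string]

# (a) Built-in Administrator state, located by RID rather than by name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    $findings.Add("RID 500 account still carries the default name 'Administrator'.")
}
if ($builtin.Enabled) {
    $findings.Add("RID 500 account '$($builtin.Name)' is enabled; disable it once a replacement admin exists.")
}
$replacementName = 'svc-ops-admin'   # placeholder: your organisation's replacement admin account
$replacement = Get-LocalUser -Name $replacementName -ErrorAction SilentlyContinue
if (-not $replacement) {
    $findings.Add("Replacement admin account '$replacementName' not found; create it before disabling RID 500.")
} else {
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -eq $replacement.SID.Value }
    if (-not $isAdmin) { $findings.Add("'$replacementName' exists but is not a member of Administrators.") }
}

# (b) Anonymous enumeration restrictions under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @{
    RestrictAnonymous         = 1   # no anonymous enumeration of shares
    RestrictAnonymousSAM      = 1   # no anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous logons do not get Everyone permissions
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        $findings.Add("$name is '$actual', expected $($expected[$name]).")
    }
}

if ($findings.Count -eq 0) { 'All checks passed.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

On domain-joined servers the same settings are enforced centrally through Group Policy under Security Settings > Local Policies > Security Options, which is also where the "Accounts: Rename administrator account" policy mentioned earlier in the thread lives.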
 
Let's be clear - there is no such thing as a secure system - it's all managing risk. I'm still not seeing how you can use a PARTIAL SID - which is all one would have - to get the user name or a non-valid user name to get a full sid. If the account is named "administrator" then a tool like user2sid can display the SID information for the admin account... but how can you get the user name if the SID is only PARTIALLY known?

I'm not trying to hijack the question - I sincerely hope that the debate/discussion presented is proving of value both to the original asker and any subsequent readers.

-Lee

Those who ask why, learn
 
By using the tools mentioned before, all SIDs can be enumerated from AD. So an attacker sees a SID ending in 500 and knows it is the administrator user; then using sid2user it will reveal the name of the administrator account even if you have renamed it.



Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Thanks Pagy, I found a whitepaper on this at windowsecurity.com

Now, that answers part of my question about this issue... HOWEVER, knowing the SIDs, I still don't see how you can exploit the SID to gain access. Further, with a firewall blocking the appropriate ports, no one outside the domain will be able to access that information anyway.

To remind us all, I'm trying to understand, on behalf of myself and the asker, why simply renaming the admin account isn't at least a positive step.


-Lee

Those who ask why, learn
 
Thank you for all the information guys, I will certainly take it all into consideration during the planning phase of this change.

Once again I'm thankful to belong to a forum that has users ready to give expert advice from different points of view, as I do myself.

Thanks again fellas!
 