Heh, this thread is killing me. :oP
As mentioned by the others, use the domain admins group,
not any specific domain admin user. The actual built in administrator account on
the domain really shouldn't be used. In fact best practices say set the password
on that object to some password/phrase > 15 characters (or > 25 or >
40, etc) with insane mix of special characters and upper/lower case and numbers
that isn't possible to memorize and then test it to make sure it actually works
and THEN place that password in an envelope and give it to someone in the IT org
high enough up the chain that it would be painful to get it back. Then the
standard is if you do get it back, you change that password following the same
rules again that same day. It should be the key under your mat that you use
only in dire emergencies. You should actually go years without logging into that
account. You should do daily monitoring of the last logon and password last set
values to make sure someone isn't holding out on you; that is just a script that
does the dump and compares.
I think the overall drift of this whole thing has been, how
do I prevent people from knowing my built-in administrator ID... If that is it,
I am not entirely sure it can be done. You can do things like specially ACL the
admin groups so that the group memberships can't be enumerated keeping in mind
that the groups you are talking about are Admin groups so AdminSDHolder
functionality comes into play so you will have to modify the adminSDHolder
object's perms. You would also have to block the users from viewing the actual
user accounts as well (think memberof) and again, think AdminSDHolder. You
would also probably prevent anonymous resolution of SIDs. The thing that kills
all of this however is how do you stop non-anonymous resolution of SIDs. I am
not entirely sure this is possible and the built-in administrator ID has a known
SID so as long as they can get the domain SID (multiple methods) they can get
the administrator ID name. You can and could block someone from doing an LDAP
lookup pretty easily, but if they use the system API calls to resolve a SID I
believe that all gets handled by the localsystem account and I am not about to
tell anyone to remove localsystem access to anything in their AD even if it
actually worked and prevented the system from seeing something (which I doubt it
would).
So the act of getting secure shouldn't be, how do I hide my
admin ID, it should be, how do I make the password so secure that even if
someone does know the ID they don't have a chance of using the account... That
means using a seriously strong password and not using the ID so that methods
that depend on it being used are foiled (think trojans or sniffing of some older
type authentication traffic, etc).
Also to say it one more time, ACL to groups, do not ACL to
users. No good can come of ACLing to users.
joe
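Added example, not part of joe's post or anything else in this thread: a PowerShell script that does the two things joe describes above. It finds the built-in Administrator by its well-known RID (domain SID + "-500") and resolves that SID to a name through the system API rather than LDAP, which is why renaming the account hides nothing; and it dumps pwdLastSet and lastLogon for that account and compares them with a stored baseline so any use of the "envelope" account is flagged. It assumes a domain-joined host with the RSAT ActiveDirectory module, read access to the account on every DC, and the baseline path is an arbitrary assumption.

```powershell
# Added example (not from the thread). Locates the built-in Administrator by RID 500,
# resolves the SID via LookupAccountSid (no LDAP), and compares pwdLastSet / lastLogon
# against a baseline file written on the first run.
# Assumptions: RSAT ActiveDirectory module present; $BaselinePath is an arbitrary location.
Import-Module ActiveDirectory

$BaselinePath = 'C:\AdminMonitor\builtin-admin-baseline.json'   # assumed path

function Get-BuiltinAdminSid {
    # Domain SID + "-500" is the built-in Administrator, whatever it is called today.
    "$((Get-ADDomain).DomainSID.Value)-500"
}

function Resolve-SidToName ([string]$Sid) {
    # .NET Translate() calls LookupAccountSid, so this works even where LDAP
    # enumeration of admin accounts has been ACLed off.
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-BuiltinAdminState {
    $sid  = Get-BuiltinAdminSid
    $user = Get-ADUser -Identity $sid -Properties pwdLastSet

    # lastLogon is not replicated, so take the newest value across all DCs.
    $lastLogon = 0L
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $sid -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -gt $lastLogon) { $lastLogon = [int64]$u.lastLogon }
    }

    [pscustomobject]@{
        Sid          = $sid
        ResolvedName = Resolve-SidToName $sid      # e.g. DOMAIN\Administrator, renamed or not
        SamAccount   = $user.SamAccountName
        Enabled      = $user.Enabled
        PwdLastSet   = [string]$user.pwdLastSet    # FILETIME ticks; kept as string for a safe JSON round-trip
        LastLogon    = [string]$lastLogon
        Checked      = (Get-Date).ToString('o')
    }
}

function Test-BuiltinAdminDrift {
    $now = Get-BuiltinAdminState
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the baseline and stop.
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        $now | ConvertTo-Json | Set-Content $BaselinePath
        Write-Output "Baseline written for $($now.ResolvedName) ($($now.Sid))"
        return
    }
    $base   = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $alerts = @()
    if ($now.PwdLastSet -ne $base.PwdLastSet) {
        $alerts += "pwdLastSet changed: $([DateTime]::FromFileTime([int64]$base.PwdLastSet)) -> $([DateTime]::FromFileTime([int64]$now.PwdLastSet))"
    }
    if ($now.LastLogon -ne $base.LastLogon) {
        $alerts += "lastLogon changed: now $([DateTime]::FromFileTime([int64]$now.LastLogon))"
    }
    if ($now.SamAccount -ne $base.SamAccount) {
        $alerts += "account renamed: $($base.SamAccount) -> $($now.SamAccount) (SID unchanged)"
    }
    if ($alerts) {
        # The envelope account was used or touched: raise it, and re-baseline only
        # after the password has been reset and re-sealed.
        $alerts | ForEach-Object { Write-Warning $_ }
    } else {
        Write-Output "No change to $($now.ResolvedName) since $($base.Checked)"
    }
}

Test-BuiltinAdminDrift
```

Run it once to write the baseline, then daily from a scheduled task. ResolvedName is produced from the SID alone, so it reports the current name of the account even after a rename; that is the same lookup an unprivileged user can perform, which is joe's point about hiding the ID.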
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
Deji,
You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of
course joe, and all the other heavyweights), but we're not confused on the
accounts and their memberships. I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything. As such, it's
pointless to rename him because he can be seen.
However, you might just convince me to try it if you will tell me how to
keep Users from viewing membership in AD of the Microsoft native groups, like
Domain Administrators. ;-)
That might be enough for me to try it.
RH
_________________________________
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Deji Akomolafe
Sent: Thursday, July 22, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:
Computername\AdministratorS - F
System - F
etc, etc.
You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator
Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in the second example. "Domain\Administrator" is a member of "Domain Admins", which is a member of Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a member of "Computername\AdministratorS".
Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed.
Now, as to how your ACL "may" be messed up by an account rename. You need to remember that an account's name is not THE significant part when ACE/ACL are concerned. It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename.
As to the problem you encountered after renaming a DA, I can only speculate that there was "something else" causing that. I ALWAYS rename my DAs. Been doing it for a while now without running into a similar problem.
Are you convinced yet?
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
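Added example, not part of Deji's post or anything else in this thread: a PowerShell script that builds the ACL Deji describes on a test folder (Computername\Administrators and SYSTEM with Full Control, no per-user entries at all) and then reads the ACEs back two ways, by name as Explorer shows them and by the SID that the ACE actually stores. Because the ACE holds the SID, renaming any account, Domain\Administrator included, changes the Name column at display time but not the entry itself. The folder path is an arbitrary assumption; run it elevated so Set-Acl succeeds.

```powershell
# Added example (not from the thread). Group-only ACL on a folder, then a dump of
# the stored ACEs keyed by SID rather than by name.
# Assumption: $Target is an arbitrary test path; inherited ACEs on it are dropped.
$Target = 'C:\Temp\LockedDown'

function Set-GroupOnlyAcl ([string]$Path) {
    New-Item -ItemType Directory -Force -Path $Path | Out-Null

    # Well-known SIDs, identical on every Windows machine and in every domain.
    $principals = @(
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
        [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # NT AUTHORITY\SYSTEM
    )

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; this ACL is fully explicit
    foreach ($sid in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-AclAsStored ([string]$Path) {
    $acl = Get-Acl -Path $Path
    # Ask for the rules keyed by SecurityIdentifier: that is what is on disk.
    # The Name column is resolved at display time (LookupAccountSid) and is the
    # only thing a rename would change.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $ace.IdentityReference
        $name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved SID>' })
        [pscustomobject]@{
            Sid    = $sid.Value
            Name   = $name
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
        }
    }
}

Set-GroupOnlyAcl -Path $Target
Show-AclAsStored -Path $Target | Format-Table -AutoSize
```

The output lists exactly two ACEs, S-1-5-32-544 and S-1-5-18, with no user account anywhere in the list; Domain\Administrator gets Full Control through its nested membership in Domain Admins and then BUILTIN\Administrators, which is the nesting Deji describes. SetAccessRuleProtection discards inherited entries, so keep this on a throwaway folder.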
From: Rocky Habeeb
Sent: Thu 7/22/2004 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
Rob,
We set permissions on our Users' PCs according to Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it.
If we rename the Domain Admin account to "JohnDoe" and then create a bogus account called "Administrator", obviously, when we go set permissions on a system, we are not going to select the "Administrator" account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select "JohnDoe" and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is?
As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again. Now convince me to do it.
RH
____________________________________________________________
