On Tue, 2005-11-15 at 16:21 -0500, Derick Anderson wrote:
> A question for the list, inspired by the server hardening/break in
> threads:
> 
> Is changing the Administrator account name really worthwhile or not? My
> largely unfounded, sparsely researched opinion is this:
> 
> So far I haven't read a convincing argument for changing the name of the
> administrator account, and there's one reason I've chosen not to -
> account lockout policy. Only the domain Administrator account is exempt
> from lockout unless there's a special dispensation for Domain/Enterprise
> admins I don't know about. So choosing another account (and thus
> changing the SID) would take away the protection(?) against a DoS attack
> on the Administrator account.

I would imagine (hope) that the lockout is based on the SID rather than
the username - perhaps someone more knowledgeable / from Microsoft can
confirm this?

> As for providing extra security, I believe it's security by obscurity.
> In order to access password-based systems, you have a set of public
> knowledge (username) and private knowledge (password): known * unknown =
> unknown, or in a (non)mathematical sense for brute force attacks, 1 * ?
> = ?. Now let's say you change the Administrator password, what have you
> gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the
> equation but not the outcome. I realize that changing the name prevents
> automated attacks but can't this be defeated by not allowing direct
> remote Administrator access? (no VPN account, no OWA account, servers
> locked up in a datacenter...)

It is security through obscurity - sorry to repeat old material, but to
save myself some typing, this is from another thread I posted to today:

[starts]
Whilst 'security through obscurity' as a *sole* security measure is a
bad idea, obscurity actually plays (and historically has played) a very
important part in security not just of IT systems. 

As a few examples, renaming the administrator account, non-obvious
forward or reverse DNS, whois sanitisation, and actually even encryption
are all security measures which are commonly accepted and have a greater
or lesser amount of 'obscurity' involved. The important thing is that
you don't rely on them - something which applies just as much to relying
on any one vendor's shiny, snakeoil security panacea as it does to
policies and reconfigurations like this.
[ends]

Although you can authenticate via SID in some instances (specifically on
the local machine and via kerberos, which uses the SID as the
identifier, I think), there are plenty of circumstances (such as RDP,
SMB and possibly also RPC - again, I may be wrong) in which the username
is used, and in these circumstances changing the administrative username
does raise the bar in terms of difficulty to break into the system.

> Basically what I'm asking is whether changing the account name is a
> fundamental principle or just icing on the cake.

I don't think it's a fundamental principle, but I think describing it as
'icing on the cake' is perhaps understating it - I wouldn't go quite as
far as to describe it as best practice, but I'd certainly classify it as
a commonly deployed and recommended security measure. Given the
difficulty of implementation (zero) and the net result (greater than
zero), I'd say there's no reason not to implement it unless you have a
specific reason not to.

 - James.
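The thread turns on two facts: renaming the built-in Administrator account does not change its SID (the relative identifier, RID 500, stays the same), and the lockout exemption follows that account rather than its name, while protocols that authenticate by username (RDP, SMB) fail at name lookup once the old name no longer exists. The following added example, which is not part of the mailing-list thread and uses constructed SIDs and failed-logon records, models both points: it identifies the built-in account from its SID alone and applies a lockout rule keyed on that SID.

```python
"""Added example (not from the thread): identify the built-in Administrator
account by RID 500 regardless of its display name, and evaluate an
account-lockout policy that exempts that account by SID.  All SIDs and
logon records below are constructed sample data."""
from collections import Counter

BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-500' into (revision, authority, subauthorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = tuple(int(p) for p in parts[3:])
    return revision, authority, subauths


def is_builtin_administrator(sid):
    """True for an account SID of the form S-1-5-21-<domain>-500.

    The name the account currently carries is irrelevant: renaming changes
    only the sAMAccountName, never the SID, so this check survives a rename.
    Group SIDs such as S-1-5-32-544 (Administrators) have a different shape
    and are rejected."""
    _revision, authority, subauths = parse_sid(sid)
    return (
        authority == 5
        and len(subauths) == 5
        and subauths[0] == 21
        and subauths[-1] == BUILTIN_ADMIN_RID
    )


# Constructed failed-logon records.  'sid' is None when the attempted
# username did not resolve to any account, as happens when an attacker keeps
# trying the literal name "Administrator" after the account has been renamed.
SAMPLE_FAILED_LOGONS = (
    [{"user": "Administrator", "sid": None}] * 5
    + [{"user": "svc-backup", "sid": "S-1-5-21-1111-2222-3333-1104"}] * 5
    + [{"user": "sysop", "sid": "S-1-5-21-1111-2222-3333-500"}] * 6
)


def evaluate_lockout(records, threshold=5):
    """Apply a lockout rule keyed on the SID.

    Returns which SIDs would be locked, how many attempts failed at name
    lookup (no SID), and how many reached the RID-500 account, which stays
    exempt from lockout under any name."""
    failures = Counter()
    unknown_name = 0
    builtin_admin = 0
    for rec in records:
        sid = rec["sid"]
        if sid is None:
            unknown_name += 1  # no such account: rejected before any password check
            continue
        if is_builtin_administrator(sid):
            builtin_admin += 1  # exempt from lockout, counted for visibility
            continue
        failures[sid] += 1
    locked = {sid for sid, n in failures.items() if n >= threshold}
    return {
        "locked": locked,
        "unknown_name_attempts": unknown_name,
        "builtin_admin_attempts": builtin_admin,
    }


if __name__ == "__main__":
    print(evaluate_lockout(SAMPLE_FAILED_LOGONS))
```

In the sample data the renamed account ("sysop") is found by its RID, not its name, and is never locked; the ordinary service account crosses the threshold and would be; and the attempts against the literal name "Administrator" never reach an account at all, which is the benefit the reply above attributes to renaming on username-based protocols.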
