I would concur that both ideas are flawed. I would caution on account
lockout because it's easy to do a DDoS against accounts with lockout
enabled.

What I would recommend:

Renaming the account and putting in a dummy Administrator account which
is disabled and only a member of the Guests group is an idea: you can look
for attempts to log in as Administrator, which will show up in the log and
will tip you off that something or someone is trying to use local
credentials to access a system.

The article is correct: if you can run code on the system to obtain the
hashes, then you can play pass-the-hash as the article shows, which
definitely can be done and works (the TruSec Security guys showed me that
one a few TechEds ago).

Also, you probably should disable the LM hash of the passwords on the system,
via the following article:

http://support.microsoft.com/kb/299656

Also, when you rename your administrator accounts, make sure you assign
each system a different complex password and run the passwords through
rainbow tables and hash crackers to test the password complexity.

And I think your VP might want to take your input to heart...

Z

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]
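Added example, not part of either message in this thread: a PowerShell function that implements the detection Ziots describes, flagging logon attempts against a disabled decoy account named Administrator (event IDs 4624/4625 in the Security log on Vista/2008 and later). The field names on the event objects and the sample events are assumptions and constructed data, not output from any real system.

```powershell
# Flag logon attempts against a decoy "Administrator" account. Assumes the
# real admin was renamed and a disabled decoy named "Administrator" exists.
# 4625 = failed logon, 4624 = successful logon (Vista/2008 and later).
function Get-DecoyLogonAttempts {
    param(
        # Objects with Id, TimeCreated, TargetUserName, IpAddress (assumed shape)
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $DecoyName = 'Administrator'
    )
    $Events |
        Where-Object { $_.Id -in @(4624, 4625) -and $_.TargetUserName -ieq $DecoyName } |
        Group-Object IpAddress |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                SourceIp  = $_.Name
                Attempts  = $_.Count
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $sorted[-1].TimeCreated
                # A disabled decoy should never log on; any success here is a serious alert.
                Succeeded = @($_.Group | Where-Object Id -eq 4624).Count
            }
        }
}

# Live use on a host (needs rights to read the Security log); flattens the
# XML event data into the object shape the function expects.
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-1)} |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         [pscustomobject]@{ Id=$_.Id; TimeCreated=$_.TimeCreated;
#                            TargetUserName=$d.TargetUserName; IpAddress=$d.IpAddress }
#     }
# Get-DecoyLogonAttempts -Events $live

# Constructed sample events for an offline run (two probes of the decoy from
# one source, plus ordinary traffic that must not be flagged).
$sample = @(
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2012-06-14 09:01:00'; TargetUserName='Administrator'; IpAddress='10.0.0.55' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2012-06-14 09:01:02'; TargetUserName='administrator'; IpAddress='10.0.0.55' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2012-06-14 09:03:10'; TargetUserName='jsmith';        IpAddress='10.0.0.12' }
    [pscustomobject]@{ Id=4624; TimeCreated=[datetime]'2012-06-14 09:04:00'; TargetUserName='svc-backup';    IpAddress='10.0.0.20' }
)
# Expected: one row for 10.0.0.55 with Attempts=2 and Succeeded=0.
Get-DecoyLogonAttempts -Events $sample | Format-Table -AutoSize
```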

From: Christopher Bodnar [mailto:[email protected]]
Sent: Thursday, June 14, 2012 9:05 AM
To: NT System Admin Issues
Subject: What is your take on this (built-in admin password and account
lockout)

One of our VPs just ran across this article and is asking for my input:

http://technet.microsoft.com/en-us/library/cc512606.aspx

Which seems to be recommending two things:

Leave the built-in administrator password blank
There is no need for account lockout to be enabled

I disagree with both assumptions. I also find it odd that this is an MS
recommendation. I'd like to hear others' thoughts on these comments.

Thanks,




Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise
Architecture and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]

The Guardian Life Insurance Company of America

http://www.guardianlife.com/


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
