Thanks for all the replies , this gives me a lot to think about. Some things that we do in our environment:
- Local Admin account is renamed
- Local admin account has a complex password
- Local guest account is renamed
- Local guest account is disabled

Procedure is to never use the local admin account unless there is no other way to log on to the box. So it's only ever used in a troubleshooting scenario. We also have controls in place to monitor this usage. Our SIEM consumes the logs from all the servers and we generate a weekly report that shows usage of the local admin account. If it's used, it needs to match up to a ticket in our system for the user of the account. If one is not found, an investigation is initiated.

My main problem with the blank password is that any password should be better than a blank one.

Again, thanks for all of your input.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

From: "Ziots, Edward" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Date: 06-14-12 11:35 AM
Subject: RE: What is your take on this (built-in admin password and account lockout)

I would concur that both ideas are flawed. I would caution on account lockout because it's easy to do a DDOS against accounts with lockout enabled.

What I would recommend: Renaming the account and putting in a dummy administrator account which is disabled and only a member of the guest group is an idea. (You can look for attempts to log in as administrator, which will show up in the log and will tip you off as to something or someone trying to use local credentials to access a system.)
The article is correct: if you can run code on the system to obtain the hashes then you can play pass-the-hash as the article shows, which definitely can be done and works (TruSec Security guys showed me that one a few Tech Eds ago). Also you probably should disable the LM hash of the passwords on the system, via the following article: http://support.microsoft.com/kb/299656

Also when you rename your administrator accounts, make sure you assign each system a different complex password and run the passwords through rainbow tables and hash crackers to test the password complexity.

And I think your VP might want to take your input to heart...

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: Christopher Bodnar [mailto:[email protected]]
Sent: Thursday, June 14, 2012 9:05 AM
To: NT System Admin Issues
Subject: What is your take on this (built-in admin password and account lockout)

One of our VPs just ran across this article and is asking for my input: http://technet.microsoft.com/en-us/library/cc512606.aspx

Which seems to be recommending two things:

- Leave the built-in administrator password blank
- There is no need for account lockout to be enabled

I disagree with both assumptions. I also find it odd that this is a MS recommendation. I'd like to hear others' thoughts on these comments.

Thanks,

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

-----------------------------------------
This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
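The two controls discussed in this thread, Christopher's weekly SIEM report that matches every use of the renamed local admin account against a change ticket, and Edward's disabled decoy "Administrator" account whose logon attempts act as a tripwire, can be expressed as one small review script. The example below is added here and is not code from either poster or from their organizations; the account names (svc-breakglass, Administrator), the JSON export format, the host names, IPs and ticket IDs are all constructed for the illustration, and the logon-type filter reflects the standard Windows meanings of 4624/4625 logon types 2, 3 and 10.

```python
import json
from dataclasses import dataclass
from datetime import datetime

# Hypothetical names: the renamed built-in admin account, and the disabled
# decoy that keeps the well-known "Administrator" name (Edward's suggestion).
RENAMED_ADMIN = "svc-breakglass"
DECOY_ADMIN = "Administrator"

# Logon types that represent a person using the account:
# 2 = interactive, 3 = network (e.g. SMB/admin share), 10 = remote interactive (RDP).
WATCHED_LOGON_TYPES = {2, 3, 10}


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int      # 4624 = successful logon, 4625 = failed logon
    host: str
    user: str
    logon_type: int
    source_ip: str


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    host: str
    start: datetime
    end: datetime


def parse_events(lines):
    """Parse one JSON object per line (a flattened export of the Security-log
    fields a SIEM would index: time, event_id, host, user, logon_type, source_ip)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(Event(
            time=datetime.fromisoformat(rec["time"]),
            event_id=int(rec["event_id"]),
            host=rec["host"],
            user=rec["user"],
            logon_type=int(rec["logon_type"]),
            source_ip=rec.get("source_ip", "-"),
        ))
    return events


def ticket_for(event, tickets):
    """Return the ticket that authorises this logon (same host, time inside the
    ticket's window), or None when no ticket covers it."""
    for t in tickets:
        if t.host.lower() == event.host.lower() and t.start <= event.time <= t.end:
            return t
    return None


def review_breakglass(events, tickets):
    """Weekly review: every successful interactive/network/RDP logon of the
    renamed admin account must be covered by a ticket. Returns (matched,
    unmatched), each a list of (event, ticket_or_None); unmatched entries are
    the ones that should open an investigation."""
    matched, unmatched = [], []
    for e in events:
        if e.event_id != 4624 or e.user.lower() != RENAMED_ADMIN.lower():
            continue
        if e.logon_type not in WATCHED_LOGON_TYPES:
            continue
        t = ticket_for(e, tickets)
        (matched if t else unmatched).append((e, t))
    return matched, unmatched


def decoy_attempts(events):
    """Any logon attempt, successful or failed, as the decoy "Administrator"
    account is an alert: no legitimate process uses that name, so each hit is
    a tripwire for someone trying local credentials."""
    return [e for e in events
            if e.user.lower() == DECOY_ADMIN.lower() and e.event_id in (4624, 4625)]


# Constructed sample export: five events over one week.
SAMPLE_LOG = """
{"time": "2012-06-12T14:02:00", "event_id": 4624, "host": "SRV01", "user": "svc-breakglass", "logon_type": 2, "source_ip": "-"}
{"time": "2012-06-12T18:10:00", "event_id": 4624, "host": "SRV01", "user": "svc-breakglass", "logon_type": 10, "source_ip": "10.0.0.12"}
{"time": "2012-06-13T02:30:00", "event_id": 4624, "host": "SRV02", "user": "svc-breakglass", "logon_type": 3, "source_ip": "10.0.0.12"}
{"time": "2012-06-13T09:15:00", "event_id": 4625, "host": "SRV03", "user": "Administrator", "logon_type": 3, "source_ip": "10.0.0.55"}
{"time": "2012-06-13T09:16:00", "event_id": 4624, "host": "SRV03", "user": "jdoe", "logon_type": 2, "source_ip": "-"}
"""

# Constructed ticket: one approved break-glass window on SRV01.
SAMPLE_TICKETS = [
    Ticket("CHG-1001", "SRV01", datetime(2012, 6, 12, 12, 0), datetime(2012, 6, 12, 16, 0)),
]


def weekly_report(lines=None, tickets=None):
    """Build the report as counts; the caller decides how to present it."""
    events = parse_events((lines if lines is not None else SAMPLE_LOG).splitlines())
    matched, unmatched = review_breakglass(events, tickets if tickets is not None else SAMPLE_TICKETS)
    return {"matched": len(matched), "unmatched": len(unmatched),
            "decoy_attempts": len(decoy_attempts(events))}


if __name__ == "__main__":
    print(weekly_report())   # the sample yields 1 matched, 2 unmatched, 1 decoy attempt
```

Two of the three break-glass logons in the sample are unmatched: the SRV02 logon has no ticket at all, and the second SRV01 logon falls outside the approved window, which is the case a host-only match would miss. The decoy check deliberately counts failed logons too, since an attacker guessing the default name never gets a 4624.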