It's a well-known SID, aka 500, but if you can't enumerate the users on the system, how are you going to tell in the first place?

Disable the Null Sessions, which I hope people are doing, and proper ACLing of traffic cuts down on that stuff.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Thursday, June 14, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: What is your take on this (built-in admin password and account lockout)

On Thu, Jun 14, 2012 at 8:35 AM, Ziots, Edward <[email protected]> wrote:
> I would concur that both ideas are flawed. I would caution on account
> lockout because it's easy to do a DDOS against accounts with lockout enabled.
>
> What I would recommend:
>
> Renaming the account and putting in a dummy administrator account
> which is disabled and only a member of the guest group is an idea: (Can
> look for attempts to login as administrator which will show up in the
> log and will tip you off as to something or someone trying to use
> local credentials to access a system.)

Fails because the Administrator account is associated with a well-known SID.

Monitor the account, yes.

Create an account with the same privs and an innocuous name, then disable the Administrator account, yes.

The rest of your recommendations I definitely agree with...

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
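
An audit of the setup discussed in this thread, as an added example that is not from any of the posters: it finds the built-in account by its RID of 500 whatever it has been renamed to, checks the state of a decoy, and lists failed logons aimed at the name "Administrator". It assumes the decoy is the local account literally named `Administrator`, that the LocalAccounts cmdlets of Windows PowerShell 5.1 or later are available, and that the session is elevated so the Security log is readable.

```powershell
# Added example: audit the rename-plus-decoy arrangement on the local machine.

# The built-in Administrator always carries RID 500, regardless of its name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

# Assumption: the decoy is the non-RID-500 local account named "Administrator".
$decoy = Get-LocalUser | Where-Object {
    $_.Name -eq 'Administrator' -and $_.SID.Value -notmatch '-500$'
}

[pscustomobject]@{
    BuiltinName    = $builtin.Name
    BuiltinSid     = $builtin.SID.Value
    BuiltinEnabled = $builtin.Enabled
    BuiltinRenamed = $builtin.Name -ne 'Administrator'
    DecoyPresent   = [bool]$decoy
    DecoyEnabled   = if ($decoy) { $decoy.Enabled } else { $null }
}

# Local groups the decoy belongs to; the thread suggests Guests only.
if ($decoy) {
    Get-LocalGroup | Where-Object {
        $members = Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
        $members.SID.Value -contains $decoy.SID.Value
    } | Select-Object -ExpandProperty Name
}

# Failed logons (event 4625) that name "Administrator" in the last 24 hours.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq 'Administrator') {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Target    = $data['TargetUserName']
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
            Status    = $data['Status']
        }
    }
}
```

Hits in the last section are attempts against the well-known name; an attempt against the renamed RID-500 account would show that account's new name in `TargetUserName` instead.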
