On Thu, Jun 14, 2012 at 10:52 AM, Ziots, Edward <[email protected]> wrote:
> It's a well known SID aka 500, but if you can't enumerate the users on the
> system how are you going to tell in the first place?

Run as a standard user 'psgetsid \\computername administrator', and then you're off to the races. If it returns a SID that doesn't end in -500, well, you've got the significant portion of the SID, so use psgetsid to enumerate the SID with the -500 ending to get the name of the Administrator account. It just adds a very small extra step.

However, if the account whose SID ends in -500 is disabled (no matter what it's called), then the attacker has to try to enumerate all of the accounts on that machine and figure out which one(s) have the desired privs - that's much harder, especially if you don't simply add the account to the Administrators group. The hard part is getting the credentials of a standard user...

> Disable the Null Sessions, which I hope people are doing, and proper ACLing of
> traffic cuts down on that stuff.

True.

> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Thursday, June 14, 2012 11:55 AM
> To: NT System Admin Issues
> Subject: Re: What is your take on this (built-in admin password and account
> lockout)
>
> On Thu, Jun 14, 2012 at 8:35 AM, Ziots, Edward <[email protected]> wrote:
>> I would concur that both ideas are flawed. I would caution on account
>> lockout because it's easy to do a DDOS against accounts with lockout enabled.
>>
>> What I would recommend:
>>
>> Renaming the account and putting in a dummy administrator account
>> which is disabled and only a member of the guest group is an idea. (Can
>> look for attempts to login as administrator, which will show up in the
>> log and will tip you off as to something or someone trying to use
>> local credentials to access a system.)
>
> Fails because the Administrator account is associated with a
> well-known SID.
>
> Monitor the account, yes.
>
> Create an account with the same privs and an innocuous name, then disable
> the Administrator account, yes.
>
> The rest of your recommendations I definitely agree with...
>
> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
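Editor's added example, not part of the thread: the psgetsid trick Kurt describes, done in PowerShell. It resolves one account you know exists on the target (Guest, RID 501, is assumed as the default because it cannot be removed) to get the machine SID prefix, appends RID 500 to get the built-in Administrator's SID whatever its current name, then walks the target's local users to find which one carries that SID and whether it is disabled. The function name and parameters are this example's own. It assumes the caller can read the target's SAM through the WinNT ADSI provider (the "standard user" access the post assumes); it enumerates the users rather than asking the local LSA to translate the remote SID, since that translation is not guaranteed to work across machines.

```powershell
function Get-BuiltInAdministrator {
    [CmdletBinding()]
    param(
        # Target machine; defaults to the local computer.
        [string]$ComputerName = $env:COMPUTERNAME,
        # Any account known to exist on the target, used only to learn the
        # machine SID prefix. Guest (RID 501) always exists, so it is the default.
        [string]$KnownAccount = 'Guest'
    )

    # Step 1: resolve a known account name to its SID and take the machine
    # (account domain) part, S-1-5-21-<a>-<b>-<c>.
    $known = [ADSI]"WinNT://$ComputerName/$KnownAccount,user"
    $knownSid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$known.Properties['objectSid'].Value, 0)
    $machineSid = $knownSid.AccountDomainSid

    # Step 2: the built-in Administrator is always RID 500 under that prefix,
    # no matter what the account has been renamed to.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        "$($machineSid.Value)-500")

    # Step 3: enumerate the target's local users and match on SID, not name.
    # ADS_UF_ACCOUNTDISABLE (0x0002) in UserFlags tells us whether it is disabled,
    # which is the case Kurt says actually makes the attacker's job harder.
    $container = [ADSI]"WinNT://$ComputerName"
    foreach ($child in $container.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            [byte[]]$child.Properties['objectSid'].Value, 0)
        if ($sid.Value -eq $adminSid.Value) {
            $flags = [int]$child.Properties['UserFlags'].Value
            [pscustomobject]@{
                ComputerName = $ComputerName
                Name         = [string]$child.Properties['Name'].Value
                SID          = $sid.Value
                Disabled     = (($flags -band 0x2) -ne 0)
            }
            return
        }
    }
    Write-Warning "No local account with SID $($adminSid.Value) found on $ComputerName"
}

# Usage (hypothetical host name):
#   Get-BuiltInAdministrator -ComputerName SERVER01
```

If the result comes back with a Name other than Administrator, renaming bought nothing; if Disabled is True, the attacker is back to enumerating group memberships to find the account that actually holds the privileges.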
