Your FW should block this functionality for normal users. Cheers Ken
-----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Friday, 15 June 2012 4:51 AM To: NT System Admin Issues Subject: Re: What is your take on this (built-in admin password and account lockout) On Thu, Jun 14, 2012 at 10:52 AM, Ziots, Edward <[email protected]> wrote: > It’s a well known sid aka 500, but if you can't enumerate the users on the > system how are you going to tell in the first place? Run as a standard user 'psgetsid \\computername administrator', and then you're off to the races. If it returns a SID that doesn't end in -500, well, you've got the significant portion of the SID, so use psgetsid to enumerate the SID with the -500 ending to get the name of the Administrator account. It just adds a very small extra step. However, if the account that whose SID ends in -500 is disabled (no matter what it's called), then the attacker has to try to enumerate all of the accounts on that machine, and figure out which one(s) have the desired privs - that's much harder, especially if you don't simply add the account to the Administrators group. The hard part is getting the credentials of a standard user... > Disable the Null Sessions, which I hope people are doing and proper ACLing of > traffic cuts down on that stuff. True. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
