Debunking two myths about the Windows Administrator Account
By Michael Mullins CCNA, MCP
Translation: endurer
http://techrepublic.com.com/5100-1009_11-6043016.html?tag=nl.e101
Keywords: Microsoft Windows | Security | Windows 2000 | Microsoft Server 2003
Takeaway:
The Administrator account has always been an appealing target for hackers, but the Windows Administrator account can be particularly problematic. While some people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.
---------------------------------------------------------------------------
When it comes to accessing accounts, the goal of every hacker is to get access to the Administrator (or root) account. On Windows systems, this can present a particular problem: the Administrator account comes with no password and an obvious default name ("Administrator").
While some people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows Administrator account.
Myth: renaming this account prevents hackers from finding it
Windows 2000: This is false. The Windows 2000 Administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.
However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:
Open the Active Directory users and computers console.
Right-click the domain, and select Properties.
On the Group Policy tab, click Default Domain Policy, and select Edit.
Drill-down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
Double-click Additional restrictions for anonymous connections, and select the Define this policy option.
Select Do not allow enumeration of SAM accounts and shares from the drop-down list.
Click OK, and close the console.
Go to Start | Run, enter cmd, and click OK.
At the command prompt, enter gpupdate and press [Enter], then enter exit and press [Enter].
Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in Administrator account. But before disabling the account, you should still disable enumeration of SIDs.
You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional restrictions for anonymous connections), select Allow anonymous SID/Name translation, and make sure you've disabled the policy.
In addition, before you disable the Administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:
Log on with the new administrator account, open the Active Directory Users and Computers console, and select the Users container.
Right-click the name of the default Administrator account, and click Properties.
On the Account tab, select the Account is disabled check box under Account options, and click OK.
Now, the only account with full administrative rights has a name known only to you, and hackers can't enumerate SIDs to find it!
Myth: You can't lock out the account after failed logon attempts
Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)
To configure this account to lock out after X failed logon attempts, you need a tool called passprop.exe. You can find this utility in the netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.
Windows Server 2003: This is also false! As on Windows 2000, you can use the passprop.exe utility to set the Administrator account to lock out after X failed logon attempts.
However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default Administrator account for both network and interactive logons after X failed logons. Make sure you have a backup method for unlocking this account.
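The following audit script is an added example, not part of Mullins's article, and checks on a current Windows host the three controls discussed under both myths: whether the RID-500 account has been renamed and disabled, whether anonymous SAM/share enumeration and SID/Name translation are blocked, and whether any lockout threshold is set at all. It assumes the modern equivalents of the policies named above (the RestrictAnonymous values under the Lsa registry key and the LSAAnonymousNameLookup setting in a secedit export) and an elevated PowerShell session.

```powershell
# Added audit example; not from the original article. Run elevated.
# Assumption: the registry/secedit names below are the modern equivalents of
# the Windows 2000/2003 policies the article describes.

function Get-BuiltinAdminStatus {
    # The built-in Administrator keeps RID 500 whatever it is renamed to, so
    # locate it by SID suffix, which is exactly what SID enumeration relies on.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
            Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        CurrentName = $acct.Name
        Renamed     = ($acct.Name -ne 'Administrator')
        Disabled    = [bool]$acct.Disabled
        LockedOut   = [bool]$acct.Lockout   # a lockout is in effect right now
    }
}

function Get-AnonymousAccessStatus {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # "Allow anonymous SID/Name translation" lives in the LSA policy database
    # rather than a registry value, so read it from a secedit export.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $m = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)'
    $lookup = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # RestrictAnonymous 1 = "Do not allow enumeration of SAM accounts and shares"
        SamAndShareEnumBlocked = ($lsa.RestrictAnonymous -ge 1)
        SamEnumBlocked         = ($lsa.RestrictAnonymousSAM -eq 1)
        AnonSidNameTranslation = ($lookup -eq '1')   # should be False
    }
}

function Get-LockoutThreshold {
    # "Never" means failed logons never lock out any account, including this one.
    $line = (net accounts) | Select-String 'Lockout threshold'
    ($line -replace '.*:\s*', '').Trim()
}

Get-BuiltinAdminStatus
Get-AnonymousAccessStatus
Get-LockoutThreshold
```

A result of Renamed=False, Disabled=False, AnonSidNameTranslation=True or a threshold of "Never" is the state the article warns about; the Group Policy steps above are the fix.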
Final Thoughts
Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.