Debunking two myths about the Windows administrator account

by Michael Mullins CCNA, MCP
Translated by: endurer

English source: http://techrepublic.com.com/5100-1009_11-6043016.html?tag=nl.e101

Keywords: Microsoft Windows | Security | Windows 2000 | Microsoft Server 2003

Takeaway:
The administrator account has always been an appealing target for hackers, but the Windows administrator account can be particularly problematic. While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.
---------------------------------------------------------------------------
When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem—the administrator account comes with no password and an obvious default name ("administrator").

[endurer's note: 1. come with: to accompany; to be supplied together with]

While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.
[endurer's note: 1. take a look: to look at]

Myth: Renaming this account prevents hackers from finding it

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.

[endurer's note: 1. end in: to end with]

However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On the Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.

You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

[endurer's note: 1. in addition: moreover]

1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

Now, the only account with full administrative rights has a name known only to you—and hackers can't enumerate SIDs to find it!
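A local audit that checks both halves of this myth, as an added example that is not part of the original article: it locates the built-in account by its well-known RID 500 rather than by name (so a rename alone does not hide it), reports whether it has been renamed, disabled or locked out, and reads the on-disk forms of the two policies configured in the steps above. It assumes an elevated PowerShell 5.1 prompt on a current Windows host; the registry value RestrictAnonymous and the secedit template key LSAAnonymousNameLookup as the storage of those two policies are the author's assumptions here, not something the article states.

```powershell
# Added example: audit the built-in administrator (RID 500) and the anonymous
# enumeration settings discussed above. Run from an elevated PowerShell prompt.

# 1. Find the built-in account by SID suffix, not by name. A rename changes the
#    name but never the RID, which is the whole point of the myth above.
$builtin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

if (-not $builtin) {
    Write-Warning "No RID-500 account found (unexpected on a standalone host)."
} else {
    [pscustomobject]@{
        Name     = $builtin.Name
        Renamed  = ($builtin.Name -ne 'Administrator')
        Disabled = $builtin.Disabled
        Lockout  = $builtin.Lockout
        SID      = $builtin.SID
    } | Format-List
}

# 2. 'Additional restrictions for anonymous connections' (Windows 2000) is stored
#    in the LSA RestrictAnonymous value: 1 = do not allow enumeration of SAM
#    accounts and shares, 2 = no access without explicit anonymous permissions.
#    Assumption: on Windows Server 2003 and later the same value (plus
#    RestrictAnonymousSAM for accounts only) backs the 'Network access' policies.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"RestrictAnonymous    = $($lsa.RestrictAnonymous) (1 or higher blocks SAM/share enumeration)"
"RestrictAnonymousSAM = $($lsa.RestrictAnonymousSAM)"

# 3. 'Network access: Allow anonymous SID/Name translation' has no plain registry
#    value; export the local security policy and read LSAAnonymousNameLookup from
#    the [System Access] section (assumed key name, present on 2003 and later).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)'
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line) {
    $val = $line.Matches[0].Groups[1].Value
    "LSAAnonymousNameLookup = $val (0 means anonymous SID/Name translation is disabled)"
} else {
    Write-Warning "LSAAnonymousNameLookup not present in the exported policy."
}
```

On a domain member, the policy values reported are the effective local settings after Group Policy has applied, so run gpupdate first if you have just changed the Default Domain Policy.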

Myth: You can't lock out the account after failed logon attempts

[endurer's note: 1. lock out: to shut out]

Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)

To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.

Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts.

However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.

Final thoughts
Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.

[endurer's note: 1. at heart: inwardly (essentially)]
