Deleting the admin account? Thoughts - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Deleting the admin account? Thoughts

  1. #11
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I'll follow the ss2chef here. The name "Administrator" is just a name that easier to remind that a SID. If you find a program that doesn’t work because the “administrator” name is required, it’s because the software provider doesn’t follow Windows API. I never play with Recovery Console but I think it would suck if the recovery console doesn’t work because the administrator login is change!
    -Simon \"SDK\"

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Yeah, you can rename the Adminstrator account to anything you like through the LSP in Win2k as has been said. In Win XP Pro you can rename it through My Computer - Manage. As has also been said the SUID will remain 500 so anyone looking with SID2User or User2SID will see the true admin account because of it's 500 SUID.

    I'll make a couple of thoughts here.....

    If I can use the User/SID tools I'm far too close to rooting the network anyway for a renamed Administrator account to be "scarey". If you've allowed the attacker this close and not noticed then you will probably be rooted soon.

    I like renaming the Administrator account on machines that are publicly available. Then I make a new account called Administrator. If some attempts to brute force the administrator account remotely then it falls under the account lockout policy, which the 500 SUID doesn't. I can then be alerted on an account lockout on the box.... It's quicker and easier than looking for mass attempts in a brute force attack on the 500 account. The lockout policy is for 3 days so the attcker is really screwed. Additionally, and because I am a little bit evil, I deny access to the entire C: drive to the new Administrator so even if they get really lucky they can't do a darned thing.....

    Does all that tell them in no uncertain terms that the account they are attacking isn't the 500 SUID?.... Of course.... but I don't give a monkeys..... Once they realize that I have gone to that length to piss with them they have to know that brute forcing the username of the 500 account is useless.... Yes, it's more like a password than an account name.... And you can forget brute forcing the password in my lifetime... I use the entire character set including the extended ASCII......

    Finally, I have yet to have any issues with a renamed Administrator account... but that's more because "Administrator" is just a name..... The account is still the 500 SUID and that's what's used for authentication and the granting of rights and permissions.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #13
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    When I had to use the recovery console... I knew the admin password... but it wouldn't let me logon... it kept asking for "administrator" password... and I had renamed the user account...

    I'll have to see if that still doesn't work... last time I tried... I was unable to use the XP recovery console with the administrator account renamed...

    Am I just going crazy?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish:

    I never used the recovery console on a machine with a renamed Administrator account but I would suggest that is it requires the name administrator rather than acting properly, (per the protocols used in day to day management), then this would be a flaw.... Not a serious flaw in terms of security, but certainly the fact that it doesn't operate on the SUID system is a probem.... But this is why we image our disks isn't it?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #15
    Member
    Join Date
    Jun 2002
    Posts
    95
    you wouldnt change the administrator username if you are on a standalone machine with many people login on to it. however, on a network, you would change the domains administrator username. doing it this way doesnt harm recovery etc, as the LOCAL machine admin is still administrator. however, someone trying to attack a network has to search for the admin username you changed to get access to the network.

    cheers,

  6. #16
    Hey, I want to take a look at that --

    So you're saying it's a good idea to leave the local admin username in place, but change the domain admin username. That sounds promising, and is something I've been thinking about for our network in addition to shifting from passwords to passphrases.

    Anyone else care to expound upon that thought?

  7. #17
    Member
    Join Date
    Jun 2002
    Posts
    95
    yeah AngelicKnight,

    i work at a school with a medium-size (i spose) network of 240 computers (and high school kids). we basic dont care about the local machines, if they bugger up, we just ghost them and to connect to the domain we login as 'administrator' locally. however, the domain admin username we changed... it is so good to have. we search logs, and the ammount of "attacks" (used VERY loosely) by kids is at the "administrator" account.

    muwahahah :P

  8. #18
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Even though this particular article only applies to Win2k it says that the recovery console shows you that it is logging into the administrative account even if the name has been changed. It's just the the prompt doesn't show you what name you changed it to. It will still let you login. I've never seen anything that indicates that WinXP behaves differently.

    http://support.microsoft.com/default...b;en-us;258585

    In over 10 years of using NT I've never had any problems from changing the administrative account to another name. If you disable netbios, it will be rather hard for an attacker to determine what the name of the account is if they don't have any type of access to the machine. If you have a piece of software that relies on an account called administrator being there to function I wouldn't use that software.

    I never leave any accout called administrator with any type of administrative privileges.. Whether that is domain, or local system privileges.. All default administrator accounts are renamed, and new accounts are delegated the proper permissions.

    Many people have this problem with the recovery console and think it is because the account was renamed-
    http://support.microsoft.com/default...b;en-us;308402

  9. #19
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    We renamed the enterprise admin account a long time ago. Then applied a very random, long and complex password to it and locked it in a safe--just in case we have to recover the forest. Then we just don't use it. We really should change the password on this account periodically, though. However, we rename the thing again every now and then. Just to keep things interesting. We use two accounts. A personal one and an SA account. The personal is a normal account. The SA account is the one used to manage and make changes. Audit trail, you know.

    Yeah, the security by obscurity thing is the only reason for changing the local admin, or domain admin account names. It just makes it harder to write scripts that attack normal admin account names. Smart scripters will use LDAP or other methods to use the SID, which doesn't change.

    Your best bet is to create a good, long, complex password and then don't use the account, especially in a remote session.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides