
Thread: Users in Windows

  1. #11
    The ******* Shadow dalek (Join Date: Sep 2005; Posts: 1,564)
    Windows 2000 security checklist

    Disable the Guest Account
    Windows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7.
    Limit the number of unnecessary accounts
    Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc. Use group policies to assign permissions as needed, and audit your accounts regularly. These generic accounts are famous for having weak passwords (and lots of access) and are at the top of every hacker's list of accounts to crack first. This can be a big problem at larger companies with understaffed IT departments. An audit at a Fortune 10 company I worked for revealed that 3,000 of their 15,000 active user accounts were assigned to employees who no longer worked for the company. To make matters worse, we were able to crack the passwords on more than half of those inactive accounts.
    (having 2 sometimes is necessary)

    Create 2 accounts for Administrators
    I know this goes against the previous caveat, but this is the exception to the rule. Create one regular user account for your Administrators for reading mail and other common tasks, and a separate account (with a more aggressive password policy) for tasks requiring administrator privileges. Have your Administrators use the "Run As" command available with Windows 2000 to enable the access they need. This prevents malicious code from spreading through your network with admin privileges.
    Rename the Administrator Account
    Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them. Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherited or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin' in its name. Pick something that won't sound like it has rights to anything.
    Consider creating a dummy Administrator account
    Another strategy is to create a local account named "Administrator", then give that account no privileges and an impossible-to-guess 10+ digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrator account, enable auditing so you'll know when it is being tampered with.
    Replace the "Everyone" Group with "Authenticated Users" on file shares
    "Everyone", in the context of Windows 2000 security, means anyone who gains access to your network can access the data. Never assign the "Everyone" group access to a file share on your network; use "Authenticated Users" instead. This is especially important for printers, which have the "Everyone" group assigned by default.
    Read the rest of the article, maybe even print a copy off, if you want to establish some form of security on your network.....
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  2. #12

    Re: Users in Windows

    Originally posted here by Norrit
    Hey, I just started working with network security. I felt like I needed to after my computer got trashed about 3 weeks ago. One thing that I need to do is remove both the administrator and guest accounts from Windows. I've created separate accounts but when I try to remove either account it tells me that the account could not be removed.

    What am i doing wrong here?
    Well you can't remove the Administrator or guest accounts.

    The guest account can be disabled, not a problem there.

    The Administrator account has to be there, but you don't have to use it, just don't log in as Administrator, again not a problem.

    Make sure to give your personal account Admin rights or you won't be able to install any programs, change any settings, etc.

  3. #13

    Re: Users in Windows

    Originally posted here by Norrit
    Hey, I just started working with network security. I felt like I needed to after my computer got trashed about 3 weeks ago. One thing that I need to do is remove both the administrator and guest accounts from Windows. I've created separate accounts but when I try to remove either account it tells me that the account could not be removed.
    If no one has physical access to the computer and it is running Windows XP or Server 2003 (or later), the safest thing you can do is leave the administrator account password blank. To further restrict access to the administrator account (and any accounts using a blank password), you can enable the group policy to allow only console login access for accounts with blank passwords. This means only someone physically sitting at the PC can get into it. Really, the setting is sort of redundant, but it never hurts.
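A read-only audit that checks a local machine against the checklist quoted in #11 and the blank-password console-only policy mentioned in #13. This is an added example, not code from the thread or from the article it quotes; it assumes Windows PowerShell 5.1 or later with the LocalAccounts and SmbShare modules (Windows 8.1 / Server 2012 R2 and up), an elevated session, and an assumed staleness threshold of 90 days.

```powershell
# Added example, not code from the thread or the quoted article: read-only audit of a
# local machine against the checklist above plus the blank-password console-only policy.
# Assumes Windows PowerShell 5.1 or later with the LocalAccounts and SmbShare modules
# (Windows 8.1 / Server 2012 R2 and up); run elevated. $staleDays is an assumed threshold.

$staleDays = 90
$findings  = @()
$users     = Get-LocalUser

# 1. Guest (RID 501) must be disabled.
$guest = $users | Where-Object { $_.SID.Value -like '*-501' }
if ($guest -and $guest.Enabled) { $findings += "Guest account '$($guest.Name)' is enabled" }

# 2. Built-in Administrator (RID 500) should carry a name that does not hint at its rights.
$builtinAdmin = $users | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin.Name -match 'admin') {
    $findings += "Built-in Administrator is still named '$($builtinAdmin.Name)'"
}

# 3. A decoy named 'Administrator' (any RID but 500) must not sit in the Administrators group.
$decoy = $users | Where-Object { $_.Name -eq 'Administrator' -and $_.SID.Value -notlike '*-500' }
if ($decoy) {
    $adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value
    if ($adminSids -contains $decoy.SID.Value) { $findings += "Decoy 'Administrator' is in Administrators" }
}

# 4. Enabled accounts that never logged on, or not within $staleDays, are removal candidates.
$cutoff = (Get-Date).AddDays(-$staleDays)
$users | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    ForEach-Object { $findings += "Enabled account '$($_.Name)' last logged on: $($_.LastLogon)" }

# 5. Non-administrative shares that grant anything to Everyone.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $findings += "Share '$($share.Name)' allows $($_.AccessRight) to Everyone" }
}

# 6. "Limit local account use of blank passwords to console logon only" (LimitBlankPasswordUse = 1).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse `
       -ErrorAction SilentlyContinue
if ($lsa.LimitBlankPasswordUse -ne 1) { $findings += 'Blank-password accounts are usable over the network' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Share-level permissions are only half the picture; NTFS permissions on the shared folder still need to be reviewed separately.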

  4. #14
    Nokia (Join Date: Aug 2003; Location: Button Moon; Posts: 1,696)
    Bear in mind though that accounts with no passwords associated with them cannot be used over a network, so only use this method if you have a stand-alone box!

    There is a very informative chat session here with MS representatives all about Windows passwords.

    Further reading about passwords, how they are stored and used, etc.

    I never knew this:

    "Using Unicode Characters in ALT Key Combinations

    Most users should have no problem finding pass phrases that they can easily remember, but for particularly sensitive accounts such as those with domain administrator privileges it is highly recommended that Unicode characters are included in the passwords using ALT key combinations. These are characters that do not appear on standard U.S. keyboards. You enter them by holding down the ALT key (or the FN and the ALT key on most laptop computers) and typing a three- or four-digit number on the numeric keypad (the numeric overlay keypad on a laptop computer).

    The use of these types of characters greatly strengthens passwords in two ways: First, password cracking tools are often unable to test the vast majority of these types of characters. Second, the use of these characters greatly increases the range of characters that may appear in your password, which strengthens the potential complexity of the password by many orders of magnitude. When using ALT key combinations it is very important that you remember the leading zero, if present, because leaving the zero off results in a different character. For example, ALT+128 is Ç, while ALT+0128 is €. The rest of this section focuses on four-digit codes, which access the entire Unicode character set, and ignores the three-digit codes, which only access the extended ASCII character set.

    The following table lists the numerical values that can be used as ALT key combinations. Recommended values are between 0128 and 1024. Each cell in the table below shows either a single value or a range of values. For example, the first cell shows "0128-0159." This means that you could use any value between 0128 and 0159, such as ALT+0135, which corresponds to the Unicode character "‡"."
