I would disagree with this. Several of the last worms that I had to deal
with were doing lookups against the SAM to find out what to attack. In fact
MUMU was enumerating the administrators group and attacking all local ids in
that group specifically. Luckily they weren't attacking anything but what
was local so the domains stayed up. Had the worm been going after all
security principals I would hate to have seen how hard that would have hit
the domain infrastructure. As it were, it was only a matter of hitting the
couple of domain admin IDs on the DCs and that only when they were
specifically attacked directly. 

Renaming things that have the name owner and administrator is good because
there are specific worms/viruses that attack those names, but I wouldn't do
it for any security reason. It would be for system resources: if the name
doesn't exist, it is quicker for the system to say "doesn't exist, go away"
versus having to go and actually check the password and go through the lockout
process when that limit gets hit, etc.


  joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

You could argue that. But, if you consider the fact that most hackwares and
viruses/trojans that carry their own account/password dictionaries don't do
SID enumeration, you'd understand the significance of renaming the accounts.
Because they don't do SID enumeration/translation, these hackwares are
useless against your infrastructure because they just go through looking for
accounts named "Administrator" or "admin" or "root" and similar. If they
don't find one, they move on.
 
Unless you are a direct target of concentrated hack/crack attempts, it's not
common for SID translation to be done.
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account



Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH

________________________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing or
assigning permissions, but this is how it appears to you.

Tony
---------- Original Message ----------------------------------
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
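
An added illustration of the point made in Tony Murray's reply above (admin tools resolve the SID to the friendly name), not code from any poster in the thread: it stores the permission standard from the original question as binary SIDs, renames the domain Administrator, and shows that only the displayed name changes while an audit keyed on the well-known RID 500 still finds the account. The machine and domain sub-authorities and the names PC01, CORP and svc-ops are constructed for the example.

```python
import struct

def build_sid(authority, *subs):
    """Pack a SID the way it is stored inside an ACE (revision 1)."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_sid(raw):
    """Decode a binary SID to its S-1-... string form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S-1", str(authority)] + [str(s) for s in subs])

def is_builtin_admin(sid):
    """True for the built-in Administrator of a machine or domain (RID 500)."""
    parts = sid.split("-")
    return parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8 and parts[-1] == "500"

# Constructed identifiers (assumptions, not values from the thread).
LOCAL = (21, 1111111111, 2222222222, 3333333333)
DOMAIN = (21, 1234567890, 987654321, 135792468)

# The standard from the question: Full Control for Local Admin, Domain Admin
# and System; Modify for Everyone. The ACL holds SIDs, never names.
ACL = [(build_sid(5, *LOCAL, 500), "Full Control"),
       (build_sid(5, *DOMAIN, 500), "Full Control"),
       (build_sid(5, 18), "Full Control"),
       (build_sid(1, 0), "Modify")]

def display(acl, directory):
    """What a permissions dialog does: look up each stored SID's current name."""
    return [(directory.get(parse_sid(raw), parse_sid(raw)), rights)
            for raw, rights in acl]

def demo():
    directory = {parse_sid(ACL[0][0]): "PC01\\Administrator",
                 parse_sid(ACL[1][0]): "CORP\\Administrator",
                 "S-1-5-18": "NT AUTHORITY\\SYSTEM",
                 "S-1-1-0": "Everyone"}
    before = display(ACL, directory)
    directory[parse_sid(ACL[1][0])] = "CORP\\svc-ops"  # rename: ACL bytes untouched
    after = display(ACL, directory)
    flagged = [name for (name, _), (raw, _) in zip(after, ACL)
               if is_builtin_admin(parse_sid(raw))]
    return before, after, flagged

if __name__ == "__main__":
    for row in demo():
        print(row)
```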





