Have a look at passprop, that allows you to make the admin account subject to lockout. Whether you want to or not is another matter...
In my opinion, I like icing on cakes! :) At the very least someone has to make a conscious effort to find the admin account first. Kind regards Drew -----Original Message----- From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] Sent: 16 November 2005 03:02 To: Derick Anderson; [email protected] Subject: RE: Renaming Administrator account If you rename the domain administrator account, it is still the "administrator" account and is not subject to account lockout policies. This policy utilizes the administrator well known sid to determine the administrator account, not the name of the account. While it is security through obscurity, it will protect you against most worms that are in the wild that target the administrator account. Dennis -----Original Message----- From: Derick Anderson [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 15, 2005 4:21 PM To: [email protected] Subject: Renaming Administrator account A question for the list, inspired by the server hardening/break in threads: Is changing the Administrator account name really worthwhile or not? My largely unfounded, sparsely researched opinion is this: So far I haven't read a convincing argument for changing the name of the administrator account, and there's one reason I've chosen not to - account lockout policy. Only the domain Administrator account is exempt from lockout unless there's a special dispensation for Domain/Enterprise admins I don't know about. So choosing another account (and thus changing the SID) would take away the protection(?) against a DoS attack on the Administrator account. As for providing extra security, I believe it's security by obscurity. In order to access password-based systems, you have a set of public knowledge (username) and private knowledge (password): known * unknown = unknown, or in a (non)mathematical sense for brute force attacks, 1 * ? = ?. Now let's say you change the Administrator password, what have you gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the equation but not the outcome. I realize that changing the name prevents automated attacks but can't this be defeated by not allowing direct remote Administrator access? (no VPN account, no OWA account, servers locked up in a datacenter...) Basically what I'm asking is whether changing the account name is a fundamental princple or just icing on the cake. Derick Anderson ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
