I was going to mention passprop, as well, but it does have some issues such as a bit of flakiness if you use the NT4 version of it on a post-NT system, and the Win2K version is buried in a .cab file in the reskit for Win2K. Also, of course, passprop only allows for over-the-network Administrator account lockout; the account can still log on locally to DCs regardless.
Of course, this all leads me to want to discuss the pros and cons of account lockout policies themselves, but I don't have enough time right now to be all locquacious and brilliant and starting big long philosophical discussions. :-) Laura > -----Original Message----- > From: Dubber, Drew B [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 16, 2005 11:07 AM > To: Derick Anderson; [email protected] > Subject: RE: Renaming Administrator account > > Have a look at passprop, that allows you to make the admin > account subject to lockout. Whether you want to or not is > another matter... > > In my opinion, I like icing on cakes! :) At the very least > someone has to make a conscious effort to find the admin > account first. > > Kind regards > Drew > > -----Original Message----- > From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] > Sent: 16 November 2005 03:02 > To: Derick Anderson; [email protected] > Subject: RE: Renaming Administrator account > > If you rename the domain administrator account, it is still > the "administrator" account and is not subject to account > lockout policies. > This policy utilizes the administrator well known sid to > determine the administrator account, not the name of the > account. While it is security through obscurity, it will > protect you against most worms that are in the wild that > target the administrator account. > > Dennis > > -----Original Message----- > From: Derick Anderson [mailto:[EMAIL PROTECTED] > Sent: Tuesday, November 15, 2005 4:21 PM > To: [email protected] > Subject: Renaming Administrator account > > A question for the list, inspired by the server hardening/break in > threads: > > Is changing the Administrator account name really worthwhile > or not? My largely unfounded, sparsely researched opinion is this: > > So far I haven't read a convincing argument for changing the > name of the administrator account, and there's one reason > I've chosen not to - account lockout policy. Only the domain > Administrator account is exempt from lockout unless there's a > special dispensation for Domain/Enterprise admins I don't > know about. So choosing another account (and thus changing > the SID) would take away the protection(?) against a DoS > attack on the Administrator account. > > As for providing extra security, I believe it's security by obscurity. > In order to access password-based systems, you have a set of > public knowledge (username) and private knowledge (password): > known * unknown = unknown, or in a (non)mathematical sense > for brute force attacks, 1 * ? > = ?. Now let's say you change the Administrator password, > what have you gotten? Unknown * unknown = unknown, or ? * ? = > ?. You've changed the equation but not the outcome. I realize > that changing the name prevents automated attacks but can't > this be defeated by not allowing direct remote Administrator > access? (no VPN account, no OWA account, servers locked up in > a datacenter...) > > Basically what I'm asking is whether changing the account > name is a fundamental princple or just icing on the cake. > > Derick Anderson > > > > -------------------------------------------------------------- > ---------- > --- > -------------------------------------------------------------- > ---------- > --- > > > -------------------------------------------------------------- > ---------- > --- > -------------------------------------------------------------- > ---------- > --- > > > -------------------------------------------------------------- > ------------- > -------------------------------------------------------------- > ------------- > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
