Inline...

> -----Original Message-----
> From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 16, 2005 12:43 PM
> To: 'Dubber, Drew B'; Derick Anderson; focus-ms@securityfocus.com
> Subject: RE: Renaming Administrator account
>
> Yes.
>
> Therefore, if you have your DCs in a secure site and still
> allow TS access to them, then you don't really have them in a
> secure site, at least as it pertains to locking out the
> Administrator account. This is why Win2K3 allows you to just
> disable the darned thing altogether. It's a lot easier than
> going through all the bending and twisting required to make
> your Administrator account actually "lockout-able". I made
> that word up. :-)

Surely you can remove the Administrator/Administrators group from TS access using Group Policy? It's standard practice on Linux machines to disable root login for SSH; the same principle would apply here, I suppose. I ask because while we don't allow Administrator VPN access (or OWA, for that matter), we do allow it for Terminal Services. TS isn't available from the Internet, though - I don't care what its service record has been, there's not a chance that port is getting opened up.

I can understand why someone might want to be able to lock out the Administrator account, but isn't it a potential DoS if I can lock out EVERY account in the domain? How (besides a restart in DSR mode) could control be regained of the system? Personally, I'm glad Administrator can't get locked out - I'm sure someone would have done it already.

> By the way, if you copy the Administrator account, the copied
> account *is* subject to account lockout policies.
>
> Laura
>

Which would make it subject to our rather severe 5-attempt lockout policy, enacted as the result of a SAS70 audit for the overly curious. With a couple of sysadmins and a very complex password, it wouldn't be too long before someone hit the limit (which is cleared once a day). I suppose the answer will be, "It depends on your particular situation..." =)

Derick Anderson
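An added audit script, not part of the thread, that checks the three things this exchange turns on for one Windows host: whether the built-in Administrator (RID 500, whatever it has been renamed to) is disabled, what the effective lockout threshold is, and whether BUILTIN\Administrators is in the "Deny log on through Terminal Services" user right (later named Remote Desktop Services). It assumes an elevated PowerShell 5.1+ prompt on a member server or workstation (Get-LocalUser is not available on a DC) and writes a temporary secedit export under $env:TEMP.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 5.1+
# session on a member server/workstation, not a domain controller.

function Get-BuiltinAdminState {
    # The RID-500 account keeps its SID no matter what it is renamed to,
    # so match on the SID rather than on the name "Administrator".
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Enabled, SID
}

function Get-LockoutThreshold {
    # 'net accounts' prints the effective account policy for this machine,
    # e.g. "Lockout threshold: 5" or "Lockout threshold: Never".
    $line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    if ($line -match ':\s*(.+)$') { $Matches[1].Trim() } else { 'unknown' }
}

function Test-AdminsDeniedRdp {
    # Export the local security policy and read the user right behind
    # "Deny log on through Terminal Services" (SeDenyRemoteInteractiveLogonRight).
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $right = Get-Content $cfg |
        Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return [bool]($right -and ($right -match 'S-1-5-32-544'))
}

$admin = Get-BuiltinAdminState
"Built-in Administrator: {0} (enabled: {1})" -f $admin.Name, $admin.Enabled
"Lockout threshold: {0}" -f (Get-LockoutThreshold)
"Administrators denied TS/RDP logon: {0}" -f (Test-AdminsDeniedRdp)
```

A host where the first line shows `enabled: True`, the second a finite threshold, and the third `False` is in exactly the state Laura describes: the one account that cannot be locked out is the one still reachable over TS.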