I concur. You definitely want to rename and implement account lockout (detective control, audit requirement) to see if anything or anyone is trying to utilize a local admin account which is not uniquely tied back to an entity which can be properly identified and authenticated and authorized. Again, both PCI and HIPAA regulations speak of this aspect, therefore it's a good practice to make sure nobody is using those accounts and that auditing of the actions done by those accounts should raise suspicion and be addressed.

Z
Edward E. Ziots
Senior Informational Security Engineer
CISSP, Security+, Network+

Subject: Re: GPO reset of local non-builtin accounts
From: cato.rob...@gmail.com
Date: Thu, 5 Jan 2012 11:53:28 -0500
To: ntsysadmin@lyris.sunbelt-software.com

The SID is the same for the built-in local administrator account, even if it is renamed. It is best to rename and disable the account if possible. These steps are like any security implementation (lock), they keep the honest people honest.

Robert

On Jan 5, 2012, at 9:54 AM, Cameron <cameron.orl...@gmail.com> wrote:

Re #2....why would you disable the local admin account and create a new one instead of just renaming the local admin account?

On Wed, Jan 4, 2012 at 6:04 PM, James Hill <falc...@gmail.com> wrote:

1. You’d still have a local admin account. I prefer to use restricted groups GPO so that it forces the local admin memberships.
2. Yes, not sure how really effective it is though apart from being one more step to take when attempting a breach.

From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, 5 January 2012 8:18 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Good suggestion. Questions:
1. If you need to log on locally and the domain is unavailable (it happens), how do you log in?
2. Isn’t it best practice to disable the builtin admin account and use a new local admin account with a different name?
IIRC #2 was suggested practice years ago (I can’t remember from where).

Dave

From: ed ziots [mailto:ezi...@hotmail.com]
Sent: Wednesday, January 04, 2012 1:37 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

You can use cusrmgr.exe from the Windows 2000 Resource kit tools to script out the GPO changes. Better yet, as mentioned earlier it would be best to control who is in your local administrators to domain based accounts that are added by GPO/GPP and remove any others from those privileged groups. HTH,

Sincerely,
EZ

Edward E. Ziots
Senior Informational Security Engineer
CISSP, Security+, Network+

> From: kennedy...@elyriaschools.org
> To: ntsysadmin@lyris.sunbelt-software.com
> Date: Wed, 4 Jan 2012 13:39:08 -0500
> Subject: RE: GPO reset of local non-builtin accounts
>
> Then convert it to an exe or encrypt it to help keep prying eyes out of it.
>
> http://www.abyssmedia.com/quickbfc/
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Sent: Wednesday, January 04, 2012 1:37 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Try:
>
> net user localuser n3wP@ssw0rd
>
> --Matt Ross
> Ephrata School District
>
> ----- Original Message -----
> From: David Lum [mailto:david....@nwea.org]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Wed, 04 Jan 2012 10:27:38 -0800
> Subject: RE: GPO reset of local non-builtin accounts
>
> > Ohh..do tell - have a script handy that I can modify?
> >
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Wednesday, January 04, 2012 10:21 AM
> > To: NT System Admin Issues
> > Subject: RE: GPO reset of local non-builtin accounts
> >
> > Startup/boot script?
> >
> > Regards,
> >
> > Michael B. Smith
> > Consultant and Exchange MVP
> > http://TheEssentialExchange.com
> >
> > From: David Lum [mailto:david....@nwea.org]
> > Sent: Wednesday, January 04, 2012 1:14 PM
> > To: NT System Admin Issues
> > Subject: GPO reset of local non-builtin accounts
> >
> > Is there a way to GPO a password change of added-in local machine
> > accounts if the account is the same across all systems? I can do it
> > easily enough with the BuiltIn ones, but see no GPO way to do added ones.
> >
> > David Lum
> > Systems Engineer // NWEATM
> > Office 503.548.5229 // Cell (voice/text) 503.267.9764
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
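
Added example, not written by any participant in this thread: a PowerShell audit that follows the two points raised above, namely that the built-in local administrator keeps the same SID suffix (RID 500) after a rename, and that use of local admin accounts should be audited. It assumes Windows PowerShell 5.1 or later, an elevated session, an English default account name of `Administrator`, and a 7-day review window chosen for illustration.

```powershell
# Added example: audit the built-in local Administrator and local admin membership.
# Run elevated; reading the Security log requires administrative rights.

# 1. Locate the built-in account by its well-known RID (500), not by its name.
#    A rename changes Name but never the SID.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    CurrentName     = $builtin.Name
    Renamed         = $builtin.Name -ne 'Administrator'   # assumes English default name
    Enabled         = $builtin.Enabled
    PasswordLastSet = $builtin.PasswordLastSet
    LastLogon       = $builtin.LastLogon
}

# 2. List members of BUILTIN\Administrators (S-1-5-32-544) that are local accounts
#    rather than domain principals pushed by GPO/GPP.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    Select-Object Name, SID, ObjectClass

# 3. Successful logons (event 4624) by the RID-500 account in the review window.
$since = (Get-Date).AddDays(-7)   # illustrative window
$sid   = $builtin.SID.Value
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserSid']='$sid']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since } |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable for easy lookup.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
```

Any row returned by step 3 is a logon by an account that is not tied to an individual, which is the condition the thread says should be investigated.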