Renaming W2K AD Administrator Account

Anonymous
March 16, 2005 7:57:37 AM

Archived from groups: microsoft.public.win2000.security

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

We have 19 servers that log-in as Administrator and have services that
use/run as the Administrator account.

Can anyone please let me have or suggest an order that I should tackle this
large change to our AD domain and the servers/services in it?

Thanks.
Anonymous
March 16, 2005 9:57:05 AM


Since a few places are not easily touched by central script in
order to change the account in use, like scheduled tasks, hard
coded runas, etc., you may find it most simple to define one or
more new administrator accounts (if that level is appropriate
and actually required) and use this (these) to replace the now
existing over time. Then, when done you would be free to do
the rename in GPO and create the dummy Administrator account.

You may also want to ask them just what they believe this will
accomplish. Doing as they recommend was pretty standard back
in NT 4 days, but in a deeper analysis one most often finds that
in a properly deployed/secured AD doing this does not really
gain one much if anything.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Woodsy" <Woodsy@discussions.microsoft.com> wrote in message
news:01E2FAA3-9542-4E54-B020-260522F2B229@microsoft.com...
> I have been told by our Auditors to rename the administrator account and
> create another Administrator account with no privileges in its place.
>
> We have 19 servers that log-in as Administrator and have services that
> use/run as the Administrator account.
>
> Can anyone please let me have or suggest an order that I should tackle this
> large change to our AD domain and the servers/services in it?
>
> Thanks.
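The first step Roger describes is finding every place that still runs as the built-in account before any of it is moved. The script below is an added example, not part of the thread, that builds that inventory for a list of servers by reading each service's logon account (Win32_Service.StartName) and each scheduled task's "Run As User" column from schtasks. It assumes current Windows hosts reachable over CIM/WinRM; the server names are placeholders.

```powershell
# Added example (not from the thread): list services and scheduled tasks that
# run under the account named "Administrator" on each server, so each one can
# be moved to a new named admin account before the built-in account is renamed.
# Assumes: remote CIM access works, schtasks can query the remote host,
# and $Servers holds placeholder names to be replaced with your own.

$Servers   = @('SERVER01', 'SERVER02')   # placeholder server names
$AdminName = 'Administrator'

$Findings = foreach ($Server in $Servers) {
    # Services: StartName is "DOMAIN\user", ".\user", or a built-in such as LocalSystem
    try {
        $Services = Get-CimInstance -ClassName Win32_Service -ComputerName $Server -ErrorAction Stop
    } catch {
        Write-Warning "Could not query services on ${Server}: $($_.Exception.Message)"
        $Services = @()
    }
    foreach ($Svc in $Services) {
        # Compare only the user part, so both DOMAIN\Administrator and .\Administrator match
        if ($Svc.StartName -and ($Svc.StartName -split '\\')[-1] -ieq $AdminName) {
            [pscustomobject]@{ Server = $Server; Kind = 'Service'; Name = $Svc.Name; RunAs = $Svc.StartName }
        }
    }

    # Scheduled tasks: verbose CSV output carries a "Run As User" column per task
    $Tasks = schtasks /Query /S $Server /FO CSV /V 2>$null | ConvertFrom-Csv
    foreach ($Task in $Tasks) {
        $RunAs = $Task.'Run As User'
        if ($RunAs -and ($RunAs -split '\\')[-1] -ieq $AdminName) {
            [pscustomobject]@{ Server = $Server; Kind = 'ScheduledTask'; Name = $Task.TaskName; RunAs = $RunAs }
        }
    }
}

# Review on screen and keep a record to tick off as each dependency is re-pointed
$Findings | Sort-Object Server, Kind, Name | Format-Table -AutoSize
$Findings | Export-Csv -Path .\admin-dependencies.csv -NoTypeInformation
```

Hard-coded "runas" inside application configuration, which Roger also mentions, will not show up here; the CSV is a starting checklist, not a guarantee that nothing else depends on the name.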
March 16, 2005 5:19:02 PM


"Roger Abell" wrote:

> You may also want to ask them just what they believe this will
> accomplish. Doing as they recommend was pretty standard back
> in NT 4 days, but in a deeper analysis one most often finds that
> in a properly deployed/secured AD doing this does not really
> gain one much if anything.

All my study material says to do this to lessen the chance of a brute force
attack on the administrator password since the account name is known to
hackers. You probably shouldn't name the 'new' admin account admin or root
either as those are popular too.

I'm not sure why you'd leave the administrator account active though (even
with minimal access/rights/permissions) unless the event log wouldn't log any
irregularities if the account wasn't there.
Anonymous
March 16, 2005 5:29:03 PM


Roger Abell wrote:
> Since a few places are not easily touched by central script in
> order to change the account in use, like scheduled tasks, hard
> coded runas, etc., you may find it most simple to define one or
> more new administrator accounts (if that level is appropriate
> and actually required) and use this (these) to replace the now
> existing over time. Then, when done you would be free to do
> the rename in GPO and create the dummy Administrator account.
>
> You may also want to ask them just what they believe this will
> accomplish. Doing as they recommend was pretty standard back
> in NT 4 days, but in a deeper analysis one most often finds that
> in a properly deployed/secured AD doing this does not really
> gain one much if anything.
>

Agreed. Woodsy, renaming the administrator account
is a fine idea; I do it on my systems.

But it's really intended to be done -before- the
machine goes into production. I would think it is
probably a bit hazardous to try it all at once and
not test. You can also make the dummy Administrator
account an administrator (temporarily), and audit
the account use for a week or so to be sure.

Oh, and some applications you run may be hard coded
to use the account -named- administrator, and fail
if you do this.
Anonymous
March 17, 2005 1:23:27 AM


"Les" <Les@discussions.microsoft.com> wrote in message
news:3C85BF01-0215-4227-838C-A7A415D132E9@microsoft.com...
> "Roger Abell" wrote:
>
> > You may also want to ask them just what they believe this will
> > accomplish. Doing as they recommend was pretty standard back
> > in NT 4 days, but in a deeper analysis one most often finds that
> > in a properly deployed/secured AD doing this does not really
> > gain one much if anything.
>
> All my study material says to do this to lessen the chance of a brute force
> attack on the administrator password since the account name is known to
> hackers. You probably shouldn't name the 'new' admin account admin or root
> either as those are popular too.
>
> I'm not sure why you'd leave the administrator account active though (even
> with minimal access/rights/permissions) unless the event log wouldn't log any
> irregularities if the account wasn't there.

Granted.

Some ideas die hard once training texts latch onto them.

Often the bigger threat is from inside, and one with an account
for domain login and an infected machine can end up hammering
authentication interfaces with all of the actual accounts. If it is
just guess / blind attempts, this type of thing most commonly
comes from machines without access to enumerate the accounts,
which often means from outside - and these should really not
be able to hammer on the most commonly programmed authentication
interfaces.

In any case, lockout seems to be falling out of favor due to its
rather high expense when accounts do get locked. Instead,
stronger methods for credential management are coming
into play (two factor forms, lengthy passphrases, etc.).

I used to advocate renaming Administrator, defining a Junk
group, defining a new Administrator account making its primary
and only group membership be in Junk (which was used nowhere
other than for this), and to then disable the account.

I now question the value of doing this. Back then one could not
disallow use of Administrator over the network as one now can.
I also do not use the built-in Administrator account, but rather just
hold it in reserve with a long, strong passphrase.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA