Renaming W2K AD Administrator Account

Archived from groups: microsoft.public.win2000.security (More info?)

I have been told by our Auditors to rename the administrator account and
create another Administrator account with no privileges in its place.

We have 19 servers that log in as Administrator and have services that
use/run as the Administrator account.

Can anyone please let me have or suggest an order that I should tackle this
large change to our AD domain and the servers/services in it?

Thanks.
  1.

    Since a few places are not easily touched by central script in
    order to change the account in use, like scheduled tasks, hard
    coded runas, etc., you may find it most simple to define one or
    more new administrator accounts (if that level is appropriate
    and actually required) and use this (these) to replace the now
    existing over time. Then, when done you would be free to do
    the rename in GPO and create the dummy Administrator account.

    You may also want to ask them just what they believe this will
    accomplish. Doing as they recommend was pretty standard back
    in NT 4 days, but in a deeper analysis one most often finds that
    in a properly deployed/secured AD doing this does not really
    gain one much if anything.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Woodsy" <Woodsy@discussions.microsoft.com> wrote in message
    news:01E2FAA3-9542-4E54-B020-260522F2B229@microsoft.com...
    > I have been told by our Auditors to rename the administrator account and
    > create another Administrator account with no privileges in its place.
    >
    > We have 19 servers that log in as Administrator and have services that
    > use/run as the Administrator account.
    >
    > Can anyone please let me have or suggest an order that I should tackle this
    > large change to our AD domain and the servers/services in it?
    >
    > Thanks.
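    Before swapping accounts "over time" as suggested above, you need to know where the old account is actually referenced. The following PowerShell inventory is an added example, not code from the thread (which predates PowerShell); it assumes you have remote WMI/CIM and schtasks access to the hosts listed in a constructed servers.txt, and that "Administrator" is the account being retired.

    ```powershell
    # Added example: list every service and scheduled task on a set of servers whose
    # logon account is a named account, so each dependency can be moved to a new
    # admin account before the built-in one is renamed.
    # Assumes: current PowerShell with CIM/WMI and schtasks reachable on each host.
    $servers = Get-Content .\servers.txt      # constructed input: one hostname per line
    $account = 'Administrator'                 # account being retired

    # Match the SAM name whether it appears bare, as .\Administrator or DOMAIN\Administrator.
    $pattern = "(^|\\)$([regex]::Escape($account))$"

    $results = foreach ($server in $servers) {
        # Services: Win32_Service.StartName holds the service logon account.
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }
            }

        # Scheduled tasks: verbose CSV output from schtasks includes a 'Run As User' column
        # and works against older hosts that have no PowerShell task cmdlets.
        schtasks /query /s $server /v /fo csv 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.'Run As User' }
            }
    }

    # Review on screen and keep a CSV as the migration checklist.
    $results | Sort-Object Server, Type, Name | Format-Table -AutoSize
    $results | Export-Csv .\administrator-dependencies.csv -NoTypeInformation
    ```

    Hard-coded "runas" usage inside batch files and application configs will not show up here; grep those separately before the rename.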
  2.

    "Roger Abell" wrote:

    > You may also want to ask them just what they believe this will
    > accomplish. Doing as they recommend was pretty standard back
    > in NT 4 days, but in a deeper analysis one most often finds that
    > in a properly deployed/secured AD doing this does not really
    > gain one much if anything.

    All my study material says to do this to lessen the chance of a brute force
    attack on the administrator password since the account name is known to
    hackers. You probably shouldn't name the 'new' admin account admin or root
    either as those are popular too.

    I'm not sure why you'd leave the administrator account active though (even
    with minimal access/rights/permissions) unless the event log wouldn't log any
    irregularities if the account wasn't there.
  3.

    Roger Abell wrote:
    > Since a few places are not easily touched by central script in
    > order to change the account in use, like scheduled tasks, hard
    > coded runas, etc.. you may find it most simple to define one or
    > more new administrator accounts (if that level is appropriate
    > and actually required) and use this (these) to replace the now
    > existing over time. Then, when done you would be free to do
    > the rename in GPO and create the dummy Administrator account.
    >
    > You may also want to ask them just what they believe this will
    > accomplish. Doing as they recommend was pretty standard back
    > in NT 4 days, but in a deeper analysis one most often finds that
    > in a properly deployed/secured AD doing this does not really
    > gain one much if anything.
    >

    Agreed. Woodsy, renaming the administrator account
    is a fine idea; I do it on my systems.

    But it's really intended to be done -before- the
    machine goes into production. I would think it is
    probably a bit hazardous to try it all at once and
    not test. You can also make the dummy Administrator
    account an administrator (temporarily), and audit
    the account use for a week or so to be sure.

    Oh, and some applications you run may be hard coded
    to use the account -named- administrator, and fail
    if you do this.
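    The "audit the account use for a week" step above can be done from the Security log. This PowerShell summary is an added example, not from the thread; it assumes a current Windows host (logon event ID 4624 is the Vista-and-later event, Windows 2000 logged 528/540 instead), logon auditing enabled, and read access to the target server's Security log.

    ```powershell
    # Added example: summarise which workstations and processes still log on with a
    # named account over the last N days, so nothing is missed before the rename.
    # Assumes: Security log with logon auditing on, event ID 4624 (post-Vista).
    param(
        [string]$Account      = 'Administrator',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]   $Days         = 7
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['TargetUserName'] -ieq $Account) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                LogonType   = $d['LogonType']      # 2 interactive, 3 network, 4 batch/task, 5 service
                Workstation = $d['WorkstationName']
                SourceIP    = $d['IpAddress']
                Process     = $d['ProcessName']
            }
        }
    }

    # One line per distinct (logon type, source, process) combination, busiest first:
    # logon type 4 and 5 entries point at scheduled tasks and services still bound to the account.
    $rows | Group-Object LogonType, Workstation, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
    ```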
  4.

    "Les" <Les@discussions.microsoft.com> wrote in message
    news:3C85BF01-0215-4227-838C-A7A415D132E9@microsoft.com...
    > "Roger Abell" wrote:
    >
    > > You may also want to ask them just what they believe this will
    > > accomplish. Doing as they recommend was pretty standard back
    > > in NT 4 days, but in a deeper analysis one most often finds that
    > > in a properly deployed/secured AD doing this does not really
    > > gain one much if anything.
    >
    > All my study material says to do this to lessen the chance of a brute force
    > attack on the administrator password since the account name is known to
    > hackers. You probably shouldn't name the 'new' admin account admin or root
    > either as those are popular too.
    >
    > I'm not sure why you'd leave the administrator account active though (even
    > with minimal access/rights/permissions) unless the event log wouldn't log any
    > irregularities if the account wasn't there.

    Granted.

    Some ideas die hard once training texts latch onto them.

    Often the bigger threat is from inside, and one with an account
    for domain login and an infected machine can end up hammering
    authentication interfaces with all of the actual accounts. If it is
    just guess / blind attempts, this type of thing most commonly
    comes from machines without access to enumerate the accounts,
    which often means from outside - and these should really not
    be able to hammer on the most commonly programmed authentication
    interfaces.

    In any case, lockout seems to be falling out of favor due to its
    rather high expense when accounts do get locked. Instead,
    stronger methods for credential management are coming
    into play (two-factor forms, lengthy passphrases, etc.).

    I used to advocate renaming Administrator, defining a Junk
    group, defining a new Administrator account making its primary
    and only group membership be in Junk (which was used nowhere
    other than for this), and to then disable the account.

    I now question the value of doing this. Back then one could not
    disallow use of Administrator over the network as one now can.
    I also do not use the built-in Administrator account, but rather just
    hold it in reserve with a long, strong passphrase.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA