  1. #1
    Kyle's Avatar

    Renaming the administrator account, pros and cons

    I know Microsoft recommends renaming the administrator account for obvious reasons. What I want to know and clear up (no Microsoft training ever):

    A procedure to rename the account,
    how it works,
    pros and cons

    Please keep this basic for me, please.

  2. #2
    ChrisH's Avatar

    Well the biggest pro is that it is a different name and takes some work to find rather than just having administrator to start with, which is the obvious one you have stated. I have seen a script also that renames the local administrator account and changes its description. It then recreates an administrator account with the right description but puts it in a normal group.

  3. #3
    alan-d's Avatar

    I may be wrong but I think the procedure is the same as renaming a user account. Test it first.

    This is copied from the 2003 manual;

    Find the user account that you want to rename in Active Directory Users And
    Computers.
    Right-click the user account and then select Rename. Active Directory Users And
    Computers then highlights the account name for editing. Press Backspace or Delete to
    erase the existing name and then press Enter to open the Rename User dialog box.
    Make the necessary changes to the user’s name information and then click OK. If the
    user is logged on, you’ll see a warning prompt telling you that the user should log off
    and then log back on using the new account logon name.

    The account is renamed and the SID for access permissions remains the same. You
    may still need to modify other data for the user in the account properties dialog box,
    including the following:
    User Profile Path—As necessary change the Profile Path on the Profile tab, and
    then rename the corresponding directory on disk.
    Logon Script Name—If you use individual logon scripts for each user, change the
    Logon Script Name on the Profile tab, and then rename the logon script on disk.
    Home Folder—As necessary change the home folder path on the Profile tab, and
    then rename the corresponding directory on disk.


    Pros - system is more secure as the account is not as visible to the hacker.
    Cons - You have to remember what it is

  4. #4

    Dos_Box's Avatar

    Cons. Lot of other stuff hangs off the admin account and will stop working the minute you re-name it and change its password.

  5. #5


    Also you can just use common knowledge to find the account; a scripted example from Microsoft demonstrates this.

  6. #6

    Geoff's Avatar

    Security through obscurity is no security at all.

    http://en.wikipedia.org/wiki/Security_through_obscurity

  7. #7

    Michael's Avatar

    I agree with Dos_Box that there are services or applications which rely on the administrator account, but in my experience, re-installing these applications after re-naming the administrator account should resolve any problems.

    By default every Windows Server has an administrator account named "administrator". Thinking about it logically, not renaming the account means that an intruder is already 50% of the way, as now they only have to guess your password. Renaming the administrator account and enforcing strong password policies in AD will make it much more difficult to crack.

    Believe me, I've seen many Primary schools with servers set up with default administrator accounts and the password is "password". Terrible from a security point of view.

    @E1uSiV3 - I presume this script has to be run locally on the machine? I know that physical security of servers is covered by LEA policies. Unless you have physical access to a machine, it should be near impossible to obtain the administrator username and password. I guess if intruders are really that determined they'll get in, but for most, an easier target would probably be in the intruder's sights.

  8. #8


    Quote Originally Posted by Geoff
    Security through obscurity is no security at all.

    http://en.wikipedia.org/wiki/Security_through_obscurity
    Agreed but the more obstacles you can put in the way of crackers the better. Strength in depth so you wouldn't just stop at renaming the admin account you would also create a dummy account called 'administrsator' with minimal powers. Sure the l33t hak3r5 would see through it but it will keep the wannabes guessing

  9. #9


    Quote Originally Posted by Dos_Box
    Cons. Lot of other stuff hangs off the admin account and will stop working the minute you re-name it and change its password.
    As I once found out, it breaks lots of stuff. I find it's best to do it on server setup, not once it's been in production.

  10. #10

    Dos_Box's Avatar

    It's all legacy too. If you take over an old network, changing the administrator account in any way is almost guaranteed to break lots of things which have been set over the years.
    I think the rule of thumb should be:

    *If you didn't set up the network then don't change the administrator account*

  11. #11
    petectid's Avatar

    Quote Originally Posted by Dos_Box
    Cons. Lot of other stuff hangs off the admin account and will stop working the minute you re-name it and change its password.
    Surely everything should run under either the Local System Account, the NT Authority\LocalService or NT Authority\NetworkService, or an account which is set up to be used by a particular service like a virus update package. If your server is new then would any service be using the administrator account to log on? If so you could simply change the logon details for the service.

  12. #12

    Geoff's Avatar

    Quote Originally Posted by NetworkGeezer
    Agreed but the more obstacles you can put in the way of crackers the better.
    Agreed, but renaming the admin account isn't an obstacle. It (was) standard practice in NT4 days so it's one of the first things a hacker would test for.

    Quote Originally Posted by NetworkGeezer
    Strength in depth so you wouldn't just stop at renaming the admin account you would also create a dummy account called 'administrsator' with minimal powers.
    Querying AD, LDAP, RPC, or various other fun things allows you to see right through this in seconds. Plus, you need to be able to spell 'Administrator' for this technique to be effective.

    Sure the l33t hak3r5 would see through it but it will keep the wannabes guessing
    Shannon's maxim explains why this doesn't work quite eloquently.

    "The enemy knows the system"

    Also, consider the average 'l33t hak3r' is attending the school for seven years. Giving plenty of time for them to 'know the system'.

    Personally, I follow the following best practices:

    1. Apply software patches regularly. Security fixes ASAP.
    2. Run Antispyware and Antimalware software on all hosts.
    3. Use host based firewalls.
    4. Use a perimeter firewall.
    5. Use a network IDS.
    6. Do not use any unencrypted authentication mechanisms.
    7. Do not use any unauthenticated mail or proxy systems.
    8. Use physical security to augment any software based security.
    9. Disable unnecessary services.

  13. #13
    sahmeepee's Avatar

    We've renamed the admin account on all our servers (at install time) with no problems. I'd think all Microsoft stuff will reference the domain admins group or the Administrator's SID (the user part of the SID is always the same for the builtin administrator)
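
An added example, not part of the original thread: a read-only PowerShell check for two points raised in the posts above, namely that the built-in administrator keeps its well-known SID after a rename, and that things configured to run as that account can break. It assumes a member server or workstation with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later) and looks at local accounts only.

```powershell
# Added example: read-only pre-rename audit of the built-in local Administrator.
# Run in an elevated Windows PowerShell 5.1+ session on the host being checked.

# The built-in Administrator always has RID 500, whatever it is called,
# so select it by SID pattern instead of by name.
$builtin = Get-LocalUser |
    Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }

[pscustomobject]@{
    CurrentName     = $builtin.Name
    Sid             = $builtin.SID.Value
    Renamed         = $builtin.Name -ne 'Administrator'
    Enabled         = $builtin.Enabled
    PasswordLastSet = $builtin.PasswordLastSet
}

# A different account that now carries the default name is a decoy.
# It must not be a member of the local Administrators group (S-1-5-32-544).
$adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
Get-LocalUser |
    Where-Object { $_.Name -eq 'Administrator' -and $_.SID.Value -ne $builtin.SID.Value } |
    Select-Object Name, Enabled,
        @{ n = 'InAdministrators'; e = { $adminSids -contains $_.SID.Value } }

# Services and scheduled tasks set to run as the account may refer to it
# by name; review these before renaming it or changing its password.
$pattern = '(^|\\)' + [regex]::Escape($builtin.Name) + '$'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, StartName, State
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```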

  14. #14



    This really is a waste of time, you'd need to disguise all the admin groups as well to be effective. Like previous post says, grepping LDAP will reveal all sorts of info about users and groups; it's trivial and doesn't require any leetness.

  15. #15


    @Geoff: All good stuff though you could have added: 0. Use Strong Passwords

    Do you run antispyware on your servers? Personally I never surf while logged in as domain admin or other interactive server account.

    The point about authentication mechanisms is good but is not always possible in a heterogeneous environment where you have legacy NAS, say, using NTLM.

    The spelling lesson was below the belt but I'll let it pass. I don't want this to degenerate into handbags at dawn.
