  #1 tosca925

    Renaming the Administrator Account

    I have just read the below from a Microsoft book. I quite understand it all, but I have one question: if it is done like this, do you still need to check all the services on the server that run as Administrator and make sure you change the passwords?


    Using GPMC

    It's always a good practice to rename the Administrator account because any account with that name is a target for hackers and other pests. When renaming the account, avoid obvious names such as admin, boss, or root. Even the dumbest hacker can figure those out in no time.

    To rename the Administrator account, complete the following steps:

    1. Select Group Policy Management from the Administrative Tools menu.
    2. In the console tree, right-click your domain name and select Create And Link A GPO Here from the shortcut menu (Figure 10-27).
       Figure 10-27. Creating a new GPO (Group Policy Object).
    3. In the New GPO dialog box, type Rename Administrator Account. Click OK.
    4. In the console tree, expand the Group Policy Objects container.
    5. In the details pane, right-click the new Rename Administrator Account GPO, and select Edit (Figure 10-28) to launch the Group Policy Object Editor.
       Figure 10-28. Right-clicking the new policy to edit it.
    6. In the Group Policy Object Editor console tree, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Security Options.
    7. In the details pane, double-click Accounts: Rename Administrator Account.
    8. In the Security Policy Setting dialog box (Figure 10-29), select the check box to define this policy setting and type the new name for the Administrator account. Click OK.
       Figure 10-29. Changing the name of the Administrator account.
    9. Close the Group Policy Object Editor and the Group Policy Management Console. Log off and log back on using the new name for the Administrator account.

    To rename the account back to Administrator, don't disable the policy. Just return to the Security Policy Setting dialog box for the Accounts: Rename Administrator Account policy and type Administrator.



    Sorry if this has been asked before (it may even have been me who asked), but after reading this today I thought I would share it with you.

  #2 Geoff

    Re: Renaming the Administrator Account

    Meaningless. You can still enumerate the Domain Admins group and discover the admin account and/or look it up via its SID.

  #3 Dos_Box

    Re: Renaming the Administrator Account

    Agreed, coupled with the problem of programs that have got tied into the admin account on established domains suddenly going tits-up once it gets renamed. It's easier to whack a large, secure password on the account and then create a custom admin account for everyday use.

  #4 sahmeepee

    Re: Renaming the Administrator Account

    Our administrator accounts are all renamed and nothing bad has ever come of it, but we did it on day 1. To be honest I'm not sure I'd bother changing it now if it had been left as administrator for a year. The return is relatively small even in a building full of miscreants.

    There are some situations where it does offer a small amount of protection. For example, it's not always possible to enumerate the Domain Admins group, because you're not always in a position to query AD etc. Most situations where you'd use your domain credentials from outside the firewall would only be giving you access to one port, like 80 or 443. Knowing the SID in this case wouldn't usually help you much either.

  #5 Geoff

    Re: Renaming the Administrator Account

    If you have 443 open, you've blown a big hole in your firewall. Making it rather pointless. You can tunnel _ANYTHING_ over HTTPS.

    Now, onwards. Firstly, we need the domain SID. Easily done for me. I'm using Samba here. You could just as easily use LDAP.

    Code:
    root@terror:~# wbinfo -D CARRHILL
    Name              : CARRHILL
    Alt_Name          : carrhill.lancs.sch.uk
    SID               : S-1-5-21-281514301-135522355-1315823253
    Active Directory  : Yes
    Native            : Yes
    Primary           : Yes
    Sequence          : -1
    Now, we can work out the SID for the Administrator account by just appending the hardcoded number (500) to the end. (Nice one MS.)

    Code:
    root@titan:~# wbinfo -s S-1-5-21-281514301-135522355-1315823253-500
    CARRHILL\administrator 1
    Easy.
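Editor's added example (not code from the thread, the Microsoft book quoted in #1, or Samba). It illustrates the point both #1 and #5 turn on: the rename policy only changes the account's name, while its SID is the domain SID plus the fixed RID 500, so anyone who can read SIDs (wbinfo as above, or the binary objectSid attribute over LDAP) finds the account whatever it is called. The domain SID is the one from the wbinfo output above; the account names and SIDs in SAMPLE_ACCOUNTS are constructed for the demonstration, and the "administrator" entry is a deliberately planted decoy with an ordinary RID.

```python
"""SID helpers: the built-in Administrator is RID 500 no matter what it is named."""
import struct
from typing import Dict, List, Optional, Tuple

# Domain SID as printed by `wbinfo -D CARRHILL` in the post above.
DOMAIN_SID = "S-1-5-21-281514301-135522355-1315823253"

RID_ADMINISTRATOR = 500   # well-known RID of the built-in Administrator
RID_GUEST = 501           # well-known RID of the built-in Guest

# Constructed sample directory: sAMAccountName -> objectSid (string form).
# The real built-in account has been renamed "srv-ops"; "administrator" is a
# decoy that merely carries the name and has an ordinary RID.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "srv-ops": DOMAIN_SID + "-500",
    "administrator": DOMAIN_SID + "-1105",
    "guest": DOMAIN_SID + "-501",
    "jsmith": DOMAIN_SID + "-1120",
}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, subauthorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:   # SID revision is always 1; max 15 subauthorities
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def sid_with_rid(domain_sid: str, rid: int) -> str:
    """Append a relative identifier to a domain SID (what `wbinfo -s` was fed above)."""
    parse_sid(domain_sid)  # validate before appending
    return f"{domain_sid}-{rid}"


def rid_of(sid: str) -> int:
    """The last subauthority of an account SID is its RID."""
    return parse_sid(sid)[2][-1]


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary layout Active Directory stores in objectSid."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Decode objectSid: revision (1 byte), subauthority count (1 byte),
    identifier authority (6 bytes, big-endian), subauthorities (4 bytes each, little-endian)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("subauthority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def find_builtin_administrator(domain_sid: str, accounts: Dict[str, str]) -> Optional[str]:
    """Return the account name that currently holds RID 500, whatever it has been renamed to."""
    target = sid_with_rid(domain_sid, RID_ADMINISTRATOR)
    for name, sid in accounts.items():
        if sid == target:
            return name
    return None


if __name__ == "__main__":
    print("built-in Administrator is now called:", find_builtin_administrator(DOMAIN_SID, SAMPLE_ACCOUNTS))
    print("RID of the account merely named 'administrator':", rid_of(SAMPLE_ACCOUNTS["administrator"]))
    print("BUILTIN\\Administrators from bytes:", sid_from_bytes(bytes.fromhex("01020000000000052000000020020000")))
```

In a live environment the dictionary would come from an LDAP search returning objectSid, or from `wbinfo -s` per account; the comparison logic is the same. The decoy shows why matching on the name alone cuts both ways: a defender can leave an ordinary account called "administrator" as bait, and an attacker who only reads names will be fooled, but one who reads SIDs will not.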

  #6 Ashok

    Re: Renaming the Administrator Account

    Quote Originally Posted by Geoff
    If you have 443 open, you've blown a big hole in your firewall. Making it rather pointless. You can tunnel _ANYTHING_ over HTTPS.

    Don't agree with this at all; if you have all the firewall rules in place and an IDS, then there's not much that can get in.

    ISA Server is a good example of this: you can securely publish OWA (Outlook Web Access) and still have the protection. Dumb HW firewalls are useless in modern times and a simple port block is not enough. You need to really look at the content that is going through by using a stateful packet filtering firewall like ISA. With ISA you specify signatures and User-Agent strings to only allow the things you want and cut out the junk.

    Ashok.

  #7 Geoff

    Re: Renaming the Administrator Account

    HTTPS is encrypted. You cannot see the content of the encrypted tunnel on your firewall as the connection will fail.

    User Agent strings can be forged.

    You do not address the possibility of a reverse tunnel either.

  #8 sahmeepee

    Re: Renaming the Administrator Account

    Can you tell me how to connect to an SSL site if it's on the opposite side of a firewall with 443 closed? I'm ignoring the case where you put your SSL site on a non-default port, of course. Obviously the outside world would only be able to access one server (or possibly a selection) on 443, as we only have one outward-facing IP. How exactly would they tunnel telnet (as a simple example) over HTTPS to my server which has 443 exposed if I hadn't configured the telnet tunnel beforehand? Even if I ran a telnet daemon they'd not be able to talk to it over my port 443 unless the server said so.

    I totally agree that anyone with direct access to your Windows network can get the name of the builtin Administrator account, but as I say that isn't the only scenario out there. With a school system we would traditionally be looking primarily at protecting against attacks from the inside. With all these wonderful advances in access by pupils/parents/babysitters/pets from home we have to spend more time protecting against the whole world. Thankfully it's simpler for us to reduce the "attack surface" for attacks from outside.

    "You do not address the possibility of a reverse tunnel either."

    Any outbound SSL connections are logged and blockable so although it is an issue it's one most schools can deal with reasonably well. I wouldn't consider disabling pupil/staff access to external HTTPS sites a viable security measure.

  #9 Ashok

    Re: Renaming the Administrator Account

    I think ISA Server actually looks at the content, i.e. the HTTPS traffic, and then reconstructs it to send to the appropriate server. SSL bridging scenario.

    These kinds of facilities are not offered by HW firewalls such as PIX etc. because they just allow 443 traffic but do not look at the content. ISA Server goes through the content, even HTTPS (encrypted), checks for exploits if any, then opens another separate connection with the actual server and passes the original request. This is assuming the SSL bridging scenario I mentioned. You are correct if you just use the tunnel mode, which just lets the HTTPS traffic pass to the relevant server, but you've got to be daft to do that in the first place.

    Ash.

  #10 Geoff

    Re: Renaming the Administrator Account

    Ok, there's a few steps to this. I'm relying on windows stupidity here. Alternatively you can poison the ARP cache on the router/switch.

    1. Linux on a Laptop.
    2. Configure it with a static IP, the same as the webserver you're pretending to be.
    3. Plug it into the internal LAN.
    4. The Windows server will complain about duplicate IPs and shut down its TCP/IP networking.

    With that out of the way, it's a simple matter of setting up the tunnel. ssh-https-tunnel should be sufficient.

    http://www.uq.edu.au/~suter/software/ssh-https-tunnel/

    If you're doing things in the other direction there's no requirement to stomp all over the Windows server. HTTPS over the proxy server is sufficient.

  #11 wesleyw

    Re: Renaming the Administrator Account

    You can't tunnel everything through SSL (Port 443) but you can with SSH (Port 22). You should be okay with 443 as long as you authenticate and authorise incoming connections properly.

    Wes

  #12 Geoff

    Re: Renaming the Administrator Account

    You can run SSH over SSL. So yes, you can tunnel anything.

  #13 wesleyw

    Re: Renaming the Administrator Account

    I thought it was more like you can run SSL through SSH? I'm running SSH putty sessions presently to use my servers from home! (Actually I'm doing that right now lol!)

    Okay, just found a few more things out with this, erm.. both are valid lol. You can use SSL to tunnel SSH and vice versa. SSH has a few more options available I believe, but because you can use SSH through SSL this all becomes academic. Interesting though!

    Wes

  #14 PiqueABoo

    Re: Renaming the Administrator Account

    Quote Originally Posted by Geoff
    Ok, there's a few steps to this
    Is Someone1 with a rogue box on your internal network supplanting an HTTPS server so that (presumably) Someone2 on the outside can tunnel in, high up on the likely threat list?

    Someone1 likely has outbound SSL access already.. and logmein.com is a perfect example of what you can do with that.

    Top of my list in this kind of scenario is someone hacking some poorly written web app...

  #15 Irazmus

    Re: Renaming the Administrator Account

    Quote Originally Posted by PiqueABoo
    Is Somone1 with a rogue box on your internal network supplanting an HTTPS server so that (presumably) Someone2 on the outside can tunnel in, high up on the likely threat list?
    What I'd be more concerned about with a rogue box supplanting an HTTPS server is that, if it was done right, a user of the HTTPS website would never know it was fake (especially if you use self-signed certs and tell users to accept them, as I'm sure some of us do).
    Imagine the HTTPS server was your remote file access server: $teacher connects, enters username and password, the rogue box logs the details and displays a believable error message, $teacher accepts and gives up none the wiser. The rogue now has $teacher's login, and if $teacher is as imaginative as most users, the rogue may have the SIMS password too.

    DPA breach in 5 easy steps.
