A question for the list, inspired by the server hardening/break in
threads:
Is changing the Administrator account name really worthwhile or not? My
largely unfounded, sparsely researched opinion is this:
So far I haven't read a convincing argument for changing the name of the
administrator account, and there's one reason I've chosen not to -
account lockout policy. Only the domain Administrator account is exempt
from lockout unless there's a special dispensation for Domain/Enterprise
admins I don't know about. So choosing another account (and thus
changing the SID) would take away the protection(?) against a DoS attack
on the Administrator account.
As for providing extra security, I believe it's security by obscurity.
In order to access password-based systems, you have a set of public
knowledge (username) and private knowledge (password): known * unknown =
unknown, or in a (non)mathematical sense for brute force attacks, 1 * ?
= ?. Now let's say you change the Administrator password, what have you
gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the
equation but not the outcome. I realize that changing the name prevents
automated attacks but can't this be defeated by not allowing direct
remote Administrator access? (no VPN account, no OWA account, servers
locked up in a datacenter...)
Basically what I'm asking is whether changing the account name is a
fundamental princple or just icing on the cake.
Derick Anderson
---------------------------------------------------------------------------
---------------------------------------------------------------------------
