
| Subject: | Re: Renaming Administrator account |
|---|---|
| Date: | Tue, 15 Nov 2005 23:14:51 +0000 |
On Tue, 2005-11-15 at 16:21 -0500, Derick Anderson wrote:
> A question for the list, inspired by the server hardening/break-in threads: Is changing the Administrator account name really worthwhile or not? My largely unfounded, sparsely researched opinion is this: So far I haven't read a convincing argument for changing the name of the administrator account, and there's one reason I've chosen not to - account lockout policy. Only the domain Administrator account is exempt from lockout unless there's a special dispensation for Domain/Enterprise admins I don't know about. So choosing another account (and thus changing the SID) would take away the protection(?) against a DoS attack on the Administrator account.
I would imagine (hope) that the lockout is based on the SID rather than the username - perhaps someone more knowledgeable / from microsoft can confirm this?
> As for providing extra security, I believe it's security by obscurity. In order to access password-based systems, you have a set of public knowledge (username) and private knowledge (password): known * unknown = unknown, or in a (non)mathematical sense for brute force attacks, 1 * ? = ?. Now let's say you change the Administrator password, what have you gotten? Unknown * unknown = unknown, or ? * ? = ?. You've changed the equation but not the outcome. I realize that changing the name prevents automated attacks but can't this be defeated by not allowing direct remote Administrator access? (no VPN account, no OWA account, servers locked up in a datacenter...)
It is security through obscurity - sorry to repeat old material, but to save myself some typing, this is from another thread I posted to today: [starts] Whilst 'security through obscurity' as a *sole* security measure is a bad idea, obscurity actually plays (and historically has played) a very important part in security not just of IT systems. As a few examples, renaming the administrator account, non-obvious forward or reverse DNS, whois sanitisation, and actually even encryption are all security measures which are commonly accepted and have a greater or lesser amount of 'obscurity' involved. The important thing is that you don't rely on them - something which applies just as much to relying on any one vendor's shiny, snakeoil security panacea as it does to policies and reconfigurations like this. [ends] Although you can authenticate via SID in some instances (specifically on the local machine and via kerberos, which uses the SID as the identifier, I think), there are plenty of circumstances (such as RDP, SMB and possibly also RPC - again, I may be wrong) in which the username is used, and in these circumstances changing the administrative username does raise the bar in terms of difficulty to break into the system.
> Basically what I'm asking is whether changing the account name is a fundamental principle or just icing on the cake.
I don't think it's a fundamental principle, but I think describing it as 'icing on the cake' is perhaps understating it - I wouldn't go quite as far as to describe it as best practice, but I'd certainly classify it as a commonly deployed and recommended security measure. Given the difficulty of implementation (zero) and the net result (greater than zero), I'd say there's no reason not to implement it unless you have a specific reason not to.

- James.
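The point raised above, that the built-in account is identified by its SID rather than its logon name, can be checked directly on a modern Windows host. The script below is an added example and is not part of the thread; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session, and the new name `svc-localadm` is an assumed placeholder. It finds the built-in Administrator by its well-known relative identifier (RID 500, the last component of the SID), reports whether it has already been renamed and whether it is enabled, and only renames it when `-Rename` is given.

```powershell
# Added example (not from the thread): audit, and optionally rename, the
# built-in Administrator account on a member server or workstation.
# The built-in account's SID always ends in the well-known RID 500, and the
# SID does not change when the account is renamed; only the logon name does.
# Assumes the LocalAccounts module and an elevated PowerShell session.
param(
    [string]$NewName = 'svc-localadm',   # assumed placeholder for the new name
    [switch]$Rename                      # audit only unless -Rename is supplied
)

# Look the account up by RID 500 rather than by name, because the name is
# exactly the attribute that may already have been changed on this host.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if (-not $builtin) {
    Write-Error 'No local account with RID 500 found (domain controllers have no local SAM users).'
    return
}

# Audit record: the SID stays constant across renames, so it is the stable
# key to report on, not the current display name.
[pscustomobject]@{
    Name    = $builtin.Name
    SID     = $builtin.SID.Value
    Enabled = $builtin.Enabled
    Renamed = ($builtin.Name -ne 'Administrator')
}

if ($Rename -and $builtin.Name -ne $NewName) {
    # Rename by object, so the operation is bound to the SID, not to whatever
    # the account happens to be called at the moment.
    Rename-LocalUser -InputObject $builtin -NewName $NewName
    Write-Host "Renamed RID-500 account '$($builtin.Name)' to '$NewName'."
}
```

Run it without switches to get the audit object; in a fleet, the `Renamed` and `Enabled` fields are the two values worth collecting, since the rename only raises the bar for name-based logon paths and does nothing for callers that already resolve the account by SID.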