Creating a dummy account won't fool anyone. I think there is a way to spoof
you SID though, which would definitely fool me.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Sheldon Malm
Sent: Monday, January 14, 2008 11:18 AM
To: my.security.lists@gmail.com; security-basics@securityfocus.com
Subject: Re: Removing Local Admin Accounts - What do you think?
General best practice is to disable and rename the built in Administrator
account and grant required permissions to individuals' accounts so that access
can be audited for the individuals performing tasks against the host. In many
shops, an added step is to create a "decoy" account named "Administrator" with
limited or no permissions.
I hope this helps.
--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT
Sent from my BlackBerry Wireless Handheld
----- Original Message -----
From: listbounce@securityfocus.com <listbounce@securityfocus.com>
To: security-basics@securityfocus.com <security-basics@securityfocus.com>
Sent: Sun Jan 13 11:19:16 2008
Subject: Removing Local Admin Accounts - What do you think?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear List,
I am looking for a general consensus from my peers. If you are able to
answer this with definite knowledge and not an assumption and you fully
understand what you are saying, please reply to this message. I do not
mean to be rude, but if you are not sure, please do not respond to this
message.
I am asking this as I will be presenting this to a company, as they have
proposed this idea and I want to show them exactly what they are
considering getting themselves into.
What is your professional opinion on removing the local administrator
account?
Does this pose a security risk to have a local administrator account on
a computer, so that IT staff (which are the only people in the
organization that are entitled to this user/pass) can do work on a
computer in a way that can not be "securely" audited? What I mean by
this is, they all use this one account (for emergencies only), instead
of using their own credentials over the network - thereby showing the
local admin account was used, but not who used it.
What are the risks involved in removing this account?
Is this a general best practice, from a security point of view?
If not, what is the best practice from a security point of view?
Lastly, do you believe or not, that if the IT staff wanted to compromise
a box, anonymously, would they really need this local administrator
account on the box? Or would they still be able to do this, without the
account there? Why?
I sincerely appreciate your time and thank you in advance for any
answers that you may pose. Also, if you see something that I did not
consider in my questions, please feel free to include that as well.
Please remember, if you think that this is a wise decision or not,
PLEASE state your answers and why.
- --
Rob
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| _ |
| ASCII ribbon campaign ( ) |
| - against HTML email X |
| / \ |
| |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
iEYEARECAAYFAkeKZCsACgkQcfN68iZZIcf9SgCgii4WMWjE8upNop/TvA41sqpJ
2GgAoNnC7iU1OT8GAPVkouK0UlfHfqkN
=67NY
-----END PGP SIGNATURE-----
