Go4Expert (http://www.go4expert.com/)
-   Windows (http://www.go4expert.com/articles/windows/)
-   -   Windows Administrator Account Myths (http://www.go4expert.com/articles/windows-administrator-account-myths-t3537/)

pradeep 22Mar2007 14:08

Windows Administrator Account Myths
When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem -- the administrator account comes with no password and an obvious default name ("administrator").

While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.

Myth: Renaming this account prevents hackers from finding it

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.

However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill-down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.

You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

Now, the only account with full administrative rights has a name known only to you -- and hackers can't enumerate SIDS to find it!

Myth: You can't lock out the account after failed logon attempts

Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)

To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.

Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts.

However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.
Final thoughts

Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.

ronsan 6May2007 12:13

Re: Windows Administrator Account Myths
Pradeep , a computer running is damn slow these days , itz running on windows XP , it was not that slow before, what i have to do to make it fast , our system is pentium 3 - 20 gb , it used to run fast, shall i make it 80 gb and formatt the 20 gb hard disk , wil it help?

pradeep 7May2007 10:15

Re: Windows Administrator Account Myths
Increasing the hard disk won't make much of a difference, increasing the RAM would surely make a difference. And, also clean up your disk, defragment it regularly.
As your's is a Pentium 3, try not to run too many programs at the same time.

All times are GMT +5.5. The time now is 05:46.