Posted by UBEST on September 4, 2006, 9:46 pm
Steve,
You are right. I got the answer from Microsoft too:
http://i.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch05n.mspx
Thanks again.
On Sun, 3 Sep 2006 22:06:05 -0500, "Steven L Umbach"
>As long as the real account name is known there will not be any problem.
>However as time goes it is surprising how such things can be forgotten or
>hard to find. Again for AD Restore and Recovery Console on a domain
>controller the built in administrator account for the domain is not used but
>the built in administrator account for the domain controller that was
>configured during dcpromo is used. I can't see it being a problem on other
>servers as long as the built in administrator account name and password is
>known. As always if you are unsure it is best to test what happens in a non
>destructive way for the domain.
>
>Steve
>
>Administrator Account
>
>
>> Hi Steve,
>>
>> Thank you for your input. Auditor suggested we should rename built-in
>> domain and local member server administrator account. Microsoft Best
>> Practice Guide mentioned, renaming built-in administrator account is
>> not secure enough since hackers have tools to easily identify the built-in
>> admin account (SID ending with 500). However, Microsoft doesn't
>> mention any reference about how this change affect disaster recovery
>> procedure for AD or member servers or standalone server.
>>
>> On Fri, 1 Sep 2006 14:55:48 -0500, "Steven L Umbach"
>>
>>>Disabling an administrator account disables it for network or normal
>>>interactive logon. You still can logon in Safe Mode. AD Recovery is a type
>>>of Safe Mode and does not use the administrator account for the domain
>>>anyhow as it uses the built in administrator account for that domain
>>>controller which is what you are prompted for in AD recovery. I believe it
>>>should also work in Recovery Console and that would be easy enough to test.
>>>In my opinion as long as other security best practices are followed renaming
>>>the built in administrator account, particularly if it is disabled, is of
>>>little value and can pose a problem if it is forgotten. The free password reset
>>>disk at the link below can also enable or disable accounts and identify the
>>>administrator account. You also want to make sure that you are not using the
>>>same password on the general population domain computer for the built in
>>>administrators account as you do on servers and sensitive workstations.
>>>
>>>Steve
>>>
>>>http://home.eunet.no/~pnordahl/ntpasswd/
>>>
>>>
>>>> For security reasons, we have to disable or rename Domain administrator
>>>> account and domain member server's local administrator account.
>>>> We have some concerns about the changes:
>>>>
>>>> Can anyone please answer the following concerns?
>>>>
>>>> If we rename or disable administrator account for AD or Windows 2003
>>>> local administrator account, what are impacts on disaster recovery of
>>>> AD and standalone Windows 2003 servers, member servers.
>>>>
>>>> For a standalone or member server, if we disable or rename local
>>>> administrator account, when disaster happens and we have to run
>>>> disaster recovery, for example, recovery console mode, system will
>>>> prompt you for the administrator password. If we disable or rename the
>>>> built-in administrator account, can we still be able to get into
>>>> recovery console mode? And how?
>>>>
>>>> If we do system repair partition of Windows 2003 setup, if we are
>>>> prompted with Administrator password, how can we get along with this
>>>> step?
>>>>
>>>> For renaming or disabling AD administrator account, if disaster happens
>>>> to AD, how will it affect disaster recovery procedure?
>>>>
>>>> Thanks
>>>
>
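The thread's core point is that renaming the built-in Administrator account hides nothing, because its RID is fixed at 500 in both the local SAM and the domain, while a rename can still bite you at recovery time if nobody remembers the current name. The script below is an added example, not code from any poster or from the Microsoft guide linked above. It locates the RID-500 account on the local machine and in the domain by SID rather than by name, reports whether each is enabled, and writes the result down for the DR runbook. Assumptions: Windows PowerShell 5.1 or later (for Get-LocalUser), an elevated session, a domain-joined host with LDAP reachable for the domain lookup, and the function names and output path, which are mine.

```powershell
# Added example (not from the thread): find the built-in Administrator
# accounts by their well-known RID 500, whatever they are currently called.
# Assumes Windows PowerShell 5.1+, an elevated session, and (for the domain
# part) a domain-joined host. Function names and the CSV path are examples.

function Get-LocalBuiltinAdmin {
    # Every local SAM has exactly one account whose RID is 500. Renaming
    # changes only the display name; the SID (and therefore the RID) stays.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-500$' } |
        Select-Object @{ n = 'Scope';   e = { 'Local' } },
                      Name,
                      Enabled,
                      @{ n = 'SID';     e = { $_.SID.Value } }
}

function Get-DomainBuiltinAdmin {
    # Derive the domain SID from the naming context's objectSid, then bind
    # straight to <SID=domainSid-500>. This resolves the account even if it
    # has been renamed, which is exactly the trick the auditor is describing.
    try {
        $rootDse   = [ADSI]'LDAP://RootDSE'
        $domain    = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
        $sidBytes  = [byte[]]$domain.objectSid.Value
        $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $adminSid  = "$($domainSid.Value)-500"
        $admin     = [ADSI]"LDAP://<SID=$adminSid>"
        $uac       = [int]$admin.userAccountControl.Value

        [pscustomobject]@{
            Scope   = 'Domain'
            Name    = [string]$admin.sAMAccountName.Value
            Enabled = -not ($uac -band 0x2)   # 0x2 = ADS_UF_ACCOUNTDISABLE
            SID     = $adminSid
        }
    }
    catch {
        # Standalone host or no DC reachable: report and carry on with the local result.
        Write-Warning "Domain lookup failed: $($_.Exception.Message)"
    }
}

# Collect both and show them. A renamed or disabled RID-500 account is not
# wrong, but the *current* name must be in the recovery documentation,
# because repair and Recovery Console prompts want that name, not 'Administrator'.
$record = @(Get-LocalBuiltinAdmin) + @(Get-DomainBuiltinAdmin)
$record | Format-Table -AutoSize

foreach ($acct in $record) {
    if ($acct.Name -ne 'Administrator') {
        Write-Warning "$($acct.Scope) RID-500 account is renamed to '$($acct.Name)'; record it in the DR runbook."
    }
    if (-not $acct.Enabled) {
        Write-Warning "$($acct.Scope) RID-500 account '$($acct.Name)' is disabled; Safe Mode logon still works, but verify Recovery Console before relying on it."
    }
}

# Example path; keep this with the DR documentation, not on the server alone.
$record | Export-Csv -NoTypeInformation -Path 'C:\DR\builtin-admin-names.csv'
```

Run it on a member server to get only the local row, or on a domain-joined workstation to get both. Note what it does not cover: it cannot read passwords, so Steve's warning about reusing the same local Administrator password across the general population and sensitive servers still has to be checked by policy, and the Directory Services Restore Mode password set during dcpromo is a separate credential that this lookup does not touch.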