
Rename Domain Admin Account

Subject Author Date
Rename Domain Admin Account create_share 06-10-2008
Posted by Ben M. Schorr - MVP (OneNote) on June 15, 2008, 4:51 pm
I certainly agree that a good passphrase is far more important, but I
think there can be some value to renaming the default administrator
account. That's one more thing for the bad people to have to figure
out. Especially if you don't just rename it to "Admin" or "Root".

And if I did so I'd probably create a Guest account named
"Administrator" just to lead them astray.

But I absolutely agree that renaming the account is not nearly as
important as having a good passphrase.

--
-Ben-
Ben M. Schorr, MVP
Roland Schorr & Tower
http://www.rolandschorr.com
http://www.officeforlawyers.com




> Why do you want to do this? Renaming the account doesn't increase its
> security. Use a good (meaning long) passphrase and leave the account name at
> its default.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
>
> > I want to rename Domain Admin Account in my Windows 2003 Domain
> > Controller. Can I use Domain Controller Security Policy to rename it and
> > what will happen if I use domain security policy to rename it?
> >
> > Thanks!


Posted by Meinolf Weber on June 15, 2008, 4:54 pm
Hello Steve Riley [MSFT],

But I think most attacks will choose the default name "administrator",
so why is renaming it not a kind of security increase? Of course, also with
a strong password.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Why do you want to do this? Renaming the account doesn't increase its
> security. Use a good (meaning long) passphrase and leave the account
> name at its default.
>
>
>> I want to rename Domain Admin Account in my Windows 2003 Domain
>> Controller. Can I use Domain Controller Security Policy to rename it
>> and what will happen if I use domain security policy to rename it?
>>
>> Thanks!
>>



Posted by DevilsPGD on June 15, 2008, 9:56 pm

>Why do you want to do this? Renaming the account doesn't increase its
>security. Use a good (meaning long) passphrase and leave the account name at
>its default.

Changing the account name can marginally increase security in a small set
of circumstances.

If an attacker already had some level of internal access, they can look
up the new administrator account name, or enumerate the various
administrators' groups, true enough.

However, not all attackers will have that luxury. For example,
attempting to crack the password through a RADIUS interface (which
provides authentication services to an external VPN server, for example) is
easier if you have a valid username, and much easier if the username in
question is immune to invalid-password account lockouts.

Sure, a sufficiently strong password will keep a raw brute-force attack
at bay indefinitely; however, since there is no real downside to
changing the administrator account usernames, why not make life harder
on a password cracker who happens to come across a partial password
somehow?

Posted by Thor Kottelin on June 15, 2008, 10:16 pm

> Renaming the account doesn't increase its security. Use a good (meaning
> long) passphrase and leave the account name at its default.

Hi Steve,

According to Microsoft, renaming the Administrator account is a "very
simple yet effective procedure that should be a standard part of the
hardening process for all servers" [1].

Since there usually, AFAIK, is no drawback, I do not see why renaming
should be discouraged.

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/


[1]
http://www.microsoft.com/technet/serviceproviders/hmc4/CMSU_CM_Plan_CONC_Baseline_Server_Hardening.mspx?mfr=true


Posted by Jorge de Almeida Pinto [MVP - on June 16, 2008, 4:03 pm
Some people believe in it, some don't. What's the main reason?

Of course you can rename the account. However, before the attack I would
search for the account that contains the RID of 500.

>>>>>>>>>>>>>read the rootDSE to get domain part of the SID

16-Jun-2008 22:01:42.51
[RFSRWDC1] C:\>adfind -default -s base objectSid

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Longhorn
Base DN: DC=ADCORP,DC=LAB

dn:DC=ADCORP,DC=LAB
>objectSid: S-1-5-21-2524662531-667181895-3648062849


1 Objects returned


>>>>>>>>>>>>>add the -500 part to the domain SID which is the default
>>>>>>>>>>>>>administrator accounts

16-Jun-2008 22:01:44.67
[RFSRWDC1] C:\>adfind -default -f "objectSID=S-1-5-21-2524662531-667181895-3648062849-500" sAMAccountName

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: RFSRWDC1.ADCORP.LAB:389
Directory: Windows Longhorn
Base DN: DC=ADCORP,DC=LAB

dn:CN=ADM.ROOT,CN=Users,DC=ADCORP,DC=LAB
>sAMAccountName: ADM.ROOT


1 Objects returned

16-Jun-2008 22:01:55.15
[RFSRWDC1] C:\>

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
>
>> Renaming the account doesn't increase its security. Use a good (meaning
>> long) passphrase and leave the account name at its default.
>
> Hi Steve,
>
> According to Microsoft, renaming the Administrator account is a "very
> simple yet effective procedure that should be a standard part of the
> hardening process for all servers" [1].
>
> Since there usually, AFAIK, is no drawback, I do not see why renaming
> should be discouraged.
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>
>
> [1]
>
http://www.microsoft.com/technet/serviceproviders/hmc4/CMSU_CM_Plan_CONC_Baseline_Server_Hardening.mspx?mfr=true
>
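
The lookup in the post above keys on the SID rather than the name, and monitoring can do the same. The following is an added example, not part of any post in this thread: it decodes binary objectSid values as LDAP returns them, then reports which account holds RID 500 and whether a decoy named "Administrator" exists. The domain SID and ADM.ROOT come from the adfind output above; RID 1105 and the account jdoe are constructed sample data.

```python
import struct

BUILTIN_ADMIN_RID = 500  # well-known RID; renaming the account does not change it


def sid_to_bytes(text: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout stored in objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities.
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def audit_builtin_admin(domain_sid, accounts):
    """accounts: iterable of (sAMAccountName, binary objectSid) pairs."""
    target = f"{domain_sid}-{BUILTIN_ADMIN_RID}"
    report = {"builtin_admin": None, "renamed": False, "decoys": []}
    for name, raw in accounts:
        sid = sid_to_str(raw)
        if sid == target:
            report["builtin_admin"] = name
            report["renamed"] = name.lower() != "administrator"
        elif name.lower() == "administrator":
            # Default name on a different RID: a decoy, useful as a tripwire.
            report["decoys"].append((name, sid))
    return report


DOMAIN_SID = "S-1-5-21-2524662531-667181895-3648062849"  # from the adfind output
SAMPLE = [
    ("ADM.ROOT", sid_to_bytes(DOMAIN_SID + "-500")),        # from the post
    ("Administrator", sid_to_bytes(DOMAIN_SID + "-1105")),  # constructed decoy
    ("jdoe", sid_to_bytes(DOMAIN_SID + "-1106")),           # constructed
]

if __name__ == "__main__":
    print(audit_builtin_admin(DOMAIN_SID, SAMPLE))
```

Alerting on logon attempts against the decoy name, and on any use of the RID 500 SID, keeps working however the real account is named.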

