Rename Domain Admin Account

Subject Author Date
Rename Domain Admin Account create_share 06-10-2008
Posted by Steve Riley [MSFT] on June 16, 2008, 6:36 pm
Yep, and some of our guidance also recommends using account lockout, which
is also wrong.

Just because you can do a thing (rename an account, use account lockout)
doesn't mean it's a good idea.

I disagree with the traditional advice for the same reason I rail against
hiding an SSID. It has to do with trying to force an identity (an account
name, an SSID) to take on the role of an authenticator (a secret). When you
can achieve all the security you'll ever need by using good secrets (long
passwords, WPA/WPA2), then changing account names adds no additional
security but it increases the brittleness of the system. Every change that
you make from the default is a change that you have to remember, a change
that you have to manage. It adds complexity. Complex configurations are more
likely to contain mistakes, and that's what the bad guys love. Configuration
vulnerabilities are the most common vectors for attack.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



>
>> Renaming the account doesn't increase its security. Use a good (meaning
>> long) passphrase and leave the account name at its default.
>
> Hi Steve,
>
> According to Microsoft, renaming the Administrator account is a "very
> simple yet effective procedure that should be a standard part of the
> hardening process for all servers" [1].
>
> Since there usually, AFAIK, is no drawback, I do not see why renaming
> should be discouraged.
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>
>
> [1] http://www.microsoft.com/technet/serviceproviders/hmc4/CMSU_CM_Plan_CONC_Baseline_Server_Hardening.mspx?mfr=true
>

Posted by Al Dunbar on June 20, 2008, 12:49 am

> Yep, and some of our guidance also recommends using account lockout, which
> is also wrong.
>
> Just because you can do a thing (rename an account, use account lockout)
> doesn't mean it's a good idea.

Thanks for the brutal honesty.

> I disagree with the traditional advice for the same reason I rail against
> hiding an SSID. It has to do with trying to force an identity (an account
> name, an SSID) to take on the role of an authenticator (a secret). When
> you can achieve all the security you'll ever need by using good secrets
> (long passwords, WPA/WPA2), then changing account names adds no additional
> security but it increases the brittleness of the system.

My view is that it increases the security slightly against an attack from an
unsophisticated insider, but then, that is not the greatest threat. It also
is a form of "security by obscurity", whose chief problem is that one can be
fooled into thinking it is equivalent to real security.

> Every change that you make from the default is a change that you have
> to remember, a change that you have to manage. It adds complexity. Complex
> configurations are more likely to contain mistakes, and that's what the
> bad guys love. Configuration vulnerabilities are the most common vectors
> for attack.

Another factor in line with your analysis above is that a secret known by
more than one person is not a secret. And if the name of the administrator
account is known by only one person, then you have a problem.

/Al


> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
>>
>>> Renaming the account doesn't increase its security. Use a good (meaning
>>> long) passphrase and leave the account name at its default.
>>
>> Hi Steve,
>>
>> According to Microsoft, renaming the Administrator account is a "very
>> simple yet effective procedure that should be a standard part of the
>> hardening process for all servers" [1].
>>
>> Since there usually, AFAIK, is no drawback, I do not see why renaming
>> should be discouraged.
>>
>> --
>> Thor Kottelin
>> http://www.anta.net/
>>
>> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>>
>>
>> [1] http://www.microsoft.com/technet/serviceproviders/hmc4/CMSU_CM_Plan_CONC_Baseline_Server_Hardening.mspx?mfr=true
>>


