| Author | Messages | |
scharique
Posts:0
 | | 06/15/2009 6:45 PM |
| So looks like there is a native but cumbersome way in the SETPWD utility and then there is the DSRMreset script of Joe ?
On Mon, Jun 15, 2009 at 12:32 PM, Brian Desmond <brian@briandesmond.com> wrote:

> IIRC it's available from any Windows 2000 CD?
>
> Thanks,
> Brian Desmond
> brian@briandesmond.com
> c - 312.731.3132
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Michael B. Smith
> Sent: Monday, June 15, 2009 12:30 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] the builtin Administrator account of domain
>
> Look in the archives for this mailing list on threads talking about "setpwd".
>
> Can it be done? Sure. But it's somewhat painful acquiring the requisite application.
>
> PS C:\temp> ./setpwd -?
> Reset Directory Service Restore Mode Administrator Account Password.
>
> SETPWD.EXE [/s:<server>] [/p:<password>]
>
> /s:<server> - Name of the server to use. Optional.
> /p:<password> - DS Restore Mode Administrator Account Password. Optional.
>
> See Microsoft Knowledge Base article Q271641 at
> http://support.microsoft.com for more information.
> PS C:\temp>
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
> Sent: Monday, June 15, 2009 1:21 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] the builtin Administrator account of domain
>
> FYI - The link provided here by Susan (from the lazyadmin) is only
> applicable to Windows Server 2008 domains. Is there a workaround to sync up
> the password to an account or change the DSRM passwords (on every DC)
> programmatically in Windows Server 2003 ?
>
> Thanks,
>
> On Fri, Jun 12, 2009 at 7:26 PM, Harry Singh <hboogz@gmail.com> wrote:
>
> Coool.
>
> On 6/12/09, Free, Bob <RWF4@pge.com> wrote:
> > Depends on your definition of monitoring I guess. We had a homegrown
> > solution that monitored the account for changes which was replaced
> > eventually with NetPro Change Auditor that satisfied the control objective
> > regarding the configuration and group membership of the account(s). Our
> > logs are collected by a 3rd party solution and eventually forwarded to a
> > MSSP (managed security service provider) so they are under 24x7 watch to
> > satisfy another control. Auditors happy :-)
> >
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Harry Singh
> > Sent: Friday, June 12, 2009 3:24 PM
> > To: activedir@mail.activedir.org
> > Subject: Re: [ActiveDir] the builtin Administrator account of domain
> >
> > Curious how could you get the following done ? Would love to know if there
> > is something out there that can monitor it, besides combing event logs.
> >
> > "set up monitoring on the renamed account"
> >
> > On Fri, Jun 12, 2009 at 5:25 PM, Free, Bob <RWF4@pge.com> wrote:
> >
> >> Disable it, don't use the 500 account.
> >
> > Who said anything about actually using it?
> >
> > I was responding to the "don't rename as the real account can be found"
> > portion. My point remains it's not worth arguing about it, we renamed it,
> > disabled it in AD, set up monitoring on the renamed account long time ago
> > and never looked back. Do it on the first DC in any new domain right up
> > front. The administrator account on member systems is renamed and neutered
> > as part of our build process before it ever joins the domain. 500 account is
> > never used. Anyone with administrative access is required to have an
> > individual admin account. SOX guys get the activity reports, auditors are
> > happy. :-) EOF
> >
> > -----Original Message-----
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Susan Bradley
> > Sent: Friday, June 12, 2009 11:58 AM
> > To: activedir@mail.activedir.org
> > Subject: Re: [ActiveDir] the builtin Administrator account of domain
> >
> > Disable it, don't use the 500 account.
> > Set up a secondary one for administrator.
> >
> > (us pesky SBS 2008ers do that out of the box during the install)
> >
> > Free, Bob wrote:
> >> Another take on it IME is that it's like other questionable value settings
> >> that are really benign to the system anyway, come audit time it's much
> >> easier to have just renamed it than wasting cycles arguing the finer
> >> points with various auditors who don't really understand the pros and cons
> >> and are just using a checklist or canned script/auditing tool. ( I didn't
> >> read the article referenced below, I'm just speaking in generalities)
> >>
> >> -----Original Message-----
> >> From: activedir-owner@mail.activedir.org
> >> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF
> >> Sent: Friday, June 12, 2009 11:37 AM
> >> To: activedir@mail.activedir.org
> >> Subject: RE: [ActiveDir] the builtin Administrator account of domain
> >>
> >> Agreed. Don't rely on this as the only way to protect it. But it's a
> >> simple measure to implement, even though it may be simple to get over
> >> it.
> >>
> >> -----Original Message-----
> >> From: activedir-owner@mail.activedir.org
> >> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
> >> Sent: Friday, June 12, 2009 11:28 AM
> >> To: activedir@mail.activedir.org
> >> Subject: RE: [ActiveDir] the builtin Administrator account of domain
> >>
> >>>>> Saying "don't rename as the real account can be found" is like saying
> >>>>> don't lock the car, as it is easy to jimmy it open anyway !
> >>
> >> Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on
> >> your front door because any intelligent human being will be able to tell
> >> that it IS a door regardless of what you choose to call it"
> >>
> >> In this age, any hacking tool that doesn't know how to look for SID
> >> instead of label does not deserve to be named a "hacking tool".
> >>
> >> Sincerely,
> >> www.akomolafe.name<http://www.akomolafe.name/> - we know IT -5.75, -3.23
> >> Do you now realize that Today is the Tomorrow you were worried about
> >> Yesterday? -anon
> >> ________________________________
> >> From: activedir-owner@mail.activedir.org
> >> [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI
> >> SF [Ravi.Sabharanjak@barclaysglobal.com]
> >> Sent: Friday, June 12, 2009 11:16 AM
> >> To: activedir@mail.activedir.org
> >> Subject: RE: [ActiveDir] the builtin Administrator account of domain
> >>
> >> Do set the password to a unique one. You can use tools such as
> >> CyberArk's password manager that make this easy.
> >>
> >> Why not rename it? Agreed that it is easy to find out the real name of
> >> the account, however it's one more step a worm / hacker has to take, so
> >> why not make it a little bit harder?
> >>
> >> Saying "don't rename as the real account can be found" is like saying
> >> don't lock the car, as it is easy to jimmy it open anyway !
> >>
> >> ________________________________
> >> From: activedir-owner@mail.activedir.org
> >> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
> >> Sent: Friday, June 12, 2009 11:02 AM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: [ActiveDir] the builtin Administrator account of domain
> >>
> >> Wanted to bring up this topic and see what's everyone's best practice
> >> (these days ) regarding the builtin Administrator account of the
> >> domain. I came across this article, and point # 6 is a "don't" that I
> >> have been taking as a "do" in my environments.
> >>
> >> Security Watch: Why You Should Disable the
> >> Administrator<http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> >>
> >> Based on point #1, I was also wondering what is behind the scene
> >> mechanism that allows you to use this very account in the DRSM or safe
> >> mode even in the disable state.
> >>
> >> Thanks for your input.
> >>
> >> --
> >>
> >> This message and any attachments are confidential, proprietary, and may
> >> be privileged. If this message was misdirected, Barclays Global
> >> Investors (BGI) does not waive any confidentiality or privilege. If you
> >> are not the intended recipient, please notify us immediately and destroy
> >> the message without disclosing its contents to anyone. Any
> >> distribution, use or copying of this e-mail or the information it
> >> contains by other than an intended recipient is unauthorized. The views
> >> and opinions expressed in this e-mail message are the author's own and
> >> may not reflect the views and opinions of BGI, unless the author is
> >> authorized by BGI to express such views or opinions on its behalf. All
> >> email sent to or from this address is subject to electronic storage and
> >> review by BGI. Although BGI operates anti-virus programs, it does not
> >> accept responsibility for any damage whatsoever caused by viruses being
> >> passed.
| | | |
| bdesmond
Posts:996
 | | 06/15/2009 7:07 PM |
| AFAIK that batch script just calls setpwd.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Monday, June 15, 2009 12:43 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] the builtin Administrator account of domain

So looks like there is a native but cumbersome way in the SETPWD utility and then there is the DSRMreset script of Joe ?
| | | |
| Ruffrider
Posts:0
 | | 06/15/2009 7:11 PM |
| No ... but there will be one soon ;-)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Monday, June 15, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] the builtin Administrator account of domain

So looks like there is a native but cumbersome way in the SETPWD utility and then there is the DSRMreset script of Joe ?
| | | |
|
|
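The thread's point that a rename does not hide the "500 account", because its SID always ends in RID 500, can be turned into a defender-side audit of the posture described above (renamed, disabled, never used). This is an added example, not code posted to the list; the function names, sample accounts and SIDs are constructed, and feeding it live `Get-ADUser` output is an assumption about your environment.

```powershell
# Added example: audit the built-in domain Administrator by RID, not by name.
# Input objects need SamAccountName, SID, Enabled and LastLogonDate. On a live
# domain they could come from the ActiveDirectory module (assumption):
#   Get-ADUser -Filter * -Properties LastLogonDate

function Get-Rid {
    param([string]$Sid)
    # A domain account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>.
    # The RID is the final field; anything else is not a domain account SID.
    if ($Sid -notmatch '^S-1-5-21(-\d+){3}-(\d+)$') { return $null }
    return [uint32]$Matches[2]
}

function Test-BuiltinAdministrator {
    param(
        [Parameter(Mandatory)][object[]]$Account,
        [int]$StaleAfterDays = 30,          # hypothetical threshold for "recently used"
        [datetime]$Now = (Get-Date)
    )
    foreach ($a in $Account) {
        # Select by well-known RID 500 so a renamed account is still found.
        if ((Get-Rid -Sid ([string]$a.SID)) -ne 500) { continue }

        $findings = @()
        if ($a.Enabled) {
            $findings += 'account is enabled'
        }
        if ($a.SamAccountName -eq 'Administrator') {
            $findings += 'account still has the default name'
        }
        if ($a.LastLogonDate -and
            ($Now - $a.LastLogonDate).TotalDays -lt $StaleAfterDays) {
            $findings += "logon within the last $StaleAfterDays days"
        }

        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            SID            = [string]$a.SID
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings
        }
    }
}

# Constructed sample data: two domains, one following the thread's practice
# (renamed, disabled, unused) and one left at defaults and recently used.
$sample = @(
    [pscustomobject]@{
        SamAccountName = 'svc-backup'
        SID            = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
        Enabled        = $true
        LastLogonDate  = [datetime]'2009-06-14'
    }
    [pscustomobject]@{
        SamAccountName = 'xadm-root'      # renamed RID-500 account
        SID            = 'S-1-5-21-1111111111-2222222222-3333333333-500'
        Enabled        = $false
        LastLogonDate  = $null
    }
    [pscustomobject]@{
        SamAccountName = 'Administrator'  # default name, enabled, in use
        SID            = 'S-1-5-21-4444444444-5555555555-6666666666-500'
        Enabled        = $true
        LastLogonDate  = [datetime]'2009-06-10'
    }
)

Test-BuiltinAdministrator -Account $sample -Now ([datetime]'2009-06-15') |
    Format-List
```

Run on a schedule and diffed against the previous result, the same check is a simple form of the "monitoring on the renamed account" asked about in the thread.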