| Author | Messages | |
scharique
Posts:0
 | | 06/12/2009 7:02 PM |
| Wanted to bring up this topic and see what everyone's best practice is (these days) regarding the builtin Administrator account of the domain. I came across this article, and point #6 is a "don't" that I have taken as a "do" in my environments.
Security Watch: Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
Thanks for your input.
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 06/12/2009 7:18 PM |
| Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
Why not rename it? Agreed, it is easy to find out the real name of the account; however, it's one more step a worm/hacker has to take, so why not make it a little bit harder?
Saying "don't rename, as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway!
--
This message and any attachments are confidential, proprietary, and may be privileged. If this message was misdirected, Barclays Global Investors (BGI) does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BGI, unless the author is authorized by BGI to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BGI. Although BGI operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed.
| | | |
| deji
Posts:262
 | | 06/12/2009 7:32 PM |
| > Saying "don't rename, as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway!
Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door, because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it."
In this age, any hacking tool that doesn't know how to look for the SID instead of the label does not deserve to be named a "hacking tool".
Sincerely, Deji Akomolafe
www.akomolafe.name <http://www.akomolafe.name/> - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 06/12/2009 7:38 PM |
| Agreed. Don't rely on this as the only way to protect it. But it's a simple measure to implement, even though it may be simple to get over it.
| | | |
| rwf4
Posts:29
 | | 06/12/2009 7:55 PM |
| Another take on it, IME, is that it's like other questionable-value settings that are really benign to the system anyway: come audit time, it's much easier to have just renamed it than to waste cycles arguing the finer points with various auditors who don't really understand the pros and cons and are just using a checklist or a canned script/auditing tool. (I didn't read the article referenced below; I'm just speaking in generalities.)
| | | |
| sbradcpa
Posts:496
 | | 06/12/2009 7:59 PM |
| Disable it, don't use the 500 account. Set up a secondary one for administrator.
(us pesky SBS 2008ers do that out of the box during the install)
| | | |
| scharique
Posts:0
 | | 06/12/2009 8:11 PM |
| How do you check the RID on that account? Via ADSIEdit, the RID attribute is empty.
Why does it still work with DSRM when disabled?
| | | |
| bdesmond
Posts:977
 | | 06/12/2009 8:17 PM |
| The RID is just a component of the SID.
The Administrator account in AD is AD specific. When you boot in DSRM mode, remember AD isn't running so you're actually logging in with the local SAM's DSRM account. This is the same account as if you logged in locally to a normal member server.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 2:10 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
How do you check the RID on that account ? via ADSIedit, the RID attribute is empty.
Why does it still work with DSRM when disabled ?
On Fri, Jun 12, 2009 at 1:57 PM, Susan Bradley <susan@msmvps.com<mailto:susan@msmvps.com>> wrote: Disable it, don't use the 500 account. Set up a secondary one for administrator.
(us pesky SBS 2008ers do that out of the box during the install)
Free, Bob wrote: Another take on it IME is that it's like other questionable value settings that are really benign to the system anyway, come audit time it's much easier to have just renamed it than wasting cycles arguing the finer points with various auditors who don't really understand the pros and cons and are just using a checklist or canned script/auditing tool. ( I didn't read the article referenced below, I'm just speaking in generalities)
-----Original Message----- From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Sabharanjak, Ravi BGI SF Sent: Friday, June 12, 2009 11:37 AM To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: RE: [ActiveDir] the builtin Administrator account of domain
Agreed. Don't rely on this as the only way to protect it. But it's a simple measure to implement, even though it may be simple to get over it. -----Original Message----- From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Akomolafe, Deji Sent: Friday, June 12, 2009 11:28 AM To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: RE: [ActiveDir] the builtin Administrator account of domain
Saying "don't rename as the real account can be found" is like saying
don't lock the car, as it is easy to jimmy it open anyway !
Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be names a "hacking tool".
Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ www.akomolafe.name<http://www.akomolafe.name><http://www.akomolafe.name/> - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com<mailto:Ravi.Sabharanjak@barclaysglobal.com>] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: RE: [ActiveDir] the builtin Administrator account of domain
Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
Thanks for your input.
--
This message and any attachments are confidential, proprietary, and may be privileged. If this message was misdirected, Barclays Global Investors (BGI) does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BGI, unless the author is authorized by BGI to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BGI. Although BGI operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed.
| | | |
| y2k1981
Posts:0
 | | 06/12/2009 8:21 PM |
| OK, I don't claim to be an expert - but why not leave it enabled but remove all its admin privileges? That way you can use it as a mini "honey pot" & audit your logs for any attempted logins using that account. Just a suggestion
Martin
On 12 Jun 2009, at 19:27, "Akomolafe, Deji" <deji@readymaids.com> wrote:
> > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
> In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be named a "hacking tool".
> Sincerely, www.akomolafe.name - we know IT
> ________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
> Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
> Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> ________________________________
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
> Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
> Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
> Thanks for your input.
| | | |
| sbradcpa
Posts:496
 | | 06/12/2009 8:23 PM |
| The Lazy Admin : Sync DSRM and Domain Admin Passwords: http://thelazyadmin.com/blogs/thelazyadmin/archive/2009/02/27/sync-dsrm-and-domain-admin-passwords.aspx
In my case the DSRM password is that first newly built Admin password. I'll need to manually change it after that or use that hotfix to sync it to an account.
Rick Sheikh wrote:
> How do you check the RID on that account ? via ADSIedit, the RID attribute is empty.
> Why does it still work with DSRM when disabled ?
> On Fri, Jun 12, 2009 at 1:57 PM, Susan Bradley <susan@msmvps.com> wrote:
> > Disable it, don't use the 500 account.
> > Set up a secondary one for administrator.
> > (us pesky SBS 2008ers do that out of the box during the install)
> > Free, Bob wrote:
> > > Another take on it IME is that it's like other questionable value settings that are really benign to the system anyway, come audit time it's much easier to have just renamed it than wasting cycles arguing the finer points with various auditors who don't really understand the pros and cons and are just using a checklist or canned script/auditing tool. ( I didn't read the article referenced below, I'm just speaking in generalities)
> > > -----Original Message-----
> > > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF Sent: Friday, June 12, 2009 11:37 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > > Agreed. Don't rely on this as the only way to protect it. But it's a simple measure to implement, even though it may be simple to get over it.
> > > -----Original Message-----
> > > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Friday, June 12, 2009 11:28 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > > > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> > > Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
> > > In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be named a "hacking tool".
> > > Sincerely, www.akomolafe.name - we know IT
> > > ________________________________
> > > From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > > Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
> > > Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
> > > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> > > ________________________________
> > > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
> > > Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
> > > Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> > > Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
> > > Thanks for your input.
| | | |
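Rick's question quoted above (how to check the RID when ADSIEdit shows no such attribute) comes down to reading objectSid: the RID is the SID's last sub-authority, and the built-in Administrator is the account whose SID ends in 500 whatever it is currently called, which is also Deji's "look for SID instead of label" point. The following is an added example, my code rather than anything posted in the thread or shipped by a product named in it. The directory records are constructed to stand in for an LDAP result (in a real check, sAMAccountName, objectSid and userAccountControl would be read from the domain); make_sid, the domain sub-authorities, the account names and the RID 1105 decoy are made up.

```python
"""Identify the built-in Administrator (RID 500) by SID, not by name.

Added example, not code from the thread. The directory records below are
constructed sample data; in a real environment objectSid and
userAccountControl would come from an LDAP query against the domain.
"""
import struct

ACCOUNTDISABLE = 0x0002          # userAccountControl flag: account is disabled
BUILTIN_ADMIN_RID = 500          # well-known RID of the built-in Administrator
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def sid_to_string(sid: bytes) -> str:
    """Convert a binary objectSid (as stored in AD) to its S-1-... string form."""
    revision = sid[0]
    sub_count = sid[1]
    authority = int.from_bytes(sid[2:8], "big")      # 48-bit identifier authority
    subs = struct.unpack_from(f"<{sub_count}I", sid, 8)  # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid: bytes) -> int:
    """The RID is the last sub-authority of the SID."""
    sub_count = sid[1]
    return struct.unpack_from("<I", sid, 8 + 4 * (sub_count - 1))[0]


def make_sid(domain_subs, rid) -> bytes:
    """Build a binary SID S-1-5-<domain_subs...>-<rid> (helper for the constructed data)."""
    subs = list(domain_subs) + [rid]
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


# Constructed sample: the RID-500 account has been renamed and disabled, while a
# decoy named "Administrator" with an ordinary RID is left enabled as a honeypot.
DOMAIN = (21, 1004336348, 1177238915, 682003330)   # made-up domain sub-authorities
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "objectSid": make_sid(DOMAIN, 1105), "userAccountControl": 0x200},
    {"sAMAccountName": "svc-legacy",    "objectSid": make_sid(DOMAIN, 500),  "userAccountControl": 0x202},
    {"sAMAccountName": "krbtgt",        "objectSid": make_sid(DOMAIN, 502),  "userAccountControl": 0x202},
]


def find_builtin_admin(users):
    """Return the record whose SID ends in RID 500, whatever it is called."""
    for u in users:
        if rid_of(u["objectSid"]) == BUILTIN_ADMIN_RID:
            return u
    return None


def audit_builtin_admin(users):
    """Report the real RID-500 account, its current name, whether it is disabled,
    and any account merely *named* Administrator (a label, not the real thing)."""
    admin = find_builtin_admin(users)
    if admin is None:
        return {"found": False}
    return {
        "found": True,
        "name": admin["sAMAccountName"],
        "sid": sid_to_string(admin["objectSid"]),
        "disabled": bool(admin["userAccountControl"] & ACCOUNTDISABLE),
        "decoys": [u["sAMAccountName"] for u in users
                   if u["sAMAccountName"].lower() == "administrator"
                   and rid_of(u["objectSid"]) != BUILTIN_ADMIN_RID],
    }


if __name__ == "__main__":
    print(audit_builtin_admin(SAMPLE_USERS))
```

The same decode works for any objectSid pulled from the directory, so a periodic job can confirm that the RID-500 account is still disabled and still carries the renamed label, independent of what the accounts are called.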
| deji
Posts:262
 | | 06/12/2009 9:27 PM |
| 3 words - security. layers. onion.
Sincerely, www.akomolafe.name - we know IT
________________________________________ From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Martin McDermott [martin.mcdermott@exlayer.co.uk] Sent: Friday, June 12, 2009 12:18 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
OK, I don't claim to be an expert - but why not leave it enabled but remove all its admin privileges? That way you can use it as a mini "honey pot" & audit your logs for any attempted logins using that account. Just a suggestion
Martin
On 12 Jun 2009, at 19:27, "Akomolafe, Deji" <deji@readymaids.com> wrote:
> > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
> In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be named a "hacking tool".
> Sincerely, www.akomolafe.name - we know IT
> ________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
> Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
> Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> ________________________________
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
> Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
> Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
> Thanks for your input.
| | | |
| rwf4
Posts:29
 | | 06/12/2009 10:28 PM |
| > Disable it, don't use the 500 account.
Who said anything about actually using it?
I was responding to the "don't rename as the real account can be found" portion. My point remains it's not worth arguing about it, we renamed it, disabled it in AD, set up monitoring on the renamed account long time ago and never looked back. Do it on the first DC in any new domain right up front. The administrator account on member systems is renamed and neutered as part of our build process before it ever joins the domain. 500 account is never used. Anyone with administrative access is required to have an individual admin account. SOX guys get the activity reports, auditors are happy. :-) EOF
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Friday, June 12, 2009 11:58 AM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
Disable it, don't use the 500 account. Set up a secondary one for administrator.
(us pesky SBS 2008ers do that out of the box during the install)
Free, Bob wrote:
> Another take on it IME is that it's like other questionable value settings that are really benign to the system anyway, come audit time it's much easier to have just renamed it than wasting cycles arguing the finer points with various auditors who don't really understand the pros and cons and are just using a checklist or canned script/auditing tool. ( I didn't read the article referenced below, I'm just speaking in generalities)
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF Sent: Friday, June 12, 2009 11:37 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> Agreed. Don't rely on this as the only way to protect it. But it's a simple measure to implement, even though it may be simple to get over it.
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Friday, June 12, 2009 11:28 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
> In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be named a "hacking tool".
> Sincerely, www.akomolafe.name - we know IT
> ________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
> Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
> Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> ________________________________
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
> Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
> Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
> Thanks for your input.
| | | |
| hboogz
Posts:71
 | | 06/12/2009 11:25 PM |
| Curious how you could get the following done? Would love to know if there is something out there that can monitor it, besides combing event logs.
"set up monitoring on the renamed account"
On Fri, Jun 12, 2009 at 5:25 PM, Free, Bob <RWF4@pge.com> wrote:
> > Disable it, don't use the 500 account.
> Who said anything about actually using it?
> I was responding to the "don't rename as the real account can be found" portion. My point remains it's not worth arguing about it, we renamed it, disabled it in AD, set up monitoring on the renamed account long time ago and never looked back. Do it on the first DC in any new domain right up front. The administrator account on member systems is renamed and neutered as part of our build process before it ever joins the domain. 500 account is never used. Anyone with administrative access is required to have an individual admin account. SOX guys get the activity reports, auditors are happy. :-) EOF
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Friday, June 12, 2009 11:58 AM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
> Disable it, don't use the 500 account.
> Set up a secondary one for administrator.
> (us pesky SBS 2008ers do that out of the box during the install)
> Free, Bob wrote:
> > Another take on it IME is that it's like other questionable value settings that are really benign to the system anyway, come audit time it's much easier to have just renamed it than wasting cycles arguing the finer points with various auditors who don't really understand the pros and cons and are just using a checklist or canned script/auditing tool. ( I didn't read the article referenced below, I'm just speaking in generalities)
> > -----Original Message-----
> > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF Sent: Friday, June 12, 2009 11:37 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > Agreed. Don't rely on this as the only way to protect it. But it's a simple measure to implement, even though it may be simple to get over it.
> > -----Original Message-----
> > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Friday, June 12, 2009 11:28 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> > Actually, I think he was saying "Don't write 'THIS IS NOT A DOOR' on your front door because any intelligent human being will be able to tell that it IS a door regardless of what you choose to call it"
> > In this age, any hacking tool that doesn't know how to look for SID instead of label does not deserve to be named a "hacking tool".
> > Sincerely, www.akomolafe.name - we know IT
> > ________________________________
> > From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF [Ravi.Sabharanjak@barclaysglobal.com] Sent: Friday, June 12, 2009 11:16 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
> > Do set the password to a unique one. You can use tools such as CyberArk's password manager that make this easy.
> > Why not rename it? Agreed that it is easy to find out the real name of the account, however it's one more step a worm / hacker has to take, so why not make it a little bit harder?
> > Saying "don't rename as the real account can be found" is like saying don't lock the car, as it is easy to jimmy it open anyway !
> > ________________________________
> > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Friday, June 12, 2009 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] the builtin Administrator account of domain
> > Wanted to bring up this topic and see what's everyone's best practice (these days) regarding the builtin Administrator account of the domain. I came across this article, and point # 6 is a "don't" that I have been taking as a "do" in my environments.
> > Security Watch : Why You Should Disable the Administrator <http://207.46.16.252/en-us/magazine/2006.01.securitywatch.aspx>
> > Based on point #1, I was also wondering what the behind-the-scenes mechanism is that allows you to use this very account in DSRM or safe mode even in the disabled state.
> > Thanks for your input.
| | | |
| rwf4
Posts:29
 | | 06/13/2009 1:07 AM |
| Depends on your definition of monitoring I guess. We had a homegrown solution that monitored the account for changes, which was replaced eventually with NetPro Change Auditor, which satisfied the control objective regarding the configuration and group membership of the account(s). Our logs are collected by a 3rd-party solution and eventually forwarded to an MSSP (managed security service provider), so they are under 24x7 watch to satisfy another control. Auditors happy :-)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Harry Singh Sent: Friday, June 12, 2009 3:24 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
Curious how you could get the following done? Would love to know if there is something out there that can monitor it, besides combing event logs.
"set up monitoring on the renamed account"
On Fri, Jun 12, 2009 at 5:25 PM, Free, Bob <RWF4@pge.com> wrote:
> Disable it, don't use the 500 account.
Who said anything about actually using it?
I was responding to the "don't rename as the real account can be found" portion. My point remains it's not worth arguing about it: we renamed it, disabled it in AD, set up monitoring on the renamed account a long time ago and never looked back. Do it on the first DC in any new domain right up front. The administrator account on member systems is renamed and neutered as part of our build process before it ever joins the domain. The 500 account is never used. Anyone with administrative access is required to have an individual admin account. SOX guys get the activity reports, auditors are happy. :-) EOF
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Friday, June 12, 2009 11:58 AM To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] the builtin Administrator account of domain
Disable it, don't use the 500 account. Set up a secondary one for administrator.
(us pesky SBS 2008ers do that out of the box during the install)
| | | |
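Added example, not code from the thread or from any product named in it: a PowerShell script that does what Bob describes above, keyed on the RID rather than the name, which is also the reason a rename on its own is not a control (anything that looks up <DomainSID>-500 finds the account whatever it is called). The domain part uses the ActiveDirectory module to snapshot the attributes an auditor asks about (name, enabled flag, userAccountControl, adminCount, pwdLastSet, direct group membership) and diffs them against a baseline saved with Export-Clixml; the local part renames, randomises and disables the RID-500 account on a member-server image before domain join, using the LocalAccounts cmdlets of current Windows (none of this existed in 2009; the 2003-era equivalent was ADSI/WinNT and net user). The baseline path and the new local name are assumptions. The diff covers attributes and direct membership only: the primary group, nested membership and the object ACL are not compared.

```powershell
# Added example (not from the thread). Everything keys off the well-known RID 500, so it keeps
# working after a rename: the SID never changes, only the label does. Needs the ActiveDirectory
# module for the domain part and the LocalAccounts cmdlets (Windows 10 / Server 2016+) for the local part.

# --- Domain: find the built-in Administrator by SID, never by name ---------------------------
function Get-DomainBuiltinAdmin {
    param([string]$Server)
    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $props  = @('sAMAccountName', 'Enabled', 'memberOf', 'pwdLastSet', 'lastLogonTimestamp',
                'userAccountControl', 'adminCount', 'description', 'whenChanged')
    $params = @{ Identity = "$($domain.DomainSID.Value)-500"; Properties = $props }
    if ($Server) { $params.Server = $Server }
    Get-ADUser @params
}

# Snapshot what an auditor asks about: name, state, UAC flags, adminCount, password age and
# direct group membership. memberOf is direct membership only; the primary group and nesting
# are not in it, and the object ACL is not compared here at all.
function Get-BuiltinAdminSnapshot {
    param([string]$Server)
    $u = Get-DomainBuiltinAdmin -Server $Server
    [pscustomobject]@{
        SID                = $u.SID.Value
        Name               = $u.sAMAccountName
        Enabled            = $u.Enabled
        UserAccountControl = $u.userAccountControl
        AdminCount         = $u.adminCount
        Description        = $u.description
        PwdLastSet         = [DateTime]::FromFileTimeUtc([int64]$u.pwdLastSet)
        LastLogon          = [DateTime]::FromFileTimeUtc([int64]$u.lastLogonTimestamp)
        Groups             = @($u.memberOf | Sort-Object)
        WhenChanged        = $u.whenChanged
        TakenUtc           = (Get-Date).ToUniversalTime()
    }
}

# Diff two snapshots. On a retired RID-500 account any rename, enable, UAC change, password
# reset or group change is a finding, whoever made it.
function Compare-BuiltinAdminSnapshot {
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    $changes = @()
    foreach ($k in 'Name', 'Enabled', 'UserAccountControl', 'AdminCount', 'Description', 'PwdLastSet') {
        if ("$($Baseline.$k)" -ne "$($Current.$k)") {
            $changes += [pscustomobject]@{ Attribute = $k; Was = $Baseline.$k; Now = $Current.$k }
        }
    }
    foreach ($g in $Current.Groups) {
        if ($g -notin $Baseline.Groups) { $changes += [pscustomobject]@{ Attribute = 'memberOf'; Was = $null; Now = $g } }
    }
    foreach ($g in $Baseline.Groups) {
        if ($g -notin $Current.Groups) { $changes += [pscustomobject]@{ Attribute = 'memberOf'; Was = $g; Now = $null } }
    }
    return $changes
}

# --- Member systems: rename, randomise and disable the local RID-500 account before domain join ---
function Disable-LocalBuiltinAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NewName = 'builtin-retired')   # assumed name; pick your own
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'No RID-500 account in the local SAM' }
    # Nobody is meant to log on with this account again, so the password is random and not recorded.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($admin.Name, "set random password, rename to $NewName, disable")) {
        Set-LocalUser -Name $admin.Name -Password $pw
        if ($admin.Name -ne $NewName) { Rename-LocalUser -Name $admin.Name -NewName $NewName }
        Disable-LocalUser -Name $NewName
    }
}

# --- Usage: first run records the baseline; scheduled runs report drift and exit non-zero ---
$baselinePath = 'C:\Baselines\rid500-baseline.xml'   # assumed location
if (-not (Test-Path -Path $baselinePath)) {
    Get-BuiltinAdminSnapshot | Export-Clixml -Path $baselinePath
    Write-Output "Baseline recorded in $baselinePath"
} else {
    $drift = Compare-BuiltinAdminSnapshot -Baseline (Import-Clixml -Path $baselinePath) -Current (Get-BuiltinAdminSnapshot)
    if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
    Write-Output 'RID-500 account unchanged since baseline'
}
# On a member-server image, before it joins the domain:  Disable-LocalBuiltinAdmin -WhatIf
```

Run the domain part from a scheduled task on an admin workstation and feed a non-zero exit into whatever alerts on failed jobs; a change-auditing product watches the same attributes in real time, this just shows what "monitor it" has to cover. Note that the local cmdlets are not meant for domain controllers, where the SAM is not in use.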
| hboogz
Posts:71
 | | 06/13/2009 1:28 AM |
| Coool. 
| | | |
| scharique
Posts:0
 | | 06/15/2009 6:22 PM |
| FYI - The link provided here by Susan (from the lazyadmin) is only applicable to Windows Server 2008 domains. Is there a workaround to sync up the password to an account or change the DSRM passwords (on every DC) programmatically in Windows Server 2003?
Thanks,
| | | |
| ZJORZ
Posts:363
 | | 06/15/2009 6:28 PM |
| >>>> Is there a workaround to sync up the password to an account or change the DSRM passwords (on every DC) programmatically in Windows Server 2003?
Yes... use Dean's script (DSRMreset.cmd), which you can find at jadonex.com. Check the ZIP file.
Make sure to read the prerequisites first.
Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto | Senior Technical Consultant | MVP IdA-DS | Oxford Computer Group BeNeLux
+31 (0)6 26.26.62.80 | +31 (0)70 36.21.627 | +31 (0)70 36.21.677 | Sweelinckplein 9 (Unit 11), 2517 GK, Den Haag, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1
(MVP Profile <https://mvp.support.microsoft.com/profile/jorge1> ) (Blog <http://blogs.dirteam.com/blogs/jorge/default.aspx> )
| | | |
| michael1
Posts:426
 | | bdesmond
Posts:977
 | | 06/15/2009 6:35 PM |
| IIRC it's available from any Windows 2000 CD?
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Michael B. Smith Sent: Monday, June 15, 2009 12:30 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] the builtin Administrator account of domain
Look in the archives for this mailing list on threads talking about "setpwd".
Can it be done? Sure. But it's somewhat painful acquiring the requisite application.
PS C:\temp> ./setpwd -?
Reset Directory Service Restore Mode Administrator Account Password.

SETPWD.EXE [/s:<server>] [/p:<password>]

/s:<server>   - Name of the server to use. Optional.
/p:<password> - DS Restore Mode Administrator Account Password. Optional.

See Microsoft Knowledge Base article Q271641 at http://support.microsoft.com for more information.
PS C:\temp>
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Monday, June 15, 2009 1:21 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] the builtin Administrator account of domain
FYI - The link provided here by Susan (from the lazyadmin) is only applicable to Windows Server 2008 domains. Is there a workaround to sync up the password to an account or change the DSRM passwords (on every DC) programmatically in Windows Server 2003?
Thanks,

On Fri, Jun 12, 2009 at 7:26 PM, Harry Singh <hboogz@gmail.com> wrote:
Coool.

On 6/12/09, Free, Bob <RWF4@pge.com> wrote:
> Depends on your definition of monitoring I guess. We had a homegrown solution that monitored the account for changes which was replaced eventually with NetPro Change Auditor that satisfied the control objective regarding the configuration and group membership of the account(s). Our logs are collected by a 3rd party solution and eventually forwarded to a MSSP (managed security service provider) so they are under 24x7 watch to satisfy another control. Auditors happy :)
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Harry Singh
> Sent: Friday, June 12, 2009 3:24 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] the builtin Administrator account of domain
>
> Curious how could you get the following done? Would love to know if there is something out there that can monitor it, besides combing event logs.
>
> "set up monitoring on the renamed account"
>
> On Fri, Jun 12, 2009 at 5:25 PM, Free, Bob <RWF4@pge.com> wrote:
>
>> Disable it, don't use the 500 account.
>
> Who said anything about actually using it?
>
> I was responding to the "don't rename as the real account can be found" portion. My point remains it's not worth arguing about it, we renamed it, disabled it in AD, set up monitoring on the renamed account long time ago and never looked back. Do it on the first DC in any new domain right up front. The administrator account on member systems is renamed and neutered as part of our build process before it ever joins the domain. 500 account is never used. Anyone with administrative access is required to have an individual admin account. SOX guys get the activity reports, auditors are happy.
> :-) EOF
| | | |
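The thread's recurring point is that renaming the built-in Administrator changes its label but not its SID (domain SID plus RID 500), so a defender's audit should find the account the same way a tool would: by SID, never by name. The following is an added example, not code from any poster in this thread; it locates the RID 500 account through ADSI (no ActiveDirectory module required) and reports the properties the posters say to check (renamed, disabled, password age, recent use, group membership). It assumes it is run on a domain-joined Windows host by a user with read access to the account's attributes.

```powershell
$ACCOUNTDISABLE = 0x2   # userAccountControl bit

function Get-Rid500Account {
    # Read the domain SID from the domain object itself (assumes ADSI read access)
    $dn       = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=domain)'
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    $domSid = New-Object System.Security.Principal.SecurityIdentifier(
                  ([byte[]]$searcher.FindOne().Properties['objectsid'][0]), 0)
    $adminSid = "$($domSid.Value)-500"

    # AD accepts the string form of a SID in an objectSid filter, so this finds the
    # built-in Administrator regardless of what it has been renamed to
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = "(objectSid=$adminSid)"
    $searcher.PropertiesToLoad.Clear()
    'sAMAccountName','userAccountControl','pwdLastSet','lastLogonTimestamp','memberOf' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $r = $searcher.FindOne()
    if (-not $r) { throw "No object with SID $adminSid found" }

    $p   = $r.Properties
    $uac = [int]$p['useraccountcontrol'][0]
    # lastLogonTimestamp is absent if the account never logged on and replicates only every ~14 days
    $lastLogon = if ($p['lastlogontimestamp'].Count) {
        [DateTime]::FromFileTime([int64]$p['lastlogontimestamp'][0]) } else { $null }

    [PSCustomObject]@{
        Name            = [string]$p['samaccountname'][0]
        Sid             = $adminSid
        Renamed         = ([string]$p['samaccountname'][0]) -ne 'Administrator'
        Disabled        = [bool]($uac -band $ACCOUNTDISABLE)
        PasswordAgeDays = [int]((Get-Date) - [DateTime]::FromFileTime([int64]$p['pwdlastset'][0])).TotalDays
        LastLogon       = $lastLogon
        GroupCount      = $p['memberof'].Count
    }
}

function Test-Rid500Hardening($acct, [int]$MaxPasswordAgeDays = 365) {
    # Findings against the thread's recommendations: disable it, rename it, never use it
    $findings = @()
    if (-not $acct.Disabled) { $findings += 'enabled: the RID 500 account should be disabled' }
    if (-not $acct.Renamed)  { $findings += 'still named Administrator: renaming is a cheap extra step' }
    if ($acct.PasswordAgeDays -gt $MaxPasswordAgeDays) { $findings += "password last set $($acct.PasswordAgeDays) days ago" }
    if ($acct.LastLogon -and $acct.LastLogon -gt (Get-Date).AddDays(-30)) {
        $findings += "used on $($acct.LastLogon): admins should use individual accounts instead" }
    return $findings
}

$acct = Get-Rid500Account
$acct | Format-List
Test-Rid500Hardening $acct
```

An empty result from Test-Rid500Hardening means the account is in the state Bob Free describes (renamed, disabled, unused); scheduling this against each domain and diffing the output over time gives the change monitoring Harry Singh asked about without combing event logs.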
| michael1
Posts:426
 | |
|