Re: Remove Administrator Account from Administrators Group



Yeah, I found some information today on the Internet about randomizing the
password for the local Administrator account. I think that we will
incorporate that into our overall plan as well.

As you implied, an attacker with sufficient knowledge, time, money, and
technical resources may eventually breach your security, but that's not a
reason to make it easy for them.

--Tom

"Mathieu CHATEAU" <gollum123@xxxxxxx> wrote in message
news:uK5Yuia6HHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
Security is all about cost (knowledge/$$) to break it !

A more important security issue is to have a random password.
We had an external audit. They needed half a day to break the local admin
password (it was a long, long one, but this damned LAN Man hash was still
activated). Then they were not just local admin, but admin of all
workstations.
They set up a trap on the computer of one of the domain admins... you guessed it,
they became domain admins...

Renaming is good, individual passwords are great!

OK, even with the LAN Man hash, they needed a rainbow table + brute force.
Without LAN Man they would have needed a lot more time. Multiply this time
by every computer.. :)

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:%23LosmJa6HHA.5424@xxxxxxxxxxxxxxxxxxxxxxx
And that's really all we are trying to do. I am in charge of limiting
user rights for employees ranging from the receptionist to high-level IT
staff, including Exchange Server administrators with 10 years of
experience. We figure that renaming the Administrator account is not
going to stop a determined Exchange Server administrator with the
knowledge and rights to get around things, but it might stop the less
knowledgeable and less motivated, and so therefore it's a step in the
right direction. Also, we are renaming the account to something
sufficiently random (renaming it to "Admin" would be pretty pointless
since that could be easily guessed by a remote user).

Going back to the issue of high-level IT staff, given their knowledge and
rights it may not be possible from a technical perspective to stop them
from working around security policies, but there are other options
available, such as disciplinary actions, that may dissuade people from
attempting to circumvent security.

--Tom

"Mathieu CHATEAU" <gollum123@xxxxxxx> wrote in message
news:85ADE192-7904-4327-AC59-703E8C59DEB2@xxxxxxxxxxxxxxxx
Indeed, that just helps if someone tries to break it remotely (so without
the knowledge that it's not the default name)



--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"G Johansson" <fantomen@xxxxxxxxxxxxxxx> wrote in message
news:O9s3NuX6HHA.5164@xxxxxxxxxxxxxxxxxxxxxxx
Just for your information, renaming the administrator account is not
really a security option since it will still have the same SID.

--
G Johansson
fantomen@xxxxxxxxxxxxxxx
http://GPfaq.se


"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:%23iWcSTQ6HHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
Yep. That part I got. I was just not seeing where to find the policy
to rename the local Administrator account. I'm trying Mathieu's
suggestion for that, and will post back here once I have tested it.

--Tom

"Paul O" <polson@xxxxxxxxx> wrote in message
news:ui9eVvP6HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
I use GPMC Computer Config>Windows Settings>Security
Settings>Restricted Groups to add or remove local groups from the
local admin group.
Look up 'Restricted Groups' on MS or the web for more info.

PaulO

"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:u7zTcgM6HHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
We are in the process of creating a group policy that will limit
user rights on the desktop. A major element of our group policy is
that it will push down the local Administrators group, which will
contain a domain group for Network Administrators so that we will
have administrator rights to all machines. Currently, the local
Administrator account is a member of the Administrators group that
is pushed down by the group policy. Our security officer would like
us to either remove the local Administrator account from the group
policy, or push it down under a different name. In other words, if
you were to logon to a PC that gets the group policy, and check the
local Administrators group, you would not see the local
Administrator account listed as a member, but you might see an
account called something like "SecureDesktop" that would be the
local Administrator account under a different name.

Given that you can't manually remove the local Administrator account
from the local Administrators group (you get a message akin to,
"This action is not allowed for built-in accounts"), I would say
that what our security officer is asking may not be possible.
However, I am very new to group policies and thought that I should
seek some expert advice on whether or not this can be achieved
through a group policy.

Is there a way through a group policy to remove the local
Administrator account from the local Administrators group, or to
push it down under a different name?

--Tom
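
The points raised in this thread (a renamed built-in Administrator keeps its well-known SID, LAN Manager hash storage, and the membership of the local Administrators group) can be checked per workstation. The following is an added PowerShell audit example, not part of the original posts; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module and an English default account name, and the function name Get-BuiltinAdminAudit is hypothetical.

```powershell
# Added example (not from the thread): audit one machine for the issues discussed.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Get-BuiltinAdminAudit {
    # The built-in Administrator always has RID 500, whatever name it carries,
    # so it is located by SID rather than by name.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    # NoLMHash = 1 stops Windows from storing LAN Manager hashes.
    # It takes effect the next time each password is changed.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name NoLMHash -ErrorAction SilentlyContinue

    # S-1-5-32-544 is the local Administrators group; using the SID avoids
    # depending on a localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AdminName        = $admin.Name
        AdminSid         = $admin.SID.Value
        # Assumption: the default name is the English 'Administrator'.
        Renamed          = $admin.Name -ne 'Administrator'
        Enabled          = $admin.Enabled
        PasswordLastSet  = $admin.PasswordLastSet
        NoLMHashSet      = ($lsa.NoLMHash -eq 1)
        AdminGroupMembers = ($members | ForEach-Object {
                                '{0} [{1}]' -f $_.Name, $_.PrincipalSource
                            }) -join '; '
    }
}

# Run locally and review the result.
Get-BuiltinAdminAudit | Format-List
```

A machine where Renamed is True still reports an AdminSid ending in -500, which is the point made about renaming above.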












