Re: Rename Administrator Account

OK. Sorry I missed that. I have been reading the article you suggested and
it is excellent. Thank you very much. There is so much to learn.
--
Thanks, Steve


"Miha Pihler [MVP]" wrote:

Hi,

As mentioned in my first reply, you can't change SIDs.

I checked the article -- it doesn't suggest anywhere to change the SID. It
says to rename the account, but the article -- just as I did -- also states
that renaming the account has limited security effect since the SID will
always be 500 for the administrator account.

--
Mike
Microsoft MVP - Windows Security

"SteveP" <SteveP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:162B64F7-1009-4C28-8C2E-A88D087AECE6@xxxxxxxxxxxxxxxx
Hello, Miha:

You are a big help. Your link is for an interesting article I had not
seen.

My changes are to be made to a 2003 Standard Server network with active
directory (of course). I got the tip from a TechNet Article titled "19 Smart
Tips for Securing Active Directory" and I thought they were a good idea.

May I ask how to change the builtin administrator SID, which is recommended
along with changing its name?
--
Thanks, Steve


"Miha Pihler [MVP]" wrote:

Hi Steve,

Useful information would be where you plan to deploy these changes. On a
standalone computer? In a domain? On all member computers? What operating
systems do you intend to deploy these changes on?

While I believe it is useful to rename the administrator account -- it has
limited effect. As you wrote, all administrator accounts (like all other
built-in objects, e.g. accounts and groups) have well-known SIDs. Now these
SIDs can't be changed and you can't delete built-in accounts and groups
(e.g. the administrator account).

Your firewall should protect your network in a manner that prevents any
criminals from using tools like SID2User and User2SID from the Internet.
Still, these tools can be used on the LAN. Now you have to think also how
likely it is that a hacker will have physical access to your LAN and how to
keep them away from such access.

So what to do? Rename the administrator account (to e.g. Bob) and create a
new account with username "administrator". Now disable this new
administrator account and monitor event logs for any attempts of usage.
Note - any services or applications running with the administrator account
will stop working once you change the administrator account to e.g. "bob"
unless you modify them to use the new name (not recommended) or use a
different account with appropriate permissions.


On Windows XP and Windows Server 2003 you can even disable the built-in
Administrator account if you want to go to that length. While this account
is disabled -- it will still work in e.g. safe mode.
What I usually do in environments that require high security is deploy Smart
Cards. Then the built-in administrator account and all other accounts with
domain administrator permissions are set in a way that one can only log on
with these accounts using smart cards.

I am not sure which guide you read, but personally I really like this one.

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Among other things -- changes suggested in this article will keep you
supportable by Microsoft PSS -- in case you run into some problems. I saw a
few guides that suggested changes that would make your computers
(environment) unsupportable.

--
Mike
Microsoft MVP - Windows Security

"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CFE18C82-7307-4FB2-ACAB-3E336232816D@xxxxxxxxxxxxxxxx
I would like to:
1. Rename the builtin administrator account
2. Create an account for administrators under a different name than
   administrator
3. Change the builtin administrator SID because hackers would look for it
   even if the account name was changed
4. Create a dummy administrator account as a honeypot and audit it for
   attempts to get in it.

I read that this was a good security measure. Can anyone direct me to a
step by step or post one?
--
Thanks, Steve
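
An added example, not part of the original thread: a Python sketch of the two checks the replies describe, namely that the built-in account is still identifiable by its fixed RID of 500 after a rename, and that the disabled decoy named "administrator" is watched for logon attempts. The account inventory, event records, record field names, domain identifier and addresses are all constructed for illustration; a real audit would read them from the directory and the Security event log.

```python
import re
from collections import Counter

# Account SID layout: S-1-5-21-<three domain/machine sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
DECOY = "administrator"
# Logon-failure event IDs: 529 and 531 on Windows Server 2003, 4625 on later versions.
FAILED_LOGON_IDS = {529, 531, 4625}

# Constructed inventory after the rename; the domain identifier is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    {"name": "Bob", "sid": DOM + "-500", "enabled": True},
    {"name": "administrator", "sid": DOM + "-1153", "enabled": False},
]

# Constructed security-log records; 528 is a successful logon on Server 2003.
EVENTS = [
    {"id": 528, "user": "Bob", "src": "192.0.2.10"},
    {"id": 531, "user": "Administrator", "src": "192.0.2.77"},
    {"id": 529, "user": "jsmith", "src": "192.0.2.23"},
    {"id": 531, "user": "ADMINISTRATOR", "src": "192.0.2.77"},
]

def rid(sid):
    """Return the relative identifier (last sub-authority) of an account SID, or None."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None

def builtin_admin(accounts):
    """Find the built-in Administrator by RID 500, whatever it is called now."""
    return next((a for a in accounts if rid(a["sid"]) == 500), None)

def decoy_findings(accounts):
    """List configuration problems with the decoy account (empty list = OK)."""
    decoy = next((a for a in accounts if a["name"].lower() == DECOY), None)
    if decoy is None:
        return ["no decoy account named 'administrator'"]
    findings = []
    if rid(decoy["sid"]) == 500:
        findings.append("'administrator' is still the built-in account (RID 500)")
    if decoy["enabled"]:
        findings.append("decoy account is enabled")
    return findings

def decoy_attempts(events):
    """Count failed logons against the decoy name, per source address."""
    return dict(Counter(e["src"] for e in events
                        if e["id"] in FAILED_LOGON_IDS and e["user"].lower() == DECOY))
```

Account names are compared case-insensitively because Windows treats them that way; any non-empty result from `decoy_attempts` deserves a look, since no legitimate user or service should be using the decoy name.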





