Re: Process running under Administrator account
- From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 16 Sep 2007 22:53:47 -0700
Gregg Hill wrote:
Lanwench,
You mentioned the well-known SID issue in a reply to someone on
9/1/07 in this same newsgroup ("Tracing a break-in attempt"). I asked
some more questions, but they got missed, so here they are again.
I did not realize the SID was all that was needed (or is it?).
However, let's say one has a terminal server with 3389 open to the
Internet (I know a VPN first or firewall authentication first would
help). How does the hacker try to get into the TS? Don't they just
start with "administrator" and a dictionary or other attack? In that
case, would not the changing of the admin name help?
How does the "well-known SID" factor into such an attack?
Renaming the account does not change the SID. The Administrator SID always
ends in -500. So, a simple LDAP search of the AD SIDs locates the renamed
administrator account and provides the account name to target for hacking.
However, anonymous LDAP AD searches are blocked by default in 2003, so now
an authenticated account needs to make the LDAP query (user, computer, or
service accounts).
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OslDm0G%23HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
Ryan <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I disabled the administrator account for security reasons. At the
same time the event log shows failed administrator logon attempts.
Attempts repeat every 2 to 5 hours. The calling process has PID
944, which I looked up as an svchost process.
This refers to the following services:
svchost.exe 944 AeLookupSvc, AppMgmt, BITS, Browser, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan,
RemoteAccess, Schedule, seclogon, SENS, ShellHWDetection, winmgmt, wuauserv
I cannot find any service that starts with the Administrator account.
Does someone have any suggestions?
As Susan said, you need to re-enable it.
I don't bother to rename the admin account anymore, either. Security
by obscurity = pretty useless, as anyone trying to hack into your
server is going after the well-known SID anyway.
--
/kj
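The RID 500 lookup kj describes, turned around for the defender: an added example (not code from anyone in this thread) that finds whichever account in your own domain carries the well-known Administrator SID, reports whether it is renamed or disabled, and counts recent failed logons against it. It assumes a domain-joined host with an authenticated user (matching kj's note that anonymous LDAP is blocked) and Windows Vista/2008 or later for Security event 4625.

```powershell
# Added example, not from the thread: audit the built-in Administrator
# account by its well-known RID 500, whatever it has been renamed to.
# Uses ADSI/DirectorySearcher, so no RSAT module is required.

# Domain SID comes from the objectSid attribute of the domain root object.
$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDN  = $rootDse.defaultNamingContext.Value
$domainObj = [ADSI]"LDAP://$domainDN"
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier(
                 $domainObj.objectSid.Value, 0)).Value

# RID 500 is always the built-in Administrator; renaming never changes it.
$adminSid = "$domainSid-500"

# The same objectSid query kj mentions, here used to check our own domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domainObj
$searcher.Filter     = "(objectSid=$adminSid)"
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))
$result = $searcher.FindOne()
if (-not $result) { throw "No account with SID $adminSid found under $domainDN" }

$name     = $result.Properties['samaccountname'][0]
$uac      = [int]$result.Properties['useraccountcontrol'][0]
$disabled = ($uac -band 0x2) -ne 0          # ADS_UF_ACCOUNTDISABLE flag

"Built-in Administrator (RID 500) is currently named '$name'; disabled: $disabled"
if ($name -ne 'Administrator') {
    "The rename does not hide it: SID $adminSid still resolves to this account."
}

# Failed logons naming that account in the last 24 hours. Security event
# 4625 (Vista/2008+); Windows 2003 logs event 529 instead. In 4625 the
# TargetUserName field is the sixth event-data property (index 5).
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Properties[5].Value -eq $name }
"Failed logons targeting '$name' since $($since.ToString('s')): $(@($failed).Count)"
```

Reading the Security log requires local administrator or membership in Event Log Readers; the LDAP part works for any authenticated domain user.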