Re: Process running under Administrator account

Gregg Hill <bogus@xxxxxxxxxxx> wrote:
> So in the case I presented, i.e., a terminal server on 3389, would
> not the changed admin name be of some security benefit?
>
> It sounds as though the attack mentioned by Lanwench is an attack
> from the LAN, not the WAN.
>
> Or did I just completely miss the point?
>
> Gregg Hill

Anyone who is authenticated as a user (or computer, I think) can do the LDAP
lookup... meaning, any end user account that's compromised can do this.


> "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
> news:OI$0e8O%23HHA.4732@xxxxxxxxxxxxxxxxxxxxxxx
>> Gregg Hill wrote:
>>> Lanwench,
>>>
>>> You mentioned the well-known SID issue in a reply to someone on
>>> 9/1/07 in this same newsgroup ("Tracing a break-in attempt"). I
>>> asked some more questions, but they got missed, so here they are
>>> again. I did not realize the SID was all that was needed (or is it?).
>>> However, let's say one has a terminal server with 3389 open to the
>>> Internet (I know a VPN first or firewall authentication first would
>>> help). How does the hacker try to get into the TS? Don't they just
>>> start with "administrator" and a dictionary or other attack? In that
>>> case, would not the changing of the admin name help?
>>>
>>> How does the "well-known SID" factor into such an attack?
>>
>> Renaming the account does not change the SID. The Administrator SID
>> always ends in -500. So, a simple LDAP search of the AD SIDs locates
>> the renamed administrator account and provides the account name to
>> target for hacking. However, anonymous LDAP AD searches are blocked by
>> default in 2003, so now an authenticated account needs to make the LDAP
>> query (users, computers, or service accounts).

>>> "Lanwench [MVP - Exchange]"
>>> <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>>> message news:OslDm0G%23HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Ryan <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>>> I disabled the administrator account for security reasons. At the
>>>>> same time the event log shows failed administrator logon attempts.
>>>>> Attempts repeat every 2 to 5 hours. The calling process has PID
>>>>> 944 which I looked up as the svchost process.
>>>>> This refers to the following services:
>>>>>
>>>>> svchost.exe 944 AeLookupSvc, AppMgmt, BITS, Browser, CryptSvc, dmserver,
>>>>> EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla,
>>>>> RasMan, RemoteAccess, Schedule, seclogon, SENS, ShellHWDetection,
>>>>> winmgmt, wuauserv
>>>>>
>>>>> I cannot find any service that starts with Administrator account.
>>>>> Does someone have any suggestions?
>>>>
>>>> As Susan said, you need to re-enable it.
>>>>
>>>> I don't bother to rename the admin account anymore, either.
>>>> Security by obscurity = pretty useless, as anyone trying to hack
>>>> into your server is going after the well-known SID anyway.

--
/kj
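The SID point in this thread (renaming the built-in Administrator leaves its RID at 500, and disabling it is what Ryan's failed-logon events reflect) as an added audit example that is not from any poster: given a list of directory records (constructed here), it reports every well-known-RID account regardless of its current name, whether it has been renamed, and whether it is enabled, so an admin can verify the real state of those accounts in their own directory. The `Account` record layout and its field names are assumptions.

```python
import re
from dataclasses import dataclass

# Well-known relative identifiers (RIDs); a rename changes the name, never the RID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")


def rid_of(sid: str) -> int:
    """Return the final sub-authority (the RID) of a textual SID such as S-1-5-21-...-500."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


@dataclass
class Account:
    # Assumed record layout, mirroring the sAMAccountName / objectSid attributes.
    sam_account_name: str
    object_sid: str
    enabled: bool


def audit_well_known_accounts(accounts):
    """Report every account whose RID is well-known, whatever it is currently called."""
    findings = []
    for a in accounts:
        rid = rid_of(a.object_sid)
        if rid in WELL_KNOWN_RIDS:
            role = WELL_KNOWN_RIDS[rid]
            findings.append({
                "name": a.sam_account_name,
                "built_in_role": role,
                "renamed": a.sam_account_name.lower() != role.lower(),
                "enabled": a.enabled,
            })
    return findings


# Constructed sample directory records (not real domain data).
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "S-1-5-21-1111111111-2222222222-3333333333-1105", True),
    Account("sysop", "S-1-5-21-1111111111-2222222222-3333333333-500", False),
    Account("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501", False),
    Account("jdoe", "S-1-5-21-1111111111-2222222222-3333333333-1201", True),
]

if __name__ == "__main__":
    for finding in audit_well_known_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```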
