RE: more info on a hopefully unsuccessful compromise

From: Deus, Attonbitus (Thorat_private)
Date: Mon Jul 14 2003 - 13:29:42 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 10:23 AM 7/14/2003, Dial Joe wrote:
    
    >Hi Herman,
    >I'll jump in on the renaming the administrator account.
    >First, my disclaimer: I am not a (full-time) Windows Administrator and
    >I don't even have an MCSE, but I have been told that renaming the
    >Administrator account is of little value (well, actually the MCSE
    >that told me said *no* value) since the Security ID for the
    >Administrator account is a well-known value, and this is what
    >hacking/cracking attempts use instead of the user name. My (so-called)
    >expert said that an NT/2K/XP script kiddie could connect to
    >the machine and exploit it without even knowing that the
    >Administrator account was renamed. I (personally) usually rename
    >it, then create a disabled guest account called administrator,
    >just in case someone gets physical access to the machine and
    >wants to *let their fingers do the walking*...
    >
    >If anyone on this list can confirm or deny the value of renaming the
    >Administrator account with more info than just *somebody who has
    >been right before told me* then I would love for them to enlighten
    >me.
    
    Hey Joe- et al-
    
    To be specific, renaming the administrator account when one can hit
    the machine with NetBIOS/CIFS is of little value for the reasons you
    state. However, when it comes to deploying Terminal Services,
    renaming the administrator account has real value. Since a TS logon
    is a "local" logon, and the administrator account cannot be locked
    out for "local" logons, renaming the administrator for machines
    accessible via a TS logon can most definitely help thwart brute
    force attacks. IOW, if I know you have not renamed your admin
    account from "administrator," then I can hammer on it all day long
    knowing that the account won't be locked out.
    
    T
      
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPxMSuohsmyD15h5gEQJH9QCgoUHDdCt2Tx2DuRpWsic7HKTAcEcAn1A0
    /ASAJEoMmovG1tUocSfqZFRU
    =xN5G
    -----END PGP SIGNATURE-----
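
A defensive check that follows from the reply above, as an added example that is not part of the original message: it finds the account holding RID 500 whatever it is called, then counts failed Terminal Services logons per source against that account and against a decoy named "administrator". The inventory, record layout, addresses and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed inventory (name -> SID). The built-in administrator keeps
# RID 500 after a rename; "administrator" here is a disabled decoy.
ACCOUNTS = {
    "svc-root": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "administrator": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "jdoe": "S-1-5-21-1111111111-2222222222-3333333333-1106",
}

# Constructed failed-logon records: (source address, account, logon kind).
EVENTS = (
    [("192.0.2.44", "svc-root", "terminal-services")] * 8
    + [("198.51.100.7", "Administrator", "terminal-services")] * 6
    + [("192.0.2.10", "jdoe", "terminal-services")] * 2
    + [("192.0.2.99", "svc-root", "network")] * 9  # not a TS logon, skipped
)


def builtin_admin_name(accounts):
    """Return the (lower-cased) name of the account whose SID ends in RID 500."""
    for name, sid in accounts.items():
        if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == "500":
            return name.lower()
    return None


def brute_force_report(events, accounts, threshold=5):
    """Flag sources with at least `threshold` failed Terminal Services logons."""
    admin = builtin_admin_name(accounts)
    counts = Counter(
        (src, acct.lower()) for src, acct, kind in events
        if kind == "terminal-services"
    )
    findings = []
    for (src, acct), n in sorted(counts.items()):
        if n < threshold:
            continue
        if acct == admin:
            target = "builtin-admin"  # per the post, lockout does not apply here
        elif acct == "administrator":
            target = "decoy"          # guessing the default name after a rename
        else:
            target = "other"
        findings.append({"source": src, "account": acct,
                         "failures": n, "target": target})
    return findings


if __name__ == "__main__":
    for finding in brute_force_report(EVENTS, ACCOUNTS):
        print(finding)
```
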
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 10:48:55 PDT