Aloha Dial Joe.

Renaming the built-in administrator does not change its RID (500), off of which the local account's SID is built. Because of this, script kiddies/crackers/hackers can reference the account no matter what the name is. Even though this is the case, it's still a best practice to rename the default administrator account as another layer of security that a potential malfeasant would have to penetrate or bypass. It's particularly effective against interactive attackers (cracker at kb/mouse/monitor) because they may not have the tools or knowledge at hand to determine which account has the admin RID.

An additional layer can be added by doing the following:

1) Rename the administrator account
2) Copy the renamed account to a new account named Administrator
3) Disable the Administrator account or set crazy restrictions on it with Nazi logging (keylogger in startup etc.)
4) Remove the description of the renamed administrator account

This procedure retains the "Built-in account for administering the computer/domain" description on the copied account, but requires a tool that can copy local accounts. My preference is for ntuser.exe.

Your friend was right, for the most part. Leaving an account named Administrator gives people a target to shoot for, even though it may not do what they think ;)

Hth.

Joel
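The point above, that the real administrator is identified by RID 500 rather than by its name, is easy to verify from the defender's side. The following is an added audit script, not part of Joel's post; it assumes a standalone or domain-member Windows machine with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser), and reports whether the renaming/decoy procedure he describes has actually been applied.

```powershell
# Added example (not from the original message): audit the local SAM for the
# account whose SID ends in RID 500 and check the state of the decoy procedure.
# Assumes Windows PowerShell 5.1+ with Get-LocalUser; on a domain controller the
# local SAM is not available and this cmdlet fails.
function Get-BuiltinAdminStatus {
    $users = Get-LocalUser

    # The built-in administrator is the account whose SID is <machine SID>-500,
    # regardless of what it is currently named.
    $real  = $users | Where-Object { $_.SID.Value -match '-500$' }

    # A decoy is any account that carries the name "Administrator" but not RID 500.
    $decoy = $users | Where-Object {
        $_.Name -eq 'Administrator' -and $_.SID.Value -notmatch '-500$'
    }

    [pscustomobject]@{
        Rid500Name                  = $real.Name
        Rid500Sid                   = $real.SID.Value
        Rid500Enabled               = $real.Enabled
        Rid500Renamed               = ($real.Name -ne 'Administrator')
        # Step 4 of the procedure: the default description gives the game away.
        Rid500HasDefaultDescription = ($real.Description -like 'Built-in account*')
        DecoyPresent                = [bool]$decoy
        DecoyDisabled               = if ($decoy) { -not $decoy.Enabled } else { $null }
    }
}

Get-BuiltinAdminStatus | Format-List
```

A result with Rid500Renamed = True, Rid500HasDefaultDescription = False, DecoyPresent = True and DecoyDisabled = True means all four steps are in place; any other combination shows which step is missing.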
This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:00:03 PDT