RE: more info on a hopefully unsuccessful compromise

From: David Gillett (gillettdavidat_private)
Date: Mon Jul 14 2003 - 13:49:52 PDT


      It's true, as far as it goes.  If you just rename the account,
    anyone who enumerates the accounts can spot it by its SID.
    
      BUT ... If you disallow null sessions (not the default, but a
    veeerrry good idea), then only authenticated users will be able
    to enumerate accounts.
    
    David Gillett
    
    > -----Original Message-----
    > From: Dial Joe [mailto:joe.dialat_private]
    > Sent: July 14, 2003 10:23
    > To: 'hermanat_private'
    > Cc: Incidents List
    > Subject: RE: more info on a hopefully unsuccessful compromise
    > 
    > 
    > 
    > Hi Herman,
    > I'll jump in on the renaming the administrator account.
    > First, my disclaimer: I am not a (full-time) Windows
    > Administrator and I don't even have an MCSE, but I have been
    > told that renaming the Administrator account is of little
    > value (well, actually the MCSE that told me said *no* value)
    > since the Security ID for the Administrator account is a well
    > known value, and this is what hacking/cracking attempts use
    > instead of the user name.  My (so-called) expert said that an
    > NT/2K/XP script kiddie could connect to the machine and
    > exploit it without even knowing that the Administrator
    > account was renamed.  I (personally) usually rename it, then
    > create a disabled guest account called administrator, just in
    > case someone gets physical access to the machine and wants to
    > *let their fingers do the walking*...
    > 
    > If anyone on this list can confirm or deny the value of 
    > renaming the Administrator account with more info than just 
    > *somebody who has been right before told me* then I would 
    > love for them to enlighten me.
    > 
    > Thanks,
    > Joe Dial
    > 
    > 
    > -----Original Message-----
    > From: Herman Sheremetyev [mailto:hermanat_private] 
    > Sent: Sunday, July 13, 2003 5:16 PM
    > 
    > A moron?  Why would you even say that?  Oh right, you're the pro and
    > he's the luser....And would you please enlighten everyone what exactly
    > is wrong with renaming the Administrator account?  Again, I don't use or
    > even like Windows but I've had to admin Win2k boxes in my day and can
    > tell you that renaming the Administrator account is actually a good
    > idea.  It's the only account Windows won't let you set a timeout on so
    > it's usually a safe bet for brute-forcing the password over the network.
    > However, if "some moron" renames it, you're going to be brute-forcing a
    > non-existent account, or better yet a non-priv'd dummy one.
    > 
    > 
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    world's premier technical IT security event! 10 tracks, 15 training sessions, 
    1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    "underground" security specialists.  See for yourself what the buzz is about!  
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
    
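The two points David makes above (the built-in Administrator is identifiable by its SID whatever it is called, and anonymous enumeration is what exposes that) can be audited on a host. The script below is an added example, not code from anyone in this thread; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module and an elevated prompt, and the function names are my own.

```powershell
# Added example (not from the thread): audit the renamed-Administrator advice above.
# The built-in Administrator always has RID 500 (the last SID component), so it is
# located by SID rather than by name. A decoy account literally named "Administrator"
# that is not RID 500 is reported separately, as is the LSA configuration that
# governs anonymous (null-session) enumeration of accounts.
# Assumes: Windows PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts, read access to HKLM.

function Get-BuiltinAdminStatus {
    $users  = Get-LocalUser
    $rid500 = $users | Where-Object { $_.SID.Value -match '-500$' }
    $decoy  = $users | Where-Object { $_.Name -eq 'Administrator' -and $_.SID.Value -notmatch '-500$' }
    [pscustomobject]@{
        Rid500Name    = $rid500.Name
        Rid500Renamed = ($rid500.Name -ne 'Administrator')
        Rid500Enabled = $rid500.Enabled
        DecoyPresent  = ($null -ne $decoy)
        DecoyDisabled = if ($decoy) { -not $decoy.Enabled } else { $null }
    }
}

function Get-NullSessionSettings {
    # Values absent from the key are reported as 0, which is what LSA treats them as.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous         = [int]($lsa.RestrictAnonymous)
        RestrictAnonymousSAM      = [int]($lsa.RestrictAnonymousSAM)
        EveryoneIncludesAnonymous = [int]($lsa.EveryoneIncludesAnonymous)
    }
}

$admin = Get-BuiltinAdminStatus
$null  = Get-NullSessionSettings

Write-Output "RID 500 account is currently named '$($admin.Rid500Name)' (renamed: $($admin.Rid500Renamed), enabled: $($admin.Rid500Enabled))"
if ($admin.DecoyPresent) {
    Write-Output "Decoy 'Administrator' present; disabled: $($admin.DecoyDisabled)"
}
if ($null.RestrictAnonymous -eq 0 -and $null.RestrictAnonymousSAM -eq 0) {
    Write-Output "WARNING: anonymous SAM enumeration is not restricted; the rename is visible to null sessions"
}
if ($null.EveryoneIncludesAnonymous -ne 0) {
    Write-Output "WARNING: EveryoneIncludesAnonymous is set; anonymous users get Everyone permissions"
}
```

On a domain controller the same RID-500 test applies to the domain Administrator (domain SID followed by -500); substitute Get-ADUser -Filter * and its SID property for Get-LocalUser.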



    This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:17:36 PDT