Reducing the Attack Surface of Admin accounts | Derek Melber | Aug 9 2007

This article highlights a few quick tips to reduce the exposure of the Administrator account within your Windows domain. The recommendations cover creating alternate admin accounts, privilege delegation, disabling the admin account, and only using the elevated-privilege account when needed.

In the interest of completeness I’d like to state that I’m all for renaming the administrator account. You should do it. It will reduce the amount of information that a potential attacker can assume. However, if the attack is on the LAN side of your network and enumerates accounts, it is trivial to tell which account is Admin: its SID always ends in 500 (the well-known RID of the built-in Administrator), regardless of the name. Nevertheless, here are a few more ideas.

1. Rename the admin account – If you keep the name the same as the default, you hand an attacker half of the information needed to log on as the account.

2. Change the Description – The default description states that the account is the built-in administrator.

3. Create a false Admin account – Once you have renamed your administrator account, create a restricted user with the username administrator. In addition, turn on verbose authentication logging for this account to pinpoint unauthorized account activity. Any logon attempt against it is an easy red flag that someone is trying something on your network.

4. Don’t forget to use complex passwords – If you think that s3cur3pa55w0rd is a good password, or you don’t understand LM hashing, then you need to check out “Secure Passwords: A primer in 2 parts” immediately.
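The four steps above, plus the RID-500 check from the introduction, as one added PowerShell example. This is not code from the original article; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the new account name (`svc-ops-500x`), the decoy description, the workstation restriction and the audit subcategory are placeholder choices you would adapt. The decoy is restricted to a workstation that does not exist, so it can never actually log on even if someone guesses its password, and the last function turns the "verbose logging" advice into a concrete query over Security events 4624/4625 for the decoy name.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT) and Domain Admin rights. Test in a lab domain first.
Import-Module ActiveDirectory

$NewAdminName    = 'svc-ops-500x'                 # placeholder: new name for the real admin
$DecoyName       = 'Administrator'                # decoy keeps the default name
$DecoyDescription = 'Built-in account for administering the computer/domain'  # default-looking text

# Intro check: find the real built-in Administrator by its well-known RID (500),
# whatever it is currently called. This is exactly what an attacker on the LAN
# can do, so it is also how you verify your own renaming worked.
function Get-BuiltinAdministrator {
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Description, SamAccountName
}

# Steps 1 and 2: rename the real account and replace the telltale default description.
function Rename-BuiltinAdministrator {
    param([string]$NewName)
    $admin = Get-BuiltinAdministrator
    if ($admin.SamAccountName -ne $NewName) {
        Rename-ADObject -Identity $admin.DistinguishedName -NewName $NewName     # changes the CN
        Set-ADUser -Identity $admin -SamAccountName $NewName `
                   -Description 'Service account' `                               # placeholder description
                   -UserPrincipalName "$NewName@$((Get-ADDomain).DNSRoot)"
    }
}

# Step 3: create the decoy. It is an ordinary Domain User, and LogonWorkstations
# points at a machine that does not exist, so the account is unusable by design.
function New-DecoyAdministrator {
    param([string]$Name, [string]$Description)
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
        $pwd = Read-Host -AsSecureString "Long random password for decoy '$Name'"
        New-ADUser -Name $Name -SamAccountName $Name -Description $Description `
                   -AccountPassword $pwd -Enabled $true `
                   -LogonWorkstations 'NO-SUCH-HOST'                               # placeholder hostname
    }
    # "Verbose auth logging": make sure success and failure logon auditing is on
    # (auditpol is built in; Group Policy is the usual way to set this domain-wide).
    auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

# Helper: pull a named field out of a Security event without guessing its index
# (TargetUserName and IpAddress sit at different positions in 4624 vs 4625).
function Get-EventField {
    param($Event, [string]$Field)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Field }).'#text'
}

# Detection: since the real admin no longer uses the default name, every logon
# attempt against the decoy is either a misconfigured tool or someone probing.
function Get-DecoyLogonAttempts {
    param([string]$Name = $DecoyName, [int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Name } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Source  = Get-EventField $_ 'IpAddress'
                Process = Get-EventField $_ 'ProcessName'
            }
        }
}

# Step 4 sanity check: LM hashes must not be stored, or password complexity is moot.
function Test-LmHashDisabled {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [bool]($lsa.NoLMHash -eq 1)
}

# Usage (run on a domain controller):
Rename-BuiltinAdministrator -NewName $NewAdminName
New-DecoyAdministrator -Name $DecoyName -Description $DecoyDescription
Get-BuiltinAdministrator | Select-Object SamAccountName, SID, Description   # confirm RID 500 now has the new name
Get-DecoyLogonAttempts -Hours 24 | Format-Table -AutoSize
if (-not (Test-LmHashDisabled)) { Write-Warning 'NoLMHash is not set; LM hashes are still being stored.' }
```

A successful 4624 against the decoy should never appear once LogonWorkstations is set; if it does, the restriction was removed or the account was modified, which is itself worth alerting on.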
