How to hide administrator name

G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In order to improve security, it is possible to rename Administrator account
in an Windows XP system. But everytime a user choose "Run as.." to open an
application, the (renamed) name of the administrator is shown to her/him. Is
there a way to prevent this?

TIA,

Rosivaldo.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:OwpuHiWtFHA.1028@TK2MSFTNGP12.phx.gbl,
Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
> In order to improve security, it is possible to rename Administrator
> account in an Windows XP system. But everytime a user choose "Run
> as.." to open an application, the (renamed) name of the administrator
> is shown to her/him. Is there a way to prevent this?
>
> TIA,
>
> Rosivaldo.

Renaming an account isn't a very good way to secure anything. It adds maybe
two seconds to the time it takes someone to crack the system. [1] The real
question is, do these users know the password? And why are users choosing
RunAs anyway?


[1] I completely made that number up, but I'm not far off.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> escreveu na
mensagem news:OpLIPtLuFHA.908@tk2msftngp13.phx.gbl...
>
> Renaming an account isn't a very good way to secure anything. It adds
> maybe two seconds to the time it takes someone to crack the system. [1]
> The real question is, do these users know the password? And why are users
> choosing RunAs anyway?

Ok, I'm still learning all of this. :) But some texts in Windows Help says
that is a good idea to rename Administrator's account (a cracker should
first to guess the account name). Is it a futile advice? What are the best
practices on that matter?

The users *may* use RunAs. Simply. Some of them know these things. I suppose
the idea of renaming the administrator's account is to prevent remote users
from using a well known name. But if local users see the real (renamed)
name, this name gets well known too.

Any advice?

Rosivaldo.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:Om4RJIVuFHA.3720@TK2MSFTNGP14.phx.gbl,
Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> escreveu
> na mensagem news:OpLIPtLuFHA.908@tk2msftngp13.phx.gbl...
>>
>> Renaming an account isn't a very good way to secure anything. It adds
>> maybe two seconds to the time it takes someone to crack the system.
>> [1] The real question is, do these users know the password? And why
>> are users choosing RunAs anyway?
>
> Ok, I'm still learning all of this. :) But some texts in Windows
> Help says that is a good idea to rename Administrator's account (a
> cracker should first to guess the account name). Is it a futile
> advice? What are the best practices on that matter?

Well, I don't think it can hurt much, but I don't know that it will stop
anyone who really knows their stuff.
>
> The users *may* use RunAs. Simply.

But not successfully, if they don't know the credentials, right?

> Some of them know these things. I
> suppose the idea of renaming the administrator's account is to
> prevent remote users from using a well known name. But if local users
> see the real (renamed) name, this name gets well known too.
>
> Any advice?

Make sure you use good complex passwords and enable auditing. You might also
be able to remove runas for users if you are good with group policy - you
could post in a GP group for more help.
>
> Rosivaldo.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> escreveu na
mensagem news:OKWxwphuFHA.908@tk2msftngp13.phx.gbl...

> In news:Om4RJIVuFHA.3720@TK2MSFTNGP14.phx.gbl,
> Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:

>>> Renaming an account isn't a very good way to secure anything. It adds
>>> maybe two seconds to the time it takes someone to crack the system.
>>> [1] The real question is, do these users know the password? And why
>>> are users choosing RunAs anyway?

>> Ok, I'm still learning all of this. :) But some texts in Windows
>> Help says that is a good idea to rename Administrator's account (a
>> cracker should first to guess the account name). Is it a futile
>> advice? What are the best practices on that matter?
>
> Well, I don't think it can hurt much, but I don't know that it will stop
> anyone who really knows their stuff.

After all, is it pointless or not to keep in secret the names of
administrators accounts? Besides Windows Help, I've already heard from
security experts that it is a good practice to improve security.

>>
>> The users *may* use RunAs. Simply.
>
> But not successfully, if they don't know the credentials, right?

Right. But the matter is simply the fact that the user can see the name of
the administrator account. This would break the simple idea of keeping this
name secret.

>> Some of them know these things. I
>> suppose the idea of renaming the administrator's account is to
>> prevent remote users from using a well known name. But if local users
>> see the real (renamed) name, this name gets well known too.
>>
>> Any advice?
>
> Make sure you use good complex passwords and enable auditing. You might
> also be able to remove runas for users if you are good with group policy -
> you could post in a GP group for more help.

Removing 'RunAs' is inconvenient since we need frequently use it while
working in user environment, in order to have administrative rights without
loggin off. We already use strong passowords. Aditing is enable for servers
but disabled for workstations? Should we enable these too?

Finally: is there a way of preventing 'RunAs' to show the name of the local
administrator account?

Rosivaldo.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:%23JmLUXtuFHA.2948@TK2MSFTNGP15.phx.gbl,
Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> escreveu
> na mensagem news:OKWxwphuFHA.908@tk2msftngp13.phx.gbl...
>
>> In news:Om4RJIVuFHA.3720@TK2MSFTNGP14.phx.gbl,
>> Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
>
>>>> Renaming an account isn't a very good way to secure anything. It
>>>> adds maybe two seconds to the time it takes someone to crack the
>>>> system. [1] The real question is, do these users know the
>>>> password? And why are users choosing RunAs anyway?
>
>>> Ok, I'm still learning all of this. :) But some texts in Windows
>>> Help says that is a good idea to rename Administrator's account (a
>>> cracker should first to guess the account name). Is it a futile
>>> advice? What are the best practices on that matter?
>>
>> Well, I don't think it can hurt much, but I don't know that it will
>> stop anyone who really knows their stuff.
>
> After all, is it pointless or not to keep in secret the names of
> administrators accounts? Besides Windows Help, I've already heard from
> security experts that it is a good practice to improve security.

I personally think it's pointless. But it can't hurt if you want to do it.
>
>>>
>>> The users *may* use RunAs. Simply.
>>
>> But not successfully, if they don't know the credentials, right?
>
> Right. But the matter is simply the fact that the user can see the
> name of the administrator account. This would break the simple idea
> of keeping this name secret.

As mentioned, this is not a technique I use - and if I did, I sure wouldn't
rely on it.
>
>>> Some of them know these things. I
>>> suppose the idea of renaming the administrator's account is to
>>> prevent remote users from using a well known name. But if local
>>> users see the real (renamed) name, this name gets well known too.
>>>
>>> Any advice?
>>
>> Make sure you use good complex passwords and enable auditing. You
>> might also be able to remove runas for users if you are good with
>> group policy - you could post in a GP group for more help.
>
> Removing 'RunAs' is inconvenient since we need frequently use it while
> working in user environment, in order to have administrative rights
> without loggin off. We already use strong passowords. Aditing is
> enable for servers but disabled for workstations? Should we enable
> these too?

Yes, I think you should turn on auditing everywhere, but if you're using a
domain and ) don't allow users to know the local admin credentials b) don't
let users log on locally using any account and c) change your local admin
passwords periodically (use complex passwords, 8-char mininum), you are
really not so much at risk

You can also set CMOS passwords, lock the computer cases, don't allow the
machines to boot from anything but the hard drive. And make sure all users
have signed a written computer use policy ("this policy may change without
notice), and perhaps even use a login banner that states "clicking OK
indicates your agreement to abide by company X's written computer use
policy". Then smack anyone who misbehaves.
>
> Finally: is there a way of preventing 'RunAs' to show the name of the
> local administrator account?

Not that I know of. I think you are worrying needlessly, to be honest.




>
> Rosivaldo.
 

TRENDING THREADS