Archived from groups: microsoft.public.windowsxp.security_admin
In news:%23JmLUXtuFHA.2948@TK2MSFTNGP15.phx.gbl,
Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> message news:OKWxwphuFHA.908@tk2msftngp13.phx.gbl...
>
>> In news:Om4RJIVuFHA.3720@TK2MSFTNGP14.phx.gbl,
>> Rosivaldo Fernandes Alves <rfa@jfse.gov.br> typed:
>
>>>> Renaming an account isn't a very good way to secure anything. It
>>>> adds maybe two seconds to the time it takes someone to crack the
>>>> system. [1] The real question is, do these users know the
>>>> password? And why are users choosing RunAs anyway?
>
>>> Ok, I'm still learning all of this. 🙂 But some texts in Windows
>>> Help say that it is a good idea to rename the Administrator account (a
>>> cracker should first have to guess the account name). Is it futile
>>> advice? What are the best practices on that matter?
>>
>> Well, I don't think it can hurt much, but I don't know that it will
>> stop anyone who really knows their stuff.
>
> After all, is it pointless or not to keep the names of
> administrator accounts secret? Besides Windows Help, I've already heard from
> security experts that it is a good practice to improve security.
I personally think it's pointless. But it can't hurt if you want to do it.
>
>>>
>>> The users *may* use RunAs. Simply.
>>
>> But not successfully, if they don't know the credentials, right?
>
> Right. But the matter is simply the fact that the user can see the
> name of the administrator account. This would break the simple idea
> of keeping this name secret.
As mentioned, this is not a technique I use - and if I did, I sure wouldn't
rely on it.
>
>>> Some of them know these things. I
>>> suppose the idea of renaming the administrator's account is to
>>> prevent remote users from using a well known name. But if local
>>> users see the real (renamed) name, this name gets well known too.
>>>
>>> Any advice?
>>
>> Make sure you use good complex passwords and enable auditing. You
>> might also be able to remove runas for users if you are good with
>> group policy - you could post in a GP group for more help.
>
> Removing 'RunAs' is inconvenient since we frequently need to use it while
> working in the user environment, in order to have administrative rights
> without logging off. We already use strong passwords. Auditing is
> enabled for servers but disabled for workstations. Should we enable
> these too?
Yes, I think you should turn on auditing everywhere, but if you're using a
domain and a) don't allow users to know the local admin credentials b) don't
let users log on locally using any account and c) change your local admin
passwords periodically (use complex passwords, 8-char minimum), you are
really not so much at risk.
You can also set CMOS passwords, lock the computer cases, don't allow the
machines to boot from anything but the hard drive. And make sure all users
have signed a written computer use policy ("this policy may change without
notice"), and perhaps even use a login banner that states "clicking OK
indicates your agreement to abide by company X's written computer use
policy". Then smack anyone who misbehaves.
>
> Finally: is there a way of preventing 'RunAs' from showing the name of the
> local administrator account?
Not that I know of. I think you are worrying needlessly, to be honest.
>
> Rosivaldo.
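
An added example, not part of the original thread: a PowerShell check an administrator can run on a workstation to see how little the rename hides and whether the password-rotation and auditing advice above is in place. It assumes Windows PowerShell 5.1 or later (`Get-LocalUser`), an English-language `auditpol.exe`, and a hypothetical 90-day rotation threshold; the built-in Administrator account keeps a SID ending in -500 whatever it is named.

```powershell
# Added example: report on the built-in local Administrator account.
# Assumptions: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module);
# $MaxPasswordAgeDays is a hypothetical policy value, not from the thread.
param([int]$MaxPasswordAgeDays = 90)

function Get-BuiltinAdminReport {
    param([int]$MaxAgeDays)

    # The built-in Administrator keeps relative ID 500 after a rename,
    # so the account is located by SID rather than by name.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    if (-not $admin) { throw 'No local account with RID 500 found.' }

    # PasswordLastSet is empty when the password has never been set.
    $age = if ($admin.PasswordLastSet) {
        [int]((Get-Date) - $admin.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        CurrentName     = $admin.Name
        Renamed         = $admin.Name -ne 'Administrator'
        Enabled         = $admin.Enabled
        PasswordAgeDays = $age
        PasswordStale   = ($null -eq $age) -or ($age -gt $MaxAgeDays)
    }
}

function Get-LogonAuditSetting {
    # Requires an elevated prompt. /r emits CSV; the subcategory name and
    # the setting text are locale-dependent (English assumed here).
    $row = auditpol.exe /get /subcategory:"Logon" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory   = $row.Subcategory
        Setting       = $row.'Inclusion Setting'
        AuditsFailure = $row.'Inclusion Setting' -match 'Failure'
    }
}

Get-BuiltinAdminReport -MaxAgeDays $MaxPasswordAgeDays | Format-List
Get-LogonAuditSetting | Format-List
```

A report with `Renamed : True` still lists the account, which is the point made in the thread: the name is discoverable, so the password, the rotation and the failed-logon auditing carry the protection.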