Windows Vista Tips


Rename Administrator Account

 
 
Steve

 
      05-09-2006
I would like to:
1. Rename the builtin administrator account
2. Create an account for administrators under a different name than
administrator
3. Change the builtin administrator SID because hackers would look for it
even if the account name was changed
4. Create a dummy administrator account as a honeypot and audit it for
attempts to get in it.

I read that this was a good security measure. Can anyone direct me to a
step by step or post one?
--
Thanks, Steve
 
 
 
 
 
Miha Pihler [MVP]

 
      05-09-2006
Hi Steve,

A useful piece of information would be where you plan to deploy these changes.
On a standalone computer? In a domain? On all member computers? What operating
systems do you intend to deploy these changes on?

While I believe it is useful to rename the administrator account -- it has
limited effect. As you wrote, all administrator accounts (like all other
built-in objects, e.g. accounts and groups) have well-known SIDs. Now these
SIDs can't be changed and you can't delete built-in accounts and groups
(e.g. the administrator account).

Your firewall should protect your network in a manner that prevents any
criminals from using tools like SID2User and User2SID from the Internet. Still,
these tools can be used on the LAN. Now you also have to think about how likely
it is that a hacker will have physical access to your LAN and how to keep them
away from such access.

So what to do? Rename the administrator account (to e.g. Bob) and create a new
account with the username "administrator". Now disable this new administrator
account and monitor the event logs for any attempts at usage.
Note - any services or applications running with the administrator account will
stop working once you change the administrator account to e.g. "bob" unless you
modify them to use the new name (not recommended) or use a different account
with appropriate permissions.


On Windows XP and Windows Server 2003 you can even disable the built-in
Administrator account if you want to go to that length. While this account
is disabled -- it will still work in e.g. safe mode.
What I usually do in environments that require high security is deploy Smart
Cards. Then the built-in administrator account and all other accounts with
domain administrator permissions are set in a way that one can only log on
with these accounts using smart cards.

I am not sure which guide you read, but personally I really like this one.

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/sec...hg/sgch00.mspx

Among other things -- changes suggested in this article will keep you
supportable by Microsoft PSS -- in case you run into some problems. I saw
a few guides that suggested changes that would make your computers
(environment) unsupportable.

--
Mike
Microsoft MVP - Windows Security
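
The two points made in this reply (a rename leaves the well-known SID untouched, and a disabled decoy named "administrator" is worth watching) can be checked together. The following is an added example, not part of the original post: the domain identifier, account names, RIDs 1105/1106, source addresses and log records are all constructed sample values.

```python
import struct

DOMAIN = (21, 1111111111, 2222222222, 3333333333)  # constructed domain identifier
# Constructed binary SID of the built-in Administrator (RID 500) in that domain.
ADMIN_SID_RAW = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", *DOMAIN, 500)

def sid_to_string(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then that many 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    head = ["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))]
    return "-".join(head + [str(s) for s in subs])

def is_builtin_admin(sid):
    """True for S-1-5-21-<domain>-500, whatever the account is named."""
    parts = sid.split("-")
    return len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"] and parts[7] == "500"

def audit(accounts, events, decoy_name="administrator"):
    """Return (names holding RID 500, decoy setup problems, events aimed at the decoy)."""
    real = [a["name"] for a in accounts if is_builtin_admin(a["sid"])]
    problems = []
    for a in accounts:
        if a["name"].lower() != decoy_name:
            continue
        if is_builtin_admin(a["sid"]):
            problems.append("built-in account still has the default name")
        elif a["enabled"]:
            problems.append("decoy account is enabled")
    hits = [e for e in events if e["target"].lower() == decoy_name]
    return real, problems, hits

PREFIX = "S-1-5-21-1111111111-2222222222-3333333333-"
ACCOUNTS = [  # constructed: renamed built-in account, disabled decoy, ordinary user
    {"name": "Bob", "sid": sid_to_string(ADMIN_SID_RAW), "enabled": True},
    {"name": "administrator", "sid": PREFIX + "1105", "enabled": False},
    {"name": "jsmith", "sid": PREFIX + "1106", "enabled": True},
]
EVENTS = [  # constructed failed-logon records (529/531 are Server 2003 event IDs)
    {"event_id": 531, "target": "Administrator", "source": "10.0.0.23"},
    {"event_id": 531, "target": "administrator", "source": "10.0.0.23"},
    {"event_id": 529, "target": "jsmith", "source": "10.0.0.40"},
]

if __name__ == "__main__":
    print(audit(ACCOUNTS, EVENTS))
```

On a live system the account list and the events would come from the directory and the Security log; the sample records stand in for both.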
 
SteveP

 
      05-09-2006
Hello, Miha:

You are a big help. Your link is for an interesting article I had not seen.

My changes are to be made to a 2003 Standard Server network with active
directory (of course). I got the tip from a TechNet Article titled "19 Smart
Tips for Securing Active Directory" and I thought they were a good idea.

May I ask how to change the builtin administrator SID, which is recommended
along with changing its name?
--
Thanks, Steve

 
Miha Pihler [MVP]

 
      05-09-2006
Hi,

As mentioned in my first reply, you can't change SIDs.

I checked the article -- it doesn't suggest anywhere to change the SID. It says
to rename the account, but the article -- just as I did -- also states that
renaming the account has limited security effect since the SID will always be
500 for the administrator account.

--
Mike
Microsoft MVP - Windows Security
 
SteveP

 
      05-09-2006
OK. Sorry I missed that. I have been reading the article you suggested and
it is excellent. Thank you very much. There is so much to learn.
--
Thanks, Steve