Process running under Administrator account

Discussion in 'Windows Small Business Server' started by Ryan, Sep 16, 2007.

  1. Ryan

    Ryan Guest

    I disabled the administrator account for security reasons. At the same time
    the event log shows failed administrator logon attempts. Attempts repeat
    every 2 to 5 hours. The calling process has PID 944, which I looked up as
    the svchost process.
    This refers to the following services:

    svchost.exe 944 AeLookupSvc, AppMgmt, BITS, Browser, CryptSvc, dmserver,
    EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan,
    RemoteAccess, Schedule, seclogon, SENS, ShellHWDetection, winmgmt, wuauserv

    I cannot find any service that starts with the Administrator account.
    Does someone have any suggestions?
     
    Ryan, Sep 16, 2007
    #1

  2.  
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Sep 16, 2007
    #2

  3. Ryan

    Ryan Guest

    I actually created a second administrator account; should I rename the
    built-in account instead?
     
    Ryan, Sep 16, 2007
    #3
  4. Yup rename it.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Sep 16, 2007
    #4
  5. As Susan said, you need to re-enable it.

    I don't bother to rename the admin account anymore, either. Security by
    obscurity = pretty useless, as anyone trying to hack into your server is
    going after the well-known SID anyway.
     
    Lanwench [MVP - Exchange], Sep 16, 2007
    #5
  6. Ryan

    Ryan Guest

    Thanks, I will enable it again.

     
    Ryan, Sep 16, 2007
    #6
  7. Ryan

    Gregg Hill Guest

    Lanwench,

    You mentioned the well-known SID issue in a reply to someone on 9/1/07 in
    this same newsgroup ("Tracing a break-in attempt"). I asked some more
    questions, but they got missed, so here they are again.

    I did not realize the SID was all that was needed (or is it?). However,
    let's say one has a terminal server with 3389 open to the Internet (I know a
    VPN first or firewall authentication first would help). How does the hacker
    try to get into the TS? Don't they just start with "administrator" and a
    dictionary or other attack? In that case, would not the changing of the
    admin name help?

    How does the "well-known SID" factor into such an attack?

    --
    Gregg Hill

    DISCLAIMER WARNING: the information contained in any reply I make is merely
    an OPINION, one that I hope you will consider when you make a choice as to
    what you will do on your systems or network.

    **No recommendation is to be implied by my OPINION.**

    There, that should cover it!

     
    Gregg Hill, Sep 16, 2007
    #7
  8. Ryan

    kj [SBS MVP] Guest

    Renaming the account does not change the SID. The Administrator SID always
    ends in -500. So, a simple ldap search of the AD sids locates the renamed
    administrator account and provides the account name to target for hacking.

    However, anonymous ldap AD searches are blocked by default in 2003, so now
    an authenticated account needs to make the ldap query (users, computers, or
    services accounts).


     
    kj [SBS MVP], Sep 17, 2007
    #8
  9. Ryan

    Gregg Hill Guest

    So in the case I presented, i.e., a terminal server on 3389, would not the
    changed admin name be of some security benefit?

    It sounds as though the attack mentioned by Lanwench is an attack from the
    LAN, not the WAN.

    Or did I just completely miss the point?

    Gregg Hill

     
    Gregg Hill, Sep 17, 2007
    #9
  10. Anyone who is authenticated as a user (or computer, I think) can do the LDAP
    lookup... meaning, any end user account that's compromised can do this.
     
    Lanwench [MVP - Exchange], Sep 17, 2007
    #10
  11. Ryan

    Gregg Hill Guest

    Lanwench,

    When I first asked this question, it was in a thread about stopping, or
    finding the source of, an attack on the RWW port of SBS. Basically, my
    question was related to that and asked regarding attacks on a terminal
    server's external 3389 port, assuming all other ports are firewalled.

    Under that condition, if an attack took place from the WAN, would not a
    changed admin name be of benefit, requiring a guess of both the name and the
    password, instead of just an attack on "administrator" until a password is
    guessed (assuming one had a weak password)? Am I to understand that an LDAP
    lookup can occur from the WAN with only port 3389 open?

    In other words, obscuring the administrator account by a name change would
    help protect against WAN attacks, correct?

    Gregg Hill

     
    Gregg Hill, Sep 17, 2007
    #11
  12. Ryan

    kj [SBS MVP] Guest

    We probably don't want to go too far down the "how to crack into..." road
    here.

    Your statement is correct within the context, but in practicality, not *all*
    ports but 3389 are going to be blocked. Also 3389 isn't inherently secure by
    itself and likely there are other ways in or methods to suggest the value of
    the renamed administrator.

    Is it a benefit? I wouldn't argue that it wasn't. Perhaps only how much of a
    benefit.

    Admin rename really should be used as a stall / detection mechanism. All the
    other best practices should be in place as well.
     
    kj [SBS MVP], Sep 17, 2007
    #12
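    The thread's two technical points, that the built-in Administrator keeps its RID-500 SID whatever it is named (post #8) and that a rename is best treated as a stall/detection mechanism (post #12), can be checked from the administrator's side with a short script. The following is an added example, not code posted by anyone in this thread: it resolves the RID-500 account of the current domain by SID, reports its current name and enabled state, and then summarises recent failed logons against that name (plus the decoy name "Administrator") by source process and address, which is also the kind of grouping that would have pointed Ryan at the service or task still trying the disabled account. It assumes a domain-joined host, a domain user context, and the Security log event ID 4625 (Windows Server 2008 and later; Server 2003 logs failed logons as event 529 with a different layout, so the property positions below would need to be changed there).

```powershell
# Added example (not from the thread). Assumptions: domain-joined host, run as a
# domain user, Security log uses event 4625 for failed logons (2008+).
# Uses System.DirectoryServices via [ADSI], so RSAT/ActiveDirectory module is not needed.

function Get-BuiltinAdministratorAccount {
    # The domain SID is the objectSid of the domain naming context.
    $root      = [ADSI]"LDAP://RootDSE"
    $domain    = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)

    # Built-in Administrator is always <domainSID>-500, regardless of its sAMAccountName.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid, $domainSid)

    # ADSI supports binding directly by SID.
    $admin = [ADSI]("LDAP://<SID=$($adminSid.Value)>")
    $uac   = [int]$admin.userAccountControl.Value

    [PSCustomObject]@{
        Sid      = $adminSid.Value
        Name     = [string]$admin.sAMAccountName.Value
        Renamed  = ([string]$admin.sAMAccountName.Value -ne 'Administrator')
        Disabled = (($uac -band 0x2) -ne 0)   # ADS_UF_ACCOUNTDISABLE
    }
}

function Get-FailedLogonSummary {
    param(
        [string[]]$TargetNames,
        [int]$Days = 7
    )
    # Event 4625 event-data positions (verify with $event.ToXml() on your own system):
    # 5 = TargetUserName, 10 = LogonType, 17 = ProcessId, 18 = ProcessName, 19 = IpAddress
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events |
        Where-Object { $TargetNames -contains $_.Properties[5].Value } |
        Group-Object {
            '{0}|{1}|{2}|{3}' -f $_.Properties[5].Value, $_.Properties[10].Value,
                                  $_.Properties[18].Value, $_.Properties[19].Value
        } |
        ForEach-Object {
            $parts = $_.Name -split '\|'
            [PSCustomObject]@{
                TargetUser  = $parts[0]
                LogonType   = $parts[1]
                ProcessName = $parts[2]
                IpAddress   = $parts[3]
                Attempts    = $_.Count
                LastSeen    = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            }
        } | Sort-Object Attempts -Descending
}

# Usage
$admin = Get-BuiltinAdministratorAccount
$admin | Format-List

# Watch the real RID-500 name and, once renamed, the decoy name "Administrator":
# failures against the decoy are noise that still deserves a look (stall/detection),
# failures against the real name from a local process point at a stale credential.
Get-FailedLogonSummary -TargetNames @($admin.Name, 'Administrator') -Days 7 | Format-Table -AutoSize
```

    A logon type of 4 (batch) or 5 (service) with a local process name is what a scheduled task or service holding the old credentials looks like; logon type 10 (RemoteInteractive) or 3 (network) from an external address is the Terminal Server case discussed above, and it is where the decoy name earns its keep as an early warning rather than as protection.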