Tracing a break-in attempt

  • Thread starter: Tom Del Rosso
Re: Tracing a break-in attempt

You hit it, SBS seems special from top to bottom!

Why You Should Disable the Administrator Account
http://www.microsoft.com/technet/technetmag/issues/2006/01/SecurityWatch/

This list needs to be considered in every environment. For instance, if you
run Microsoft Small Business Server (SBS), you need the built-in
Administrator account. That account is used by the OS after installation.
SBS 2003 Service Pack 1 also will only apply properly if you run it as the
built-in Administrator.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Dave the Clueless" <dave@atrbiotech.com> wrote in message
news:1188414034.215012.321790@19g2000hsx.googlegroups.com...
> On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
>> Hello,
>>
>> For best security, the administrator password would be renamed and
>> disabled.
>> Each administrator would have two accounts:
>> -a standard user one for daily tasks (mail/web...)
>> -an administrator account (a different one for each admin)
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Anthony" <anthony.s...@spammedout.com> wrote in message
>>
>>

>
> AFAIK, renaming the Administrator account in SBS is just begging for
> trouble.
>
> Dave
>
 
Re: Tracing a break-in attempt

I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key word
here, but it has been that way for three years.

Gregg Hill



"Dave the Clueless" <dave@atrbiotech.com> wrote in message
news:1188414034.215012.321790@19g2000hsx.googlegroups.com...
> On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
>> Hello,
>>
>> For best security, the administrator password would be renamed and
>> disabled.
>> Each administrator would have two accounts:
>> -a standard user one for daily tasks (mail/web...)
>> -an administrator account (a different one for each admin)
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Anthony" <anthony.s...@spammedout.com> wrote in message
>>
>>

>
> AFAIK, renaming the Administrator account in SBS is just begging for
> trouble.
>
> Dave
>
 
Re: Tracing a break-in attempt

"Gregg Hill" <bogus@nowhere.com> wrote in message
news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
> word here, but it has been that way for three years.


I think he meant SBS doesn't like disabling the account and creating another
one with a different RID. Just changing the logon name seems ok.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Gregg Hill" <bogus@nowhere.com> wrote in message
> news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
>> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
>> word here, but it has been that way for three years.

>
> I think he meant SBS doesn't like disabling the account and creating
> another one with a different RID. Just changing the logon name seems
> ok.


Perhaps it's been fixed now, but there was definitely a bug in SBS wherein
the Administrator name was hard-coded into some buried components of
Monitoring & Reporting, which prevented it from reinstalling properly.
Worked on the problem for *ages* with a level 2 PSS dude until we figured
that out. I no longer bother with such security by obscurity. I don't see
the point anyway; anyone who's trying to get in is just looking for that
well-known SID anyway. You'd only be fending off the completely inept.
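
Added example (not part of the original thread or any poster's code): the well-known SID point above, written as a small account audit. The built-in Administrator account keeps a SID ending in RID 500 after a rename, so the audit finds it by RID rather than by name; the account names and SIDs below are constructed sample data.

```python
import re

# S-1-5-21-<three domain/machine sub-authorities>-<RID>: an account SID.
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
BUILTIN_ADMIN_RID = 500  # fixed RID of the built-in Administrator account


def rid_of(sid):
    """Return the RID of an account SID, or None if it is not S-1-5-21-...-RID."""
    m = ACCOUNT_SID.match(sid.strip())
    return int(m.group(4)) if m else None


def audit_builtin_admin(accounts):
    """Locate the built-in Administrator by RID, whatever its logon name is."""
    findings = []
    for acct in accounts:
        if rid_of(acct["sid"]) != BUILTIN_ADMIN_RID:
            continue
        renamed = acct["name"].lower() != "administrator"
        findings.append({
            "name": acct["name"],
            "renamed": renamed,
            "enabled": not acct["disabled"],
            # A rename changes only the logon name; the SID still ends in -500.
            "note": ("renamed, still identifiable by RID 500" if renamed
                     else "default name and RID 500"),
        })
    return findings


# Constructed sample export: names and SIDs are made up for this example.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE = [
    {"name": "svc-root", "sid": DOMAIN + "-500", "disabled": False},
    {"name": "Guest", "sid": DOMAIN + "-501", "disabled": True},
    {"name": "jsmith", "sid": DOMAIN + "-1105", "disabled": False},
    {"name": "jsmith-adm", "sid": DOMAIN + "-1106", "disabled": False},
]

if __name__ == "__main__":
    for f in audit_builtin_admin(SAMPLE):
        print(f)
```
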
 
Re: Tracing a break-in attempt

Good points. I did not realize the SID was all that was needed (or is it?).
However, let's say one has a terminal server with 3389 open to the Internet
(I know a VPN first or firewall authentication first would help). How does
the hacker try to get into the TS? Don't they just start with
"administrator" and a dictionary or other attack?

Gregg Hill




"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:%23Y4ZdkL7HHA.3528@TK2MSFTNGP04.phx.gbl...
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> "Gregg Hill" <bogus@nowhere.com> wrote in message
>> news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
>>> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
>>> word here, but it has been that way for three years.

>>
>> I think he meant SBS doesn't like disabling the account and creating
>> another one with a different RID. Just changing the logon name seems
>> ok.

>
> Perhaps it's been fixed now, but there was definitely a bug in SBS wherein
> the Administrator name was hard-coded into some buried components of
> Monitoring & Reporting, which prevented it from reinstalling properly.
> Worked on the problem for *ages* with a level 2 PSS dude until we figured
> that out. I no longer bother with such security by obscurity. I don't see
> the point anyway; anyone who's trying to get in is just looking for that
> well-known SID anyway. You'd only be fending off the completely inept.
>
 