Friday 14 September 2007

SBS - Post Install - Rename that Administrator Account

There are a number of arguments we have heard over the years about "Security by Obscurity" not working.

In some cases, such as moving ports about, this may be true. A port scanner can run the full 65K+ ports in very short order.

In the case of renaming the administrator account, this is not the case. At least, we haven't heard a convincing argument for not renaming the account yet. In our experience, there are many circumstances in life where one can discover that "Security by Obscurity" does indeed work.

So, we change the name of the admin account on all of our SBS installations. We do this in two tiers: the Group Policy Object (GPO) that makes the change sits at the domain level, and a second, enforced GPO at the workstation level changes the name again.

Here is a screenshot of a GPO we create by default on all of our SBS installs:

Default Domain Security Policy

As you can see, there are a number of settings that we enable by default to tighten things down. This particular screenshot is of one of our TechNet Plus SBS lab setups.

In this case, we set the default domain admin account to be renamed to: technetadm1n

In our case, we tailor the admin account to our client's circumstances. Of course, we never use their company name, or a portion of their company name, for the changed admin account.

One of the objections heard to renaming the account is that it is public. To mitigate this aspect, we create a workstation level GPO:

SBSComputers Security Policy

After creating the GPO, we right-click on it, as in the screenshot, and click on "Enforced". Thus, any settings in the SBSComputers Security Policy that are different from the domain level settings will take precedence.

In this case, we make the following change in the SBSComputers Security Policy:

Rename administrator account: "Administrator"

In this example, we change it back to the default, which causes the Local Admin Account to be set back to being named Administrator. That would be the name to use to log on to the local machine with local admin rights.

One could also set an alternative name for the local administrator depending on the client situation.
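To confirm which of the two GPOs won on a given workstation, the check below (an added example, not part of the original post) reads the effective "Rename administrator account" value from the local security policy and compares it with the actual name of the built-in account, which it locates by its well-known RID 500 so the lookup works whatever the account is called. It assumes an elevated PowerShell 3.0+ session on a workstation; the `$ExpectedName` parameter and the temp file name are illustrative.

```powershell
# Added example: run elevated on a workstation in the SBSComputers scope.
param(
    # Name the enforced workstation-level GPO should leave in place
    # (the post's example sets it back to "Administrator").
    [string]$ExpectedName = 'Administrator'
)

# 1. Export the effective local security policy and read the rename setting.
#    secedit writes the value as: NewAdministratorName = "SomeName"
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # illustrative file name
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

$policyName = $null
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*NewAdministratorName\s*=\s*"?([^"]*)"?\s*$') {
        $policyName = $Matches[1]
        break
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 2. Find the built-in administrator by SID (machine SID + RID 500),
#    independent of whatever name policy has given it.
$builtin = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' }

# 3. Report both views; they should agree with each other and with the
#    name the workstation-level GPO is meant to enforce.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PolicyName      = $policyName
    AccountName     = $builtin.Name
    AccountDisabled = $builtin.Disabled
    MatchesExpected = ($policyName -eq $ExpectedName) -and
                      ($builtin.Name -eq $ExpectedName)
}
```

If `MatchesExpected` is false after a `gpupdate /force` and reboot, check that the workstation GPO is still marked "Enforced" and that the computer object sits in the container the GPO is linked to.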

With the ability to assign user management privileges to an on-site person via the "Power User" account level, there is no reason for anyone to know the admin account access other than the company's partners or contact partner, and us, the supporting I.T. organization.

And, to conclude, the argument we use: If one can't first find the door, how can one pick the lock?

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.
