Security Basics mailing list archives
RE: XP admin shares
From: "Schuler, Jeff" <Jeff.Schuler () hit cendant com>
Date: Tue, 10 Dec 2002 14:45:55 -0700
It's a somewhat little-known (though probably well known around here) fact that renaming the administrator account only buys you a limited increase in security. The administrator RID (relative ID) is ALWAYS 500. Even if you rename it, enumerating the SID for the Domain Users group, changing out the last few numbers with 500, and re-enumerating the box will quickly reveal the renamed account as well as what it was renamed to. Using a tool like user2sid or sid2user will quickly let you know who the Administrator account really is. Mike makes a good point about the password here though, so that does buy you the increased security. Better to leave the admin account alone and get a bulletproof (though none truly are) password. That way if you get hit by a truck the company you work for isn't sitting there trying to figure out why their administrator account can't even change the screen saver. (Thought it would be funny to watch.)

It's important to change the enumeration of accounts, shares, etc. so that only people with explicit permissions can enumerate them. Otherwise the Everyone group has rights to enumerate the SID of any user on your box.

A truly secure box is a powered down box, locked in a safe, guarded by dogs!!! :) Seriously though, I'm of the opinion that it's important to lock down the network access to the box so that people cannot even query the info. If someone can enumerate your user accounts, then they have a good list of people's accounts to social engineer from.
-----Original Message-----
From: Mike Cole [mailto:ColeM () ohca state ok us]
Sent: Monday, December 09, 2002 12:38 PM
To: security-basics () securityfocus com
Subject: RE: XP admin shares

Leon,

What you can do is secure the built-in accounts (which constitute much greater than average targets of attack) by going to the Control Panel, Administrative Tools, Computer Management, System Tools, Local Users and Groups, then Users:

- Rename the default Administrator account to a nonconspicuous name, change the account description to "User account," and enter a very long (up to 104 characters) and as difficult-to-guess a password as possible. Record the password on a piece of paper that you place in an extremely secure location, e.g., in your wallet or purse. Do not share this password with anyone else and do not leave the slip of paper on which the password is written where anyone else might see it. Use the built-in Administrator account, which in Windows XP (as in Windows 2000) does not lock after excessive bad logon attempts, only for emergency access.

- Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator, also. Use the unprivileged account when you are engaged in normal activities such as web surfing, obtaining ftp access, and downloading mail. Use the privileged account only when you are performing system administration tasks.

- Create a new, unprivileged account named "Administrator," a decoy account designed to deflect attacks designed to give unauthorized access to the Administrator account. Ensure that this account is in only the Guest group. Enter the description of "Built-in account for administering the system" (even though this is not true). Inspect your Event Logs often to determine whether people are trying to logon to this account.

Michael

|-----Original Message-----
|From: Leon Pholi [mailto:L.Pholi () secureinteractive com]
|Sent: Sunday, December 08, 2002 6:28 PM
|To: security-basics () securityfocus com
|Subject: XP admin shares
|
|Hi everyone,
|
|Just a quick one, does anyone know how to stop the default administrative file shares in Win XP (professional edition)? One would think this would be a standard part of locking down a box, but I can't find much on it for XP.
|
|You can do it through Computer Management but they'll be re-enabled at reboot, and the Win2k key of HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks doesn't seem to exist. Any ideas?
|
|Thanks,
|Leon
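The three points raised in this thread (the RID-500 account keeps its identity whatever it is named, anonymous enumeration should be restricted, and the AutoShareWks value controls whether the admin shares come back at reboot) can be audited from the local console. The script below is an added example, not from any of the posters; it assumes an elevated PowerShell 5.1 session on a current Windows host (Get-LocalUser and Get-SmbShare did not exist on XP, but the registry values it reads are the same ones the thread discusses).

```powershell
# Added example: audit local admin-account, enumeration and admin-share settings.
# Assumes an elevated PowerShell 5.1+ session on a current Windows host.

# 1. The built-in Administrator account is whichever local account carries
#    RID 500, regardless of the name it currently shows.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"RID-500 account is named '$($builtin.Name)' (enabled: $($builtin.Enabled))"

# 2. If a decoy account literally named 'Administrator' exists, it must not be
#    the RID-500 account and must not be a member of Administrators.
$decoy = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
if ($decoy -and $decoy.SID.Value -notlike '*-500') {
    $inAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $decoy.SID }
    "Decoy 'Administrator' present; member of Administrators: $([bool]$inAdmins)"
}

# 3. Anonymous enumeration of accounts and shares (the SID-walking concern).
#    RestrictAnonymous 1 or 2 and RestrictAnonymousSAM 1 are the restrictive values.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"RestrictAnonymous    = $($lsa.RestrictAnonymous)"
"RestrictAnonymousSAM = $($lsa.RestrictAnonymousSAM)"

# 4. Administrative shares: the registry switch from the thread, and the
#    special (admin) shares the Server service is actually offering now.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$srv = Get-ItemProperty $lanman
if ($null -eq $srv.AutoShareWks) {
    "AutoShareWks is not set (default: admin shares are recreated at reboot)"
} else {
    "AutoShareWks = $($srv.AutoShareWks) (0 = admin shares not recreated at reboot)"
}
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path

# Remediation for point 4: create the DWORD value the thread names, set to 0.
# Commented out so the audit is read-only; takes effect after the Server
# service restarts.
# New-ItemProperty -Path $lanman -Name AutoShareWks -PropertyType DWord -Value 0 -Force
```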