Security Basics mailing list archives

RE: XP admin shares


From: "Schuler, Jeff" <Jeff.Schuler () hit cendant com>
Date: Tue, 10 Dec 2002 14:45:55 -0700

It's a somewhat little-known (though probably well known around here) fact
that renaming the administrator account only buys you a limited increase in
security.

The administrator RID (relative ID) is ALWAYS 500. Even if you rename it,
enumerating the SID for the Domain Users group, changing out the last few
numbers for 500, and re-enumerating the box will quickly reveal the renamed
account as well as what it was renamed to.  This can be done using a tool like
user2sid or sid2user, which will quickly let you know who the Administrator
account really is.

Mike makes a good point about the password here, though, so that does buy you
the increased security.  Better to leave the admin account alone and get a
bulletproof (though none truly are) password.  That way, if you get hit by a
truck, the company you work for isn't sitting there trying to figure out why
their administrator account can't even change the screen saver.  (Though it
would be funny to watch.)

It's important to change the enumeration of accounts, shares, etc., so that
only people with explicit permissions can enumerate them.  Otherwise the
Everyone group has rights to enumerate the SID of any user on your box.

A truly secure box is a powered down box, locked in a safe, guarded by
dogs!!!  :)

Seriously though, I'm of the opinion that it's important to lock down the
network access to the box so that people cannot even query the info.  If
someone can enumerate your user accounts, then they have a good list of
people's accounts to social engineer from.
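The RID-500 lookup Jeff describes, done against the local SAM from PowerShell. This is an added example, not part of Jeff's message and not the user2sid/sid2user tools he names; it assumes PowerShell 2.0 or later on the box being checked (XP SP3 upward) and that the caller can read the local SAM. The function names are mine.

```powershell
# Added example: locate the built-in Administrator account by its fixed RID (500),
# whatever it has been renamed to. Two routes are shown: enumerating local accounts
# and matching the RID, and rebuilding the SID from the machine SID prefix.
# Assumes PowerShell 2.0+ with WMI available (XP SP3 and later).

function Get-AdminByRidEnumeration {
    # Route 1: enumerate local accounts and pick the one whose SID ends in -500.
    # Renaming changes Name; it never changes the SID.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -match '-500$' } |
        Select-Object Name, SID, Disabled
}

function Get-AdminByRidSubstitution {
    # Route 2: take the SID of any local account, strip its RID, append 500 and
    # translate the result back to a name (the user2sid / sid2user trick).
    $anyLocal = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Select-Object -First 1
    $anySid = New-Object System.Security.Principal.SecurityIdentifier($anyLocal.SID)
    # AccountDomainSid is S-1-5-21-<a>-<b>-<c>: the machine SID without a RID.
    $machineSid = $anySid.AccountDomainSid.Value
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier("$machineSid-500")
    $adminSid.Translate([System.Security.Principal.NTAccount]).Value
}

"Enumeration route:"
Get-AdminByRidEnumeration | Format-Table -AutoSize
"Substitution route: $(Get-AdminByRidSubstitution)"
```

Both routes print the current name of RID 500 even after it has been renamed, which is Jeff's point. Locally this needs no special privilege; what stops the same trick being run from the network by an anonymous (null-session) caller is the RestrictAnonymous family of settings he goes on to recommend.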

-----Original Message-----
From: Mike Cole [mailto:ColeM () ohca state ok us] 
Sent: Monday, December 09, 2002 12:38 PM
To: security-basics () securityfocus com
Subject: RE: XP admin shares

Leon,

What you can do is secure the built-in accounts (which constitute much
greater than average targets of attack) by going to the Control Panel,
Administrative Tools, Computer Management, System Tools, Local Users and
Groups, then Users: 

- Rename the default Administrator account to an inconspicuous name,
change the account description to "User account," and enter a very long
(up to 104 characters) and as difficult-to-guess a password as possible.
Record the password on a piece of paper that you place in an extremely
secure location, e.g., in your wallet or purse. Do not share this
password with anyone else, and do not leave the slip of paper on which
the password is written where anyone else might see it. Use the built-in
Administrator account, which in Windows XP (as in Windows 2000) does not
lock after excessive bad logon attempts, only for emergency access. 

- Create one additional account that is a member of the Administrators
group for yourself and another for each person who needs to administer
your system. Create an unprivileged account for each Administrator,
also. Use the unprivileged account when you are engaged in normal
activities such as web surfing, obtaining ftp access, and downloading
mail. Use the privileged account only when you are performing system
administration tasks. 

- Create a new, unprivileged account named "Administrator," a decoy
account designed to deflect attacks aimed at gaining unauthorized access
to the Administrator account. Ensure that this account is in only the
Guests group. Enter the description of "Built-in account for
administering the system" (even though this is not true). Inspect your
Event Logs often to determine whether people are trying to log on to this
account.


Michael
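Mike's account layout, scripted as an added example (it is not Mike's own procedure, which is point-and-click in Computer Management). It uses the ADSI WinNT provider, available on XP, and assumes it is run from an Administrators-member session on the box itself. The account names, the renamed admin name and the placeholder passwords are made up for illustration and must be replaced; the helper function is mine.

```powershell
# Added example: script Mike's account layout on a local XP box via ADSI (WinNT provider).
# Run as a member of Administrators. Names and passwords below are placeholders.
# Detail the post does not mention: new local accounts land in Users by default,
# so the decoy is explicitly moved to Guests only.

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$admins   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$users    = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
$guests   = [ADSI]"WinNT://$env:COMPUTERNAME/Guests,group"

function New-LocalAccount([string]$Name, [string]$Password, [string]$Description) {
    $u = $computer.Create("User", $Name)
    $u.SetPassword($Password)
    $u.SetInfo()
    $u.Put("Description", $Description)
    $u.SetInfo()
    return $u
}

# Step 1: relabel and rename the real built-in Administrator (RID 500).
# Read-Host -AsSecureString keeps the long emergency password out of the script and history.
$builtin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$secure  = Read-Host -AsSecureString "Long emergency password for the built-in admin"
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$builtin.SetPassword($plain)
$builtin.Put("Description", "User account")
$builtin.SetInfo()
$builtin.psbase.Rename("svc_inventory")   # placeholder: pick an inconspicuous name

# Step 2: a privileged and an unprivileged account for each administrator.
$adminAcct = New-LocalAccount "jdoe-adm" "Placeholder-Pw-1" "Administration only"
$admins.Add($adminAcct.Path)
$dailyAcct = New-LocalAccount "jdoe" "Placeholder-Pw-2" "Daily use (web, mail, ftp)"

# Step 3: the decoy "Administrator", a member of Guests and nothing else.
# The description string below is XP's stock one; Mike's post paraphrases it.
$decoy = New-LocalAccount "Administrator" "Placeholder-Pw-3" "Built-in account for administering the computer/domain"
if ($users.IsMember($decoy.Path)) { $users.Remove($decoy.Path) }
$guests.Add($decoy.Path)

# Step 4: watch the Security log for failed logons against the decoy.
# 529 = bad name/password on XP; 4625 is the Vista+ equivalent.
Get-EventLog -LogName Security -InstanceId 529, 4625 -Newest 500 |
    Where-Object { $_.Message -match 'User Name:\s+Administrator|Account Name:\s+Administrator' } |
    Select-Object TimeGenerated, InstanceId
```

Step 4 only shows anything if failure auditing for logon events is turned on in Local Security Policy (Audit Policy, "Audit logon events: Failure"); XP does not audit failed logons out of the box. The built-in account keeps its RID even after the rename, so the decoy does nothing against an attacker who resolves RID 500 as in Jeff's reply; it catches the ones who go by name.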

|-----Original Message-----
|From: Leon Pholi [mailto:L.Pholi () secureinteractive com]
|Sent: Sunday, December 08, 2002 6:28 PM
|To: security-basics () securityfocus com
|Subject: XP admin shares
|
|Hi everyone,
|
|Just a quick one, does anyone know how to stop the default administrative
|file shares in Win XP (professional edition)? One would think this would be
|a standard part of locking down a box, but can't find much on it for XP.
|
|You can do it through Computer Management but they'll be re-enabled at
|reboot, and the Win2k key of
|HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks
|doesn't seem to exist. Any ideas?
|
|Thanks,
|Leon
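The two registry-level lockdowns the thread discusses, as one added PowerShell example that is not code posted by Jeff, Mike or Leon: restricting anonymous enumeration of accounts and shares (Jeff's point) and stopping the administrative shares from returning at reboot (Leon's question). It assumes an Administrators-member session on the XP box. The value names and their meanings are Microsoft's; the helper name is mine. AutoShareWks is absent on a stock XP install, which is why Leon could not find it: it has to be created, not edited.

```powershell
# Added example: persistently restrict anonymous enumeration (Lsa values) and stop the
# administrative shares from being recreated at service start (AutoShareWks).
# Run from an Administrators-member session on the XP box.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Set-ItemProperty creates a missing registry value, so this works whether or not
# the value already exists (AutoShareWks does not on a stock XP install).
function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# Jeff's point: null-session callers must not be able to list accounts or shares.
#   RestrictAnonymous         1 -> no anonymous enumeration of SAM accounts and shares
#   RestrictAnonymousSAM      1 -> no anonymous enumeration of SAM accounts (XP default)
#   EveryoneIncludesAnonymous 0 -> anonymous callers do not inherit Everyone's rights
Set-Dword $lsa 'RestrictAnonymous'         1
Set-Dword $lsa 'RestrictAnonymousSAM'      1
Set-Dword $lsa 'EveryoneIncludesAnonymous' 0

# Leon's question: AutoShareWks=0 stops the Server service creating C$, D$, ADMIN$
# when it starts (AutoShareServer is the equivalent on server SKUs). IPC$ is not
# governed by this value and stays.
Set-Dword $lanman 'AutoShareWks' 0

# Drop the admin disk shares that already exist (Type 0x80000000 = administrative
# disk share; shares you created yourself are Type 0 and are left alone), then
# restart the Server service so it re-reads the parameter now rather than at reboot.
Get-WmiObject -Class Win32_Share -Filter "Type=2147483648" |
    ForEach-Object { [void]$_.Delete() }
Restart-Service -Name LanmanServer -Force

# Verify: only IPC$ and your own shares should remain, and the values should read back.
Get-WmiObject -Class Win32_Share | Select-Object Name, Path, Type
Get-ItemProperty -Path $lsa -Name RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous
Get-ItemProperty -Path $lanman -Name AutoShareWks
```

Two caveats before rolling this out: RestrictAnonymous=1 breaks anything that relies on null sessions (some legacy browsing and management tools), so test it on one box first; and removing ADMIN$ and C$ also removes what remote administration tools such as psexec-style utilities and some backup agents depend on, which is the trade-off Leon is asking to make.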
