Educause Security Discussion mailing list archives

Re: Reviewing Security Policy


From: "Sabo, Eric" <Eric.Sabo () CUP EDU>
Date: Thu, 6 Mar 2008 11:16:20 -0500

That article was great! Thanks!

If you do any of these settings via group policy and the machine is
removed from the domain - does it automatically give you access to the
local administrator account once again? Would that be on the first boot?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Thursday, March 06, 2008 11:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Reviewing Security Policy

Here is a good article:
http://www.windowsecurity.com/articles/Protecting-Administrator-Account.html

I agree with Lee.  I would disable and/or rename the administrator
account via GPO, and create local administrator accounts with hard to
guess names and very complex passwords that are different for each
server.  The complex passwords also get your server administrators out
of the habit of logging in to the local accounts.  All default
administrator accounts use the same SID so it is easy for an attacker to
find the default administrator account, even if it is renamed.  You need
some sort of backdoor account in case the system loses domain access.
We have had instances in the past where network reasons prevent servers
from communicating to the DCs, and the only way to resolve it is to
log in with local administrative privileges.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sabo, Eric
Sent: Thursday, March 06, 2008 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Reviewing Security Policy

Both of these methods are on servers.

Do you use group policy to do the rename?

What about desktops?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lee Weers
Sent: Thursday, March 06, 2008 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Reviewing Security Policy

On the systems I manage I rename the local admin account to something
other than Administrator, root, or admin.  On the servers each local
admin account is different for each server.

At another job we disabled the local admin account and created an
account named Backdoor that had local admin privileges.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sabo, Eric
Sent: Thursday, March 06, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Reviewing Security Policy

We are reviewing our current security policy for our Microsoft products.
We use MSBA all the time but we were wondering if there are any better
free tools out there to seek our vulnerabilities in Microsoft products.

How does everyone handle their local admin accounts for their Windows
desktop? We are thinking about disabling the local administrator
account via group policy, has anyone ever attempted to do this?  Are
there any other methods we could use?


Thanks in advance,
Eric Sabo
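
The practices discussed in this thread (rename or disable the built-in account, keep a separate local admin for when the DCs are unreachable) can be checked per host. The PowerShell below is an added example, not code from any poster; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, and the function name `Get-LocalAdminAudit` and its output property names are made up for illustration. It relies on the fact that the built-in Administrator's SID always ends in relative ID 500, whatever the account is called.

```powershell
# Added example, not from the thread. Audits one Windows host against the
# practices discussed above. Assumes Windows PowerShell 5.1+ with the
# built-in Microsoft.PowerShell.LocalAccounts module.

function Get-LocalAdminAudit {
    $localUsers = @(Get-LocalUser)

    # The built-in Administrator keeps relative ID 500 even after a rename,
    # so match on the SID, never on the account name.
    $builtin = $localUsers |
        Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group;
    # using it avoids depending on the group's (localizable) display name.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })

    # Enabled local accounts, other than the built-in one, that hold
    # administrator rights: these still work when no DC is reachable.
    $fallback = @($localUsers | Where-Object {
        $_.Enabled -and
        $adminSids -contains $_.SID.Value -and
        $_.SID.Value -ne $builtin.SID.Value
    })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        BuiltinName      = $builtin.Name
        BuiltinRenamed   = $builtin.Name -ne 'Administrator'
        BuiltinEnabled   = $builtin.Enabled
        FallbackAccounts = $fallback.Name
        HasFallback      = $fallback.Count -gt 0
    }
}

Get-LocalAdminAudit | Format-List
```

Collecting this object from every server and grouping on `FallbackAccounts` shows where the same local admin name is reused across servers.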
