

Confused by Microsoft security recommendation

By toreador ·
I was reading some of Microsoft's security documents the other day and came across a statement that made no sense to me so I thought I would open this up to discussion with this group.

Suggestion from Microsoft:

Eliminate the dreaded "Administrator" account. These accounts, whether local or domain, allow administrators to anonymously run amok across your network. You see something suspicious in a log and you know only that "Administrator" made some change, not who actually did the work. (It also indicates an unskilled attacker, someone who forgot to eliminate evidence from the log.) Remove potential anonymous attack vectors by doing this with all your various "Administrator" accounts:

1. Line up all your administrators in front of a computer. Have a corporate auditor join the line at the end.

2. Open the account properties and start to change the password.

3. Tell each of your administrators to enter four or five characters, thus contributing a portion of the password.

4. After every administrator has entered a portion, have the auditor contribute the last set of characters and save this new password.

5. Disable the account.

With this procedure you've practically eliminated the ability for a rogue administrator to act anonymously. You don't need this account for anything, and now you've contrived a situation which requires devious administrators plus a corrupt auditor to collude in an attack. The chance of that happening is slim indeed; if it were, I'd guess that at least one of them is playing a double-agent. If you can't trust your administrators, it's certain that they themselves have little, if any, trust of each other!

/End suggestion from Microsoft

I hope someone can explain the logic of this to me. I do not see how lining up the admins and each contributing part of a password would do anything to stop a rogue admin. Anyone who is an administrator can enable the account, change the password and do their dirty deeds, cleaning up the logs after they are done. If I am missing something please educate me. Thanks!
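The quoted procedure, as an added PowerShell example that is not part of the original post or of the Microsoft text it quotes. It does for a local machine what steps 2 to 5 describe: give the built-in Administrator account a password nobody knows in full (here a random one that nobody sees at all, instead of the line-of-admins ceremony) and disable it. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows with the Microsoft.PowerShell.LocalAccounts module; the function names are this example's own. Domain accounts would use Set-ADAccountPassword and Disable-ADAccount from the ActiveDirectory module instead.

```powershell
# Added example (not from the original post or the quoted Microsoft text).
# Locks down the built-in local Administrator account: identify it by its
# well-known RID 500, set a random password that no one ever sees, disable it.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows
# with the Microsoft.PowerShell.LocalAccounts module. Function names are
# this example's own.

function Get-BuiltinAdministrator {
    # Match on the SID, not the name: the account keeps RID 500 even if it has
    # been renamed, and a decoy account named "Administrator" would not match.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function New-RandomPassword {
    param([int]$Length = 64)
    # 64-symbol alphabet, so masking each random byte to 6 bits gives an
    # unbiased pick. Drawn from the OS CSPRNG and never displayed or logged.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Invoke-BuiltinAdminLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'No RID-500 account found on this machine.' }

    # Refuse to lock yourself out: some other member of Administrators must
    # exist first (each admin needs a personal account before this step).
    $otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -notmatch '-500$' }
    if (-not $otherAdmins) {
        throw 'No other member of Administrators; add personal admin accounts first.'
    }

    $secret = ConvertTo-SecureString -String (New-RandomPassword -Length 64) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($admin.Name, 'Set random password and disable')) {
        Set-LocalUser -Name $admin.Name -Password $secret
        Disable-LocalUser -Name $admin.Name
    }
    # Return the resulting state so the change can be recorded.
    Get-LocalUser -Name $admin.Name | Select-Object Name, SID, Enabled, PasswordLastSet
}

# Preview first, then apply:
# Invoke-BuiltinAdminLockdown -WhatIf
# Invoke-BuiltinAdminLockdown
```

Two design points: the account is found by SID rather than by the name "Administrator", because the built-in account may already have been renamed, and the function refuses to run unless at least one other member of the Administrators group exists, which is the step the quoted procedure leaves out. None of this stops another administrator from running Enable-LocalUser and resetting the password again; it only ensures that whoever does so has to do it from a named account.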





by jbaker In reply to Confused by Microsoft sec ...

Are you positive that recommendation came from Microsoft? The password thing makes no sense, as you pointed out, but the rest of it does. I have seen that same basic thing here, without the password nonsense.


They forgot to mention ...

by stress junkie In reply to Confused by Microsoft sec ...

... that you should first create some fully privileged account to replace the function of the Administrator account. Maybe they want you to put each admin's "personal" account in the Administrator group. That isn't mentioned.

Overall I think that it is a good idea. Generally hackers can depend on at least one user account to exist on a Windows machine. That account is the Administrator account. If that account is disabled then the hacker doesn't know any account names. This creates one more hurdle for the hacker to overcome, so it is a good idea.


I agree...somewhat

by toreador In reply to They forgot to mention .. ...

I agree with your comment that disabling this account will make it harder for a hacker; any outside-facing server should have the admin account renamed and disabled. But... this article is about trusting your administrators and has nothing to do with hackers. The technique they describe, to me, is utterly worthless because any of the admins can re-enable the account and change the password.


It sounds like it isn't to keep out hackers, but keep out admins...

by jmgarvin In reply to They forgot to mention .. ...

So your admins must use their own admin account because the administrator account is disabled... fine... but if you trust your staff so little, why are they there!!??

Also, it isn't hard for any member of the admin group to reset the admin password and use the account...

Am I missing something?


My point exactly

by toreador In reply to It sounds like it isn't t ...

That is my point also. If I found out that my boss did not trust me I would start looking for a new job. If I did not trust a junior admin I would recommend that they be replaced.

If this funky MS password recommendation is a suggested security procedure, what will keep any of your administrators from resetting the password and destroying data, etc.? I cannot see the value in this recommendation and was wondering if I was missing something.


Easier Solution

by BFilmFan In reply to Confused by Microsoft sec ...

If you trust your staff so little, fire them and hire new staff.

There are much easier ways to protect corporate data, such as LOGGING events on a network.


It seems their logic is...

by Koke In reply to Easier Solution

It looks like that if the fairly anonymous "administrator" account is disabled, with correct logging, any changes made in the future would be marked with an admin's username.
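The logging point made in this reply, as an added PowerShell example that is not part of the original thread: with the built-in account disabled, re-enabling it or resetting its password is still easy for any administrator, but the Security log records which personal account did it. The script flags those events for the RID-500 account and names the actor. It assumes the standard Security-log event IDs for user account management (4722 enabled, 4724 password reset, 4725 disabled, 4738 changed) and that "Audit User Account Management" is enabled on the machine; the function names are this example's own, and the sample records at the bottom are constructed for the demo.

```powershell
# Added example (not from the original thread). Reports who tampered with the
# built-in Administrator account using Security-log account-management events.
# Event IDs are the standard ones: 4722 enabled, 4724 password reset attempted,
# 4725 disabled, 4738 changed. Sample records below are constructed, not real.
# Function names are this example's own.

$TamperEvents = @{
    4722 = 'account enabled'
    4724 = 'password reset attempted'
    4725 = 'account disabled'
    4738 = 'account changed'
}

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into the EventData fields the audit needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            Id              = $Event.Id
            SubjectUserName = $data['SubjectUserName']   # who performed the action
            TargetUserName  = $data['TargetUserName']    # account acted upon
            TargetSid       = $data['TargetSid']
        }
    }
}

function Find-BuiltinAdminTampering {
    # Emit one row per management event whose target is the RID-500 account.
    # Matching on the SID rather than the name survives renaming and ignores
    # decoy accounts that merely happen to be called "Administrator".
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        if ($TamperEvents.ContainsKey([int]$Record.Id) -and $Record.TargetSid -match '-500$') {
            [pscustomobject]@{
                When   = $Record.TimeCreated
                Who    = $Record.SubjectUserName
                What   = $TamperEvents[[int]$Record.Id]
                Target = $Record.TargetUserName
            }
        }
    }
}

# Constructed sample records (not real log data): alice re-enables the built-in
# account and resets its password; bob resets an ordinary user's password;
# carol modifies a decoy account named "Administrator" that has a normal RID.
$sampleRecords = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10 02:13'; Id = 4722; SubjectUserName = 'alice'; TargetUserName = 'Administrator'; TargetSid = 'S-1-5-21-1-2-3-500' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 02:14'; Id = 4724; SubjectUserName = 'alice'; TargetUserName = 'Administrator'; TargetSid = 'S-1-5-21-1-2-3-500' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:30'; Id = 4724; SubjectUserName = 'bob';   TargetUserName = 'jsmith';        TargetSid = 'S-1-5-21-1-2-3-1105' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 11:02'; Id = 4738; SubjectUserName = 'carol'; TargetUserName = 'Administrator'; TargetSid = 'S-1-5-21-1-2-3-1200' }
)

$sampleRecords | Find-BuiltinAdminTampering | Format-Table -AutoSize

# Against a live machine (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4724, 4725, 4738 } |
#     ConvertFrom-SecurityEvent | Find-BuiltinAdminTampering
```

The value of the quoted procedure is entirely in the Who column: once the built-in account is disabled, every later action on it is tied to a personal account. That only holds while the log itself is protected, so the events should be forwarded off the box to a collector the administrators cannot clear.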
