
Rights to login to Server with?

By sostermann
I have been doing a lot of reading about network security and especially the Administrator account. We have already implemented many suggestions that have been mentioned.

My question is, what rights should you log on locally to a server with? Right now we are using the default Administrator accounts with an extremely strong password. Is this enough? Are there any negative effects that could arise from using lesser rights to log on to the server with?

Thanks for any info.

3 total posts (Page 1 of 1)

RE: Server Login Rights

by DugaDugDug In reply to Rights to login to Server ...

By doing what you are doing there is no accountability, as your logs will only show that it was the Administrator who logged in at a particular time that concurred with something malicious (worst-case scenario) or human error that caused some issue. Suggestion: copy the account and name it after each individual server admin, and not just their regular user account name, or after whatever is your user naming policy. Also suggest that the account be renamed and its password reset, known only by a couple of people (IT Head, Server Admin or Group leader, etc.). They should keep a copy of that password locked up somewhere.


Exactly so

by JamesRL In reply to RE: Server Login Rights

The default Admin ID should be your safety. Create new Admin IDs for each group or preferably each individual who needs those rights, and try to pare down the rights, restricting them to what they need for their job.

James


Disable Administrator account

by najmal_hashim In reply to Exactly so

Best bet is to disable the Administrator account and create a new account with admin rights.

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.

However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On the Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.

You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

Now, the only account with full administrative rights has a name known only to you, and hackers can't enumerate SIDs to find it!
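A defender-side check for the points raised in this thread (named per-admin accounts for accountability, the RID-500 account renamed or disabled, anonymous enumeration switched off), written here as an added example; it is not from any of the posts above. It assumes a current Windows host with the LocalAccounts module and an elevated PowerShell session, and the function and output field names are my own.

```powershell
# Added example (not from the thread): audit one Windows host for the points raised above.
# Assumes the LocalAccounts module (Windows 10 / Server 2016+) and an elevated session so
# that the Security log and secedit are readable. Function and field names are my own.
function Get-BuiltinAdminAudit {
    [CmdletBinding()]
    param([int]$Days = 30)

    # The built-in Administrator is whichever local account has RID 500, whatever it is named.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    # RestrictAnonymous: 1 = no anonymous enumeration of SAM accounts and shares (the 2003 policy;
    # level 1 of the Windows 2000 "Additional restrictions" policy), 2 = Windows 2000 level 2.
    # RestrictAnonymousSAM = 1 is the separate "Do not allow anonymous enumeration of SAM accounts".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # "Allow anonymous SID/Name translation" is not a registry value; secedit exports it as
    # LSAAnonymousNameLookup under [System Access] (0 = disabled, which is what the post asks for).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $m = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)'
    $nameLookup = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Accountability: count interactive (2) and RDP (10) logons made with the RID-500 account
    # itself (event 4624, TargetUserSid). Named per-admin accounts should drive this to zero.
    $since = (Get-Date).AddDays(-$Days)
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Sid = $d['TargetUserSid']; Type = [int]$d['LogonType']; Time = $_.TimeCreated }
        } |
        Where-Object { $_.Sid -eq $builtin.SID.Value -and $_.Type -in @(2, 10) }

    [pscustomobject]@{
        BuiltinAdminName         = $builtin.Name
        BuiltinAdminRenamed      = ($builtin.Name -ne 'Administrator')
        BuiltinAdminEnabled      = $builtin.Enabled
        RestrictAnonymous        = $lsa.RestrictAnonymous       # want 1 (or 2)
        RestrictAnonymousSAM     = $lsa.RestrictAnonymousSAM    # want 1
        AnonymousSidNameLookup   = $nameLookup                  # want 0
        Rid500InteractiveLogons  = @($logons).Count             # want 0
        LastRid500Logon          = ($logons | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
}

Get-BuiltinAdminAudit -Days 30 | Format-List
```

Run it on a member server after applying the group policy steps in the post; a non-zero Rid500InteractiveLogons count shows exactly the accountability gap described earlier in the thread, because those logons cannot be tied to an individual admin.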
