
Around my network no account with real privileges is called Administrator or Admin. Period.
Why, you might ask?
For starters, leaving the built-in account under its default name is a real risk. Look at it this way: once an attacker has port-scanned your machine and found a logon service, one of the first things they try is guessing the password of an account they can already name.
Most automated scans try weak passwords against commonly named administrator accounts: root, Administrator, Admin and localized variations on them. An attacker who cannot enumerate your accounts (from outside the network, say, with no SMB or LDAP access) has to guess the name as well as the password, which makes gaining admin access much harder. Be aware of the limit, though: renaming does not change the account's SID, and on Windows the built-in account is always the one whose SID ends in RID 500, so anyone who can already enumerate accounts finds it regardless of its name. Treat the rename as one layer, not as a substitute for a long password and sparing use of the account.
I learned way back in school not only to rename my real administrator account but also to create another account called Administrator with limited access.
This creates a honeypot of sorts. For a good example of honeypots and snooping on the snoops, check out this article on using Spector.
Why is it called a honey pot? Good question; read the answer below:
Winnie the Pooh is a big fan of honey. In fact, he loves it so much that he will often get his paws and even his face stuck in the honey pot! In the computer world, a Honey Pot is a computer (or network of computers) designed to detect and monitor hackers. The idea is that the hacker will be lured in and trapped by the honey pot.
I don’t give this pseudo-admin account an easy password either. If the decoy gets cracked, the unauthorized user gains a foothold on your network, however small, that they did not have before, and that is not what we want. We want them to spend their time and resources on an account that gets them nothing useful, while the logging and intrusion prevention watching that account catches them in the act.
So give your fake Administrator account a genuinely strong password. Let them spin their wheels on something nowhere near as critical as your real account, you know, the one you just renamed honeyp0t :)
This works on any operating system where you can rename your administrator account. Do you have other tips or tricks for securing your servers? Let us know in the comments! Put your fellow admins on!
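As an added example for this post (it is not the author’s script), here is the rename-and-decoy setup in PowerShell for a standalone Windows 10 / Server 2016 or later machine, run from an elevated session with the built-in LocalAccounts module. The new name `svc-fulcrum` is a placeholder; pick your own. Note that it finds the real administrator by the RID 500 at the end of its SID, not by name, which is the same property the rename leaves untouched.

```powershell
# Added example for this post; not the author's script. Assumes a standalone
# Windows 10 / Server 2016 (or later) machine, an elevated PowerShell session,
# and the built-in LocalAccounts module. Names below are placeholders.
#Requires -RunAsAdministrator

$NewAdminName = 'svc-fulcrum'   # placeholder: choose an unremarkable name of your own
$DecoyName    = 'Administrator' # the name attackers guess first

# The built-in administrator is identified by the RID 500 at the end of its SID,
# not by its name. That is exactly why a rename is obscurity, not protection,
# against anyone who can already enumerate accounts.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in administrator (RID 500) not found.' }

if ($builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
}

# The decoy: an ordinary user (never added to Administrators) with a long random
# password, so that even a successful guess gains almost nothing. It copies the
# built-in account's description so that a casual "net user" looks plausible.
if (-not (Get-LocalUser -Name $DecoyName -ErrorAction SilentlyContinue)) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $decoyPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $DecoyName -Password $decoyPassword -Description $builtin.Description `
                  -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
}

# Verify: the RID-500 account now carries the new name, and the decoy is not an admin.
Get-LocalUser -Name $NewAdminName, $DecoyName | Select-Object Name, Enabled, SID
$admins = Get-LocalGroupMember -Group 'Administrators'
if ($admins.SID.Value -contains (Get-LocalUser -Name $DecoyName).SID.Value) {
    throw "Decoy '$DecoyName' is a member of Administrators; remove it."
}
"Decoy '$DecoyName' is not a member of Administrators."
```

On a domain the same idea applies to the domain Administrator (RID 500 in the domain SID) using the ActiveDirectory module (`Rename-ADObject` and `Set-ADUser -SamAccountName`) instead of the local cmdlets. Whether the decoy locks out after a number of bad passwords is governed by account lockout policy, not by anything in this script; on a domain, a fine-grained password policy applied only to the decoy is the usual way to keep it from locking while the real accounts still do.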

Nice Tip!!!
Thanks!
Glad to see you back around contributing as well.
Great tip!
How do you catch an intruder that gained access to your honeypot?
Well, I simply log EVERYTHING! My Active Directory server would signal me that a user has attempted x number of incorrect passwords (this account does not lock out the user); then I get an alert email from my log and can check the firewall for the IP address. I can then monitor or lock out that address.
Sometimes this pisses off the hacker and they ramp up their attack. So I tread carefully on blocking them altogether!
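The comment above describes alerting after x incorrect passwords against the decoy, but not how it is wired up. As an added example (not the author’s setup), here is one way to do it in PowerShell: read failed-logon events from the Security log (event ID 4625), pull the named fields out of each event’s XML, and flag any source IP that hits the decoy name more than a threshold number of times inside a time window. The threshold, window and addresses are illustrative, and the sample records at the bottom are constructed so the logic can be exercised without a real log.

```powershell
# Added example, not the author's code. Assumes the decoy is named 'Administrator'
# (the real account having been renamed) and that failed logons are Security event
# 4625, whose event data carries TargetUserName and IpAddress. Threshold, window
# and the sample data below are illustrative values, not taken from the post.

function Get-FailedLogonRecords {
    # Turns EventLogRecord objects (from Get-WinEvent) into flat records.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Look fields up by name in the event XML rather than by Properties[] index,
        # because the positional layout differs between event IDs.
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            User     = $data['TargetUserName']
            SourceIp = $data['IpAddress']
        }
    }
}

function Find-DecoyBruteForce {
    # Returns one row per source IP that failed against the decoy at least
    # $Threshold times within the last $WindowMinutes (relative to $Now).
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [string]$DecoyName     = 'Administrator',
        [int]$Threshold        = 5,
        [int]$WindowMinutes    = 10,
        [datetime]$Now         = (Get-Date)
    )
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    $Records |
        Where-Object { $_.User -eq $DecoyName -and $_.Time -ge $cutoff } |   # -eq is case-insensitive, as account names are
        Group-Object -Property SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                SourceIp  = $_.Name
                Attempts  = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        }
}

# Live use, from an elevated session (example mail settings, not real ones):
#   $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-10) } |
#              Get-FailedLogonRecords
#   Find-DecoyBruteForce -Records $records | ForEach-Object {
#       Send-MailMessage -To 'secops@example.com' -From 'dc01@example.com' -SmtpServer 'smtp.example.com' `
#           -Subject "Decoy admin brute force from $($_.SourceIp)" -Body ($_ | Out-String)
#   }

# Offline demonstration with constructed records (not real log data).
$now = Get-Date
$sample = @(
    foreach ($i in 1..7) {   # seven failures from one address in the last few minutes
        [pscustomobject]@{ Time = $now.AddSeconds(-20 * $i); User = 'Administrator'; SourceIp = '203.0.113.7' }
    }
    [pscustomobject]@{ Time = $now.AddMinutes(-2);  User = 'Administrator'; SourceIp = '198.51.100.3' }  # single miss, below threshold
    [pscustomobject]@{ Time = $now.AddMinutes(-1);  User = 'jsmith';        SourceIp = '192.0.2.44'   }  # not the decoy
    [pscustomobject]@{ Time = $now.AddMinutes(-45); User = 'Administrator'; SourceIp = '203.0.113.7'  }  # outside the window
)
Find-DecoyBruteForce -Records $sample -Now $now | Format-Table -AutoSize
```

Only the 203.0.113.7 group crosses the threshold in the sample. On a domain controller, failed domain logons show up as 4771 (Kerberos pre-authentication failed, which also carries TargetUserName and IpAddress) and 4776 (NTLM validation, which carries TargetUserName and Workstation but no IpAddress) rather than 4625, so the same field extraction works but the Id filter and the grouping key need adjusting for those events.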
“D-U-H-H!” I feel like an “ID10T”! I neva’thot’o'dat (to be pronounced as if Curly was sayin’it) before! A superb example of “K.I.S.S.”!
Thanx,
ID10T
Hi there, just to follow up on your point on honey pots, a very simple and intuitive tool to set up a quick honey pot (no installation or config needed) is a tool called HoneyBOT. Works amazingly for such a simple app.
Thanks for the tip. Just out of curiosity, did you ever catch someone in the honeypot?
Catch and prosecute are two very different things Aibek!
We have caught hundreds of attempts and shut them down but never put a face with an attacker…
And IF you have to use your Administrator account, make use of DropMyRights, a small program that opens selected programs under limited user rights. It’s been around for quite a while. Written by Michael Howard, an MS security engineer.
http://www.download.com/DropMyRights/3000-2144_4-10722877.html
This is a great tip. I’m definitely going to put it to use.
[...] Secure your Operating System with This Simple Trick! Works on most OS’s! [...]
Renaming the Admin account isn’t a bad idea (I do it myself) but any hacker worth anything will easily discover the true Administrator account using its SID. Changing the name doesn’t change the SID.
This is a “security through obscurity” change, which is nice in combination with other real security methods, but don’t think this change alone provides any real security.
The only attacks I have seen against my environment used brute force to try and guess the passwords. Without access to my network, how would they retrieve the SID?
I would love to know!
This “hack” also lets you prevent users in your network from trying password combinations against the KNOWN admin account.
Any other opinions?
There is a long discussion of this issue in the June 2008 issue of Technet Magazine. (http://technet.microsoft.com/en-us/magazine/cc510319.aspx) It is true that someone would need to get into the network in the first place to run things like USER2SID or SID2USER to find the true Administrator, but it’s not hard to do at all once they are in.
I’m not against renaming the Admin account, but it’s more of a defense in depth measure than a real security end unto itself. You will achieve real (and better) security by limiting the Admin account use, restricting the number of people who know the true Admin password and making the password very long and complex. You should also remove the LM hashes of all domain Admin accounts if your network configuration will allow.
Ah, but Peter, it is a real security end, because it protects against forms of social hacking as well as compounding other security risks like passwords written down or in someone’s notes.
It is so simple, and without any downside, that there is no reason not to do it.
“pass the hash” (google it).
Be afraid; be very afraid.
If you don’t have access to my network, you will be unable to get the hashes. Hence changing the account name.
Any time!
I like the idea of limiting the “Administrator Account”; they’d get a bit of a surprise when they can’t execute their exploits. I’ll keep this tip in mind for future networking plans. Thanks.
Why do programs say “program not responding”? It only happens on my Vista machine.
Can you be more specific?
My thoughts exactly! Thanks for stopping by John!
When I run Word, Firefox, Thunderbird or Microsoft Works, it says “program not responding”; the only way to exit is to run Task Manager to get the program to exit. Also a box comes up with a message: check to see what caused the program to stop working. It never comes back with a solution. I run Vista on a laptop.
You mentioned that “My Active Directory server would signal me that a user has attempted x amounts of incorrect passwords”. How did you set this up? I would love to set something like this up.
Thanks.
Have you run the free scan from http://safety.live.com? Sounds like a rogue app on your machine causing issues.
Have you run HijackThis or something similar?
I have Trend firewall, spyware and run a scan at least once a week. Also I run CCleaner weekly.
If you open up Task Manager and sort by memory, what is using the most? And what about processor? Can you post a list of items you have starting up?
A car hits a Jewish man. The paramedic rushes over and says, “Are you comfortable?” The guy says: “I make a good living.” (Henny Youngman) :D
[...] on the right hand side. (and for those of you feeling like you want to try and crack my ftp that account is a honeypot account [...]
Great tip I’ll have to try this on the work pc
How about creating a _new_ account with administrator rights and changing the original ‘admin’ account’s group to Guest? Then you can also deny that account access to folders and drives other than those needed for it to work (i.e. Windows, Program Files, docu..\admin)?
Would it change anything? Even more, duplicating the administrative privileges group and limiting the original one?
Sorry for my English.