Secure your Operating System with This Simple Trick! Works on most OS’s!

Around my network we don’t have ANY user accounts called Administrator or Admin – Period.
Why you might ask?
Well, for starters, it’s a HUGE security risk! Let’s look at it like this: if a hacker wants to gain access to your machine, the first thing they will do after a port scan is try to find your administrator password.
Most of the time automated scans search for weak passwords on commonly named administrator accounts, including Root, Administrator, Admin and foreign-language variations on them. If the potential attacker does not know what the account is called, they will have a MUCH harder time gaining admin access.
I learned way back when in school to not only rename my real administrator account but to create another account called Administrator with limited access.
This creates a honeypot of sorts. For a great example of honeypots and snooping on the snoops, check out this article on using Spector.
Why is it called a honey pot? Good question; read the answer below:
Winnie the Pooh is a big fan of honey. In fact, he loves it so much that he will often get his paws and even his face stuck in the honey pot! In the computer world, a Honey Pot is a computer (or network of computers) designed to detect and monitor hackers. The idea is that the hacker will be lured in and trapped by the honey pot.
Now I don’t go crazy and give this pseudo-admin account an easy password either; after all, if it is cracked the unauthorized user gains a small bit of access to your network that they did not have before. This is not what we want. We want them to spend their time and resources looking for information that really doesn’t help them, and in the process your intrusion prevention services should catch them in the act.
So really password protect your fake administrator account. Let them spin their gears getting something that is nowhere near as critical as if they got your real account – you know, the one you just renamed honeyp0t :)
This works on any operating system where you can rename your administrator account. Do you have other tips or tricks for securing your servers? Let us know in the comments! Put your fellow admins on!

about 3 years ago
Nice Tip!!!
about 3 years ago
Thanks!
Glad to see you back around contributing as well.
about 3 years ago
Great tip!
How do you catch an intruder that gained access to your honeypot?
about 3 years ago
Well, I simply log EVERYTHING! My Active Directory server would signal me that a user has attempted x number of incorrect passwords (this account does not lock out the user), then I would get an alert email from my log and I can check the firewall for the IP address. I can then monitor or lock out that address.
Sometimes this pisses off the hacker and they ramp up their attack. So I tread carefully on blocking them altogether!
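The monitoring the post and the comment above describe (log failed logons against the decoy account, alert once a source has made x bad attempts, then look up its IP), as an added Python example that is not code from the post: it parses constructed log lines in a simplified Windows Security 4625/4624 shape, counts failed logons per source IP against the decoy names, and separately flags any failure against the renamed real account (assumed here to be honeyp0t, a placeholder), since that source has evidently learned the real name.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs) in a simplified shape of the
# Windows Security log: 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2008-06-01T02:14:05Z 4625 TargetUserName=Administrator IpAddress=203.0.113.7
2008-06-01T02:14:06Z 4625 TargetUserName=Administrator IpAddress=203.0.113.7
2008-06-01T02:14:07Z 4625 TargetUserName=Administrator IpAddress=203.0.113.7
2008-06-01T02:14:09Z 4625 TargetUserName=admin IpAddress=203.0.113.7
2008-06-01T02:15:00Z 4625 TargetUserName=jsmith IpAddress=10.0.0.5
2008-06-01T02:16:00Z 4624 TargetUserName=jsmith IpAddress=10.0.0.5
2008-06-01T02:17:00Z 4625 TargetUserName=honeyp0t IpAddress=198.51.100.9
"""
# Decoy names no legitimate user logs on with; REAL_ADMIN is the renamed
# real account ("honeyp0t" from the post, used here as a placeholder).
DECOY_ACCOUNTS = {"administrator", "admin", "root"}
REAL_ADMIN = "honeyp0t"
THRESHOLD = 3  # failed attempts per source IP before alerting
LINE_RE = re.compile(r"^(\S+) (\d{4}) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, event_id, user, ip = m.groups()
            events.append({"event_id": int(event_id), "user": user.lower(), "ip": ip})
    return events

def decoy_failures(events):
    """Failed logons (4625) against decoy names, counted per source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == 4625 and e["user"] in DECOY_ACCOUNTS:
            counts[e["ip"]] += 1
    return dict(counts)

def alerts(events, threshold=THRESHOLD):
    """IPs hitting the decoys at least `threshold` times, plus any IP failing
    against the real admin name even once (it has learned the renamed account)."""
    noisy = {ip for ip, n in decoy_failures(events).items() if n >= threshold}
    knows_real = {e["ip"] for e in events
                  if e["event_id"] == 4625 and e["user"] == REAL_ADMIN}
    return {"decoy_bruteforce": sorted(noisy), "real_admin": sorted(knows_real)}

if __name__ == "__main__":
    for kind, ips in alerts(parse(SAMPLE_LOG)).items():
        print(kind, ips)
```

Because the decoy account is deliberately not set to lock out, the threshold in this script is what turns the attempts into an alert; the real account should keep its normal lockout policy.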
about 3 years ago
“D-U-H-H!” I feel like an “ID10T”! I neva’thot’o'dat (too be pronounced as if Curly was sayin’it) before! A superb example of “K.I.S.S.”!
Thanx,
ID10T
about 3 years ago
Hi there, just to follow up on your point on honey pots: a very simple and intuitive tool to set up a quick honey pot (no installation or config needed) is a tool called HoneyBOT. Works amazingly for such a simple app.
about 3 years ago
Thanks for the tip. Just out of curiosity, did you ever catch someone in the honeypot?
about 3 years ago
Catch and prosecute are two very different things Aibek!
We have caught hundreds of attempts and shut them down but never put a face with an attacker…
about 3 years ago
And IF you have to use your Administrator account, make use of DropMyRights, a small program that opens selected programs under limited user rights. It’s been around for quite a while. Written by Michael Howard, a MS security engineer.
http://www.download.com/DropMyRights/3000-2144_4-10722877.html
about 3 years ago
This is a great tip. I’m definitely going to put it to use.
about 3 years ago
Renaming the Admin account isn’t a bad idea (I do it myself) but any hacker worth anything will easily discover the true Administrator account using its SID. Changing the name doesn’t change the SID.
This is a “security through obscurity” change, which is nice in combination with other real security methods, but don’t think this change alone provides any real security.
about 3 years ago
The only attacks I have seen against my environment used brute force attacks to try and guess the passwords. Without access to my network, how would they retrieve the SID?
I would love to know!
This “hack” also lets you prevent users in your network from trying password combinations against the KNOWN admin account.
Any other opinions?
about 3 years ago
There is a long discussion of this issue in the June 2008 issue of Technet Magazine. (http://technet.microsoft.com/en-us/magazine/cc510319.aspx) It is true that someone would need to get into the network in the first place to run things like USER2SID or SID2USER to find the true Administrator, but it’s not hard to do at all once they are in.
I’m not against renaming the Admin account, but it’s more of a defense in depth measure than a real security end unto itself. You will achieve real (and better) security by limiting the Admin account use, restricting the number of people who know the true Admin password and making the password very long and complex. You should also remove the LM hashes of all domain Admin accounts if your network configuration will allow.
about 3 years ago
Ah, but Peter, it is a real security end because it protects against forms of social hacking as well as compounding other security risks like passwords written down or in someone’s notes.
It is so simple to do, with no downside.
about 3 years ago
“pass the hash” (google it).
Be afraid; be very afraid.
about 3 years ago
If you don’t have access to my network you will be unable to get the hashes. Hence changing the account name.
about 3 years ago
Any time!
about 3 years ago
I like the idea of limiting the “Administrator Account”; they’d get a bit of a surprise when they can’t execute their exploits. I’ll keep this tip in mind for future networking plans. Thanks.
about 3 years ago
Why do programs say “program not responding”? It only happens on my Vista machine.
about 3 years ago
Can you be more specific?
about 3 years ago
My thoughts exactly! Thanks for stopping by John!
about 3 years ago
When I run Word, Firefox, Thunderbird, Microsoft Works, it says “program not responding”; the only way to exit is to run Task Manager to get the program to exit. Also a box comes up with a message: check to see what caused the program to stop working. It never comes back with a solution. I run Vista on a laptop.
about 3 years ago
You mentioned that “My Active Directory server would signal me that a user has attempted x amounts of incorrect passwords”. How did you set this up? I would love to set something like this up.
Thanks.
about 3 years ago
Have you run the free scan from http://safety.live.com? It sounds like a rogue app on your machine is causing issues.
Have you run HijackThis or something similar?
about 3 years ago
I have Trend firewall, spyware and run a scan at least once a week. Also I run CCleaner weekly.
about 3 years ago
If you open up Task Manager and sort by memory, what is using the most? And what about processor? Can you post a list of items you have starting up?
about 3 years ago
A car hits a Jewish man. The paramedic rushes over and says, “Are you comfortable?” The guy says: “I make a good living.” (Henny Youngman) :D
about 3 years ago
Great tip I’ll have to try this on the work pc
about 3 years ago
How about creating a _new_ account with administrator rights and changing the original ‘admin’ account’s group to guest? Then you can also deny that account access to folders and drives other than those needed for it to work (i.e. windows, program files, docu..\admin)?
Would it change anything? Even more, duplicating the administrative privileges group and limiting the original one?
Sorry for my English.