Subject: Re: Logging out of a NT server
From: Paul L Schmehl (paulsUTDALLAS.EDU)
Date: Thu Sep 07 2000 - 18:51:29 CDT


I get over 400 email messages a day. Yet I still find time to explain
something if asked.

--On Wednesday, September 06, 2000 5:29 PM +1000 Russel Smith
<carlosARKPACIFIC.COM> wrote:

> Hello,
>
> In most circumstances it is good practice to disguise all your
> administrators' usernames. I will try to explain why in the following
> points:
>
> * Knowing an Administrative username increases the likelihood that
> some cracker could use social engineering techniques to change
> the account's password

And I can use social engineering to find out the new name. So what have
you gained?
>
> * Any information leak nearly always aids someone who is trying to gain
> unauthorised access to a system.

Security by obscurity? I thought that old bugaboo had been thoroughly
vanquished. Apparently not.

Doesn't it strike you as odd that despite the fact that Unix has been
around for over 40 years, no one has ever suggested changing the name of
"root" to something else? Yet Unix has always been considered a secure OS.
>
> Of course this does depend on what environment/circumstances you are in.
> It might not be necessary to obscure the Admin accounts in all
> circumstances, in general it is considered good practice.

By whom?
>
> I don't think that I can adequately describe why it is considered good
> practice by using text. Language can't describe everything...

Perhaps it can't be described because it doesn't make sense? So far,
you've only given one reason for changing the name - security by obscurity.
If you hide things from view, supposedly people won't be able to find them.

This assumes your attacker is somewhat of a dullard. I suppose it would
help with the script kiddies and the wannabes, but a true attacker isn't
going to be deterred by this. Frankly, I'd find it more challenging and
might stop to play around for a while rather than moving on to a more
conventional target.

And if you change the admin account name, what have you really gained? A
little extra time - that's it.
>
> I wouldn't recommend merely renaming it, I would recommend
> stripping the default Administrator account of all rights and privileges
> and ban it from just about everything you can, then leaving it there as
> a honeypot. After you have done this you can make an inconspicuous account
> for your Admin.

And if I'm any kind of attacker at all, the first thing I'm going to do is
view the privileges of the administrator account to see if you've stripped
it. Then I'm going to look for the new privileged account that has admin
rights. You've gained nothing except perhaps a few seconds.
>
> I'm sorry I couldn't offer a more in-depth explanation, but I'm getting over
> 100 emails a day...

<aol>Me too.</aol>

Paul L. Schmehl, paulsutdallas.edu
Technical Support Services Manager
The University of Texas at Dallas
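
Added example, not part of the original message and not code from either poster: one way to monitor the stripped "Administrator" decoy account discussed in the thread, by flagging every logon attempt that names it. The key=value log format, the field names (ts, event, user, src) and all sample lines are constructed assumptions.

```python
# Flag every logon attempt that names a decoy account, grouped by source.
# Assumptions: a key=value text log export and a decoy that keeps the
# name "Administrator". All sample lines below are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
2000-09-07T18:40:01 event=logon_failure user=Administrator src=10.0.0.5
2000-09-07T18:40:03 event=logon_failure user=CORP\\administrator src=10.0.0.5
2000-09-07T18:41:10 event=logon_success user=jsmith src=10.0.0.8
2000-09-07T18:42:55 event=logon_failure user=administrator@corp.example src=10.0.0.9
this line is malformed and must be ignored
2000-09-07T18:43:00 event=logon_failure user=svc-backup src=10.0.0.5
""".splitlines()


def normalise_user(raw):
    """Reduce DOMAIN\\user and user@domain forms to a lowercase bare name."""
    name = raw.rsplit("\\", 1)[-1]   # drop a domain prefix
    name = name.split("@", 1)[0]     # drop an @domain suffix
    return name.lower()              # Windows account names ignore case


def parse_line(line):
    """Return (timestamp, fields), or None if the line is not an event."""
    ts, _, rest = line.partition(" ")
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    if not {"event", "user", "src"} <= fields.keys():
        return None
    return ts, fields


def decoy_alerts(lines, decoy="administrator"):
    """Map source address -> [(timestamp, event)] for attempts on the decoy."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines
        ts, fields = parsed
        # Successes count too: no legitimate user should log on as the decoy.
        if normalise_user(fields["user"]) == decoy:
            by_src[fields["src"]].append((ts, fields["event"]))
    return dict(by_src)
```

Calling `decoy_alerts(SAMPLE_LOG)` returns the two source addresses that named the decoy, with the timestamps of each attempt.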