Subject: Re: Logging out of a NT server
From: Gary McIntyre (Gary_McIntyreLGS.CA)
Date: Fri Sep 08 2000 - 15:23:20 CDT


Don't forget that "user2sid" and "sid2user" have been used to circumvent
this sort of security-through-obscurity. Renaming the "Administrator"
account is scant help if the SIDs can be obtained through a null session
(which can almost always be done provided Port 139 is still accessible, even
if "restrictAnonymous" is enabled).

SIDs associated with administrators (either local or domain if this is done
against a domain controller) are also easy to identify. This also means
that simply creating an account called "Administrator" and not putting it in
an Administrators group would not be very useful.

Take a look at http://www.ussrback.com/NT/docs/sid.htm for additional
information.

Gary McIntyre
Network Consultant
LGS Group Inc.
Gary_McIntyrelgs.ca

This user's PGP Public Keys can be
obtained from certserver.pgp.com

----- Original Message -----
From: "Deus, Attonbitus" <Thorhammerofgod.com>
To: <FOCUS-MSSECURITYFOCUS.COM>
Sent: Friday, September 08, 2000 3:25 PM
Subject: Re: Logging out of a NT server

> ----- Original Message -----
> From: "Paul L Schmehl" <paulsUTDALLAS.EDU>
> To: <FOCUS-MSSECURITYFOCUS.COM>
> Sent: Thursday, September 07, 2000 4:51 PM
> Subject: Re: Logging out of a NT server
>
> > Perhaps it can't be described because it doesn't make sense? So far,
> > you've only given one reason for changing the name - security by
> > obscurity. If you hide things from view, supposedly people won't be able
> > to find them.
> >
> > This assumes your attacker is somewhat of a dullard. I suppose it would
> > help with the script kiddies and the wannabes, but a true attacker isn't
> > going to be deterred by this. Frankly, I'd find it more challenging and
> > might stop to play around for a while rather than moving on to a more
> > conventional target.
>
> The point is to not simply rename the admin account, but to then create a
> new account called "Administrator" that has no rights.
> You could then readily identify any attempts to use those credentials, and
> at least be made aware of the fact that such attempts were being made.
>
> Hopefully, if you breached my security measures and dumped my SAM to get
> all my user info, you would see that account and give it a try.
> We would then be alerted to the attempt and could at least try to track it
> down.
>
> Mr. Maiffret said:
> >the whole administrator account name/rename thing has been done to death.
> >there are a lot of ways to learn the name of the administrator account.
> >for example you could do RID enumeration etc... but it doesn't really matter.
> >your system should be secured to the point that even if someone gets your
> >administrator account name it won't matter.
>
> He is, of course, correct. However, if all systems were secured the way
> they 'should' be, then this list would not exist, nor would the need for
> most of eEye's products. After all, doesn't Retina tell me to rename the
> Administrator account? ;)
>
> The simple point is that it is an easy way to have a means of audit that
> you didn't have before. It is not meant to replace standard and customary
> security measures, it is not meant to do away with the need for strong
> passwords, and it is not meant to obviate proper firewall configuration.
>
> ----------------------------------------------------------------
> Attonbitus Deus
> thorhammerofgod.com
>
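
Added example, not from any poster in this thread: the two points above (the built-in Administrator keeps RID 500 whatever it is renamed to, and a no-rights decoy called "Administrator" is only useful if it is truly inert and someone actually watches for attempts against it) expressed as defender-side checks. The account list, the Administrators membership list and the log format are constructed for the example; the "EventID=528/529" fields mimic the NT 4/2000 successful- and failed-logon event ids but the line format itself is hypothetical, not real event-log text.

```python
import re

# Well-known RID of the built-in Administrator account. Renaming the account
# changes its name, not its SID, so the RID still identifies it (the thread's point).
BUILTIN_ADMIN_RID = 500

# Local/domain account SIDs look like S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed, hypothetical log format: "<date> <time> EventID=<n> User=<name> Workstation=<name>".
# 528/529 were the NT 4/2000 successful/failed-logon ids; the line layout is not real event text.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) Workstation=(?P<ws>\S+)$"
)


def rid_of(sid):
    """Return the relative identifier (last sub-authority) of an account SID."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError("not a local/domain account SID: %r" % sid)
    return int(m.group(1))


def find_real_admin(accounts):
    """accounts: iterable of (name, sid). Return the name carrying RID 500, whatever it is called."""
    for name, sid in accounts:
        if rid_of(sid) == BUILTIN_ADMIN_RID:
            return name
    return None


def validate_decoy(decoy_name, accounts, admin_group_members):
    """Check that the decoy 'Administrator' really has no rights: not RID 500, not in Administrators.
    Returns a list of problems; an empty list means the decoy is inert."""
    problems = []
    sids = {name.casefold(): sid for name, sid in accounts}  # Windows names are case-insensitive
    sid = sids.get(decoy_name.casefold())
    if sid is None:
        problems.append("decoy account does not exist")
    elif rid_of(sid) == BUILTIN_ADMIN_RID:
        problems.append("decoy is the real built-in Administrator (RID 500)")
    if decoy_name.casefold() in {m.casefold() for m in admin_group_members}:
        problems.append("decoy is a member of Administrators")
    return problems


def decoy_logon_attempts(lines, decoy_name="Administrator"):
    """Return every parsed event that names the decoy account, success or failure.
    Nobody legitimate uses the decoy, so any hit is worth an alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("user").casefold() == decoy_name.casefold():
            hits.append(m.groupdict())
    return hits


# Constructed sample data (not from any real system).
ACCOUNTS = [
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1010"),  # decoy, ordinary RID
    ("svc_backup",    "S-1-5-21-1004336348-1177238915-682003330-1005"),
    ("rootbeer",      "S-1-5-21-1004336348-1177238915-682003330-500"),   # renamed real admin
]
ADMINISTRATORS_GROUP = ["rootbeer"]
LOG_LINES = [
    "2000-09-08 15:01:12 EventID=528 User=svc_backup Workstation=BACKUP01",
    "2000-09-08 15:02:40 EventID=529 User=Administrator Workstation=WKS-UNKNOWN",
    "2000-09-08 15:02:41 EventID=529 User=administrator Workstation=WKS-UNKNOWN",
    "2000-09-08 15:05:03 EventID=528 User=rootbeer Workstation=ADMIN-PC",
]

if __name__ == "__main__":
    print("real admin by RID 500:", find_real_admin(ACCOUNTS))
    print("decoy problems:", validate_decoy("Administrator", ACCOUNTS, ADMINISTRATORS_GROUP))
    for hit in decoy_logon_attempts(LOG_LINES):
        print("ALERT decoy logon attempt:", hit)
```

Run as-is to see the renamed account picked out by RID 500 despite its name, the decoy pass its inertness check, and both failed logons against "Administrator" flagged (the case-insensitive match catches the lower-case variant too). In a real deployment the log reader would consume the Security event log rather than these constructed lines.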