Saturday, January 28, 2012

Windows Server Administration Best Practices #1

By Isuru Rakshitha Senadheera

It’s a known fact that if a hacker wants to gain access to a server running Windows, the first thing he would do is try to log in using either the Guest or the Administrator account. With enough time and luck he would eventually gain access by guessing the password, by brute force, or by other methods available depending on the OS version and the Service Packs applied. But what can we as administrators do in our capacity to mitigate this?

Well, the most common thing we do is to disable the Guest account and rename the Administrator account to something else. Different administrators use different methods to achieve this, but let me give you a method that is 90% foolproof.

First you need to disable or delete the Guest account (obviously). Then you need to make another account with an unsuspicious name an Administrator and delete the default Administrator account (Yes, Windows lets you do it!!). You may be wondering why you would want to do that. The reason is that in Windows, even if you rename the default Guest or Administrator accounts, the Security Identifier (SID) associated with that account will not change. And for some reason, in all the Windows versions the SIDs for these two accounts have stayed in the same format even to this day. This means that a smart hacker, by looking at the SID (there are tools for that), can tell which one the real Administrator is.

By performing the above method, a hacker would have a hard time figuring out which account is the Administrator, since the default well-known Administrator SID (the one that ends in -500) is nowhere to be found!!
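To make the SID point concrete, here is an added PowerShell example (written for this post, not code from the original article) that identifies the two built-in accounts by their relative identifier (RID 500 and 501) no matter what they have been renamed to, creates a replacement administrator under an unremarkable name, and then disables the built-in accounts. It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Disable-LocalUser, New-LocalUser, Add-LocalGroupMember, Get-LocalGroupMember) are available; the account name svc-maint is a placeholder.

```powershell
# Added example, not part of the original post. Assumes Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts module). Run from an elevated PowerShell prompt.

# Well-known RIDs of the two built-in accounts. The RID is the last component of the
# account SID and survives any rename, which is exactly why renaming alone is not enough.
$WellKnownRids = @{ 500 = 'built-in Administrator'; 501 = 'built-in Guest' }

function Get-BuiltInAccountStatus {
    # Returns one object per built-in account found, identified by RID rather than by name.
    foreach ($user in Get-LocalUser) {
        $rid = [int](($user.SID.Value -split '-')[-1])
        if ($WellKnownRids.ContainsKey($rid)) {
            [pscustomobject]@{
                Name    = $user.Name
                Role    = $WellKnownRids[$rid]
                SID     = $user.SID          # SecurityIdentifier object
                Enabled = $user.Enabled
            }
        }
    }
}

function Disable-BuiltInAccounts {
    # Disables any built-in account that is still enabled, but only after confirming that a
    # replacement administrator exists, so the machine is never left without an admin login.
    param([Parameter(Mandatory)][string]$ReplacementAdmin)

    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($admins -notcontains "$env:COMPUTERNAME\$ReplacementAdmin") {
        throw "'$ReplacementAdmin' is not a member of Administrators; refusing to disable built-in accounts."
    }
    foreach ($acct in Get-BuiltInAccountStatus | Where-Object Enabled) {
        Disable-LocalUser -SID $acct.SID
        Write-Output "Disabled $($acct.Role) (current name '$($acct.Name)', SID $($acct.SID.Value))"
    }
}

# 1. Create the replacement administrator under an unremarkable name.
#    'svc-maint' is a placeholder; the password is prompted for, never hard-coded.
$name = 'svc-maint'
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $secret = Read-Host -AsSecureString "Password for $name"
    New-LocalUser -Name $name -Password $secret | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $name
}

# 2. Show what a SID-based audit sees (renamed or not), then disable the RID 500/501 accounts.
Get-BuiltInAccountStatus | Format-Table -AutoSize
Disable-BuiltInAccounts -ReplacementAdmin $name
```

Running only the first part, Get-BuiltInAccountStatus, is a useful periodic check on its own: it lists the built-in accounts by RID, so a renamed Administrator still shows up as "built-in Administrator", which is the same thing an attacker's SID-lookup tool would see.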

But like I said earlier, given enough time, luck and resources a smart mind can still come up with a way to break in. That’s why having the latest Service Packs and tested security patches applied always pays off.
