Renaming the Administrator Account

With the different types of attacks on the internet, a dictionary attacked ran by an automated script can be the most dangerous. Often I check our logs on many of our outside honeypots and ftp servers only to see 13 megabyte log files that show a script that ran for several hours. The account that is tried the most is the administrator account. Continuously throughout the script, I will see the Administrator username and thousands of entries for different passwords from a dictionary attack.

These servers have been protected by renaming the administrator account. By renaming the account, a dictionary attack becomes useless if the correct username cannot be guessed. Many reviews argue against this point saying that it is superfluous. (This meaning seems to be taking hold in the IT industry and simply means unnecessary).

The theory behind this (being flawed) is that an attacker would get an error message and if the password was complex enough that renaming the account isn't needed. Now think of it this way, if you had two locks on your door would you leave one key in the door? Faster speed broadband connections and more complex programs allow attacks to be accelerated. Simple and Complex programs can be found on the internet to run scripts or to design hacking programs. Why wouldn't you take this extra step?

Can Hackers find the True Administrator Account if it has been renamed? Yes. This process is not easy and the complexity of doing so discourages most hackers. Administrators have to remember that as a username cannot be as complex as a password, renaming this account delays hackers. The only true way for a hacker to see a renamed administrator is if the hacker has access to ports that are defined by NetBIOS from the internal network and they (the hackers) use a program that examines SIDs. These programs are a form of SID conversion utility that can be found on the web. The odds of these attacks happening through a hardware firewall are virtually nonexistent. The delay in obtaining the proper username adds to complexity of the attack thus discouraging most hackers.

Realistically, every node should not have the Administrator account renamed. This truly could be a waste of time and resources if every computer had the administrator account renamed. So which computers should have the administrator account renamed? Important servers that are exposed in a DMZ or other area that is susceptible to malicious activity. This form of hardening a server is one of the key fundamental practices that should be included in security policies.

Although hardware firewalls usually have rules that define such malicious activity; this extra protection doesn't take long and is not an expense to the information technology department. The risk of lost assets far outweigh this simplex task. Risk management and education is the key behind all information technology security. There will always be controversy in renaming the administrator account. Renaming the this account is only one step in the ever growing complex world of security.