Tales from the Crypto

This was the cover story on a TechNet Magazine a few years ago.  Jesper Johansson vs. Roger Grimes, with sidebars by Steve Riley and me supporting Jesper and Roger.  I took the "it can be a good thing" side along with Roger.

technet.microsoft.com/.../2008.06.obscurity.aspx

I used to take your position, and then my old boss convinced me otherwise. Also changes since then make it an even better move.

First, if someone just logs on as administrator and happens to do something to browse the network, you'll see a bunch of logons as administrator. It is in fact the reverse of what you say - you should treat most of these (at least on a large enterprise network) as benign.

On the other hand, if someone has sorted out your actual admin account name, and has failed logons, then that's either you with a typo, or a real attack, and you can pay attention.

Next, while it used to be trivial to get a system to tell you a lot of nice info remotely, that hasn't been the case for several versions, and starting with Win2k3, Windows won't tell you much of anything I consider useful as anonymous. So actually obtaining the new admin name isn't trivial any longer.

A further counter-argument is that the local admin account should _never_ be used if you can still log on to the domain, so most of your objections are things you ought not be doing to start with.

All that said, it isn't very high on my list of things to do when dealing with a new system. Just applying the latest patches and running the latest OS and apps gets you much more security. But I am convinced that renaming the admin account isn't really futile.

I don't think those APIs come into play when you're scanning a system that doesn't expose RPC; e.g., that exposes just HTTP/S, FTP, WebDAV, SMTP, SQL Server, ...

While I don't think there are strong guarantees that the OS won't cough up the admin's real name (and BTW, I'm fairly sure this account name is localized, so a good attacker is prepared for that), it used to be dead easy - just ask it what the user name is for SID 500, and it would tell you this without being authenticated. Those days have been gone for about 8 years. Like most security countermeasures, it only provides some level of annoyance to the attacker. Annoying and slowing down attackers is a good thing, especially if it is cheap. This is about as cheap as it gets.

Next, I'm not terribly worried about an ex-employee knowing about this speedbump, but if I needed to reset my systems, there's this handy thing called domain policy, and I can reset them all with one change. If I break some scripts, they weren't supposed to be using those scripts anyway, so they shouldn't be messing with the BOFH, or I'll put the changes in a scheduled task and change it every day to something new.

The purpose of this is _not_ to gain entropy. The purpose is to be able to distinguish someone browsing the network who wasn't trying to hack you from someone who _is_ trying to hack you. If the account is renamed, then this is dead easy. If not, well, have fun sorting through the logs. Laziness isn't just a great quality of a dev, is it also a great quality of a sys admin or security admin.

Speaking of the password, make those unique to each system, derived from a hash, and truly awful to type.

No, I was serious.  If the HTTP server can be made to give up local account names, it's got a serious security bug that will get fixed after it's been discovered.  (Maybe I'm missing your point here...)

I'm not arguing that it is *important* to change the -500 account name or that anyone's security policies are substandard if they don't.  I'm just saying that it can have *some* value, it's really easy, it's supported, and it shouldn't break anything legitimate.