Shang Tsung | 31 Jan 2011 16:58

Administrator in Domain Admins group

After an audit, I noticed that in the Domain Admins group of our
domain, there is an account named Administrator. As my engineers told
me, this account is created by default when you create a new domain
and cannot be deleted or disabled. Is this true? I am not convinced
yet.

We do not like general purpose accounts like this because we lose
accountability. I am pretty sure the password of that account is in
the hands of people who are not supposed to have it. Each domain admin
has his own account that is in the Domain Admins group, so there is no
need for this Administrator account.

Can we delete it? And if yes, what would be the consequences?

Thanks,
Shang Tsung

Staats, Ryan | 31 Jan 2011 19:00

RE: Administrator in Domain Admins group

If you fear it's been compromised, just change the password. The important point to note is that anyone with
domain admin credentials can simply modify the password of that account at any time, just as anyone with
domain admin credentials can create a dummy account, futz about, and then delete it. If you have no live
auditing tools (like me), it'll likely be missed.

The obvious thing to note here is that if you have any other systems relying on that administrator account
for credentialing, changing the password would break that.  Try as I might, just when I think I've removed
its use from every system I have, I find another thing I didn't know someone used it for.  We have a problem
with domain admins as well... problem is that they're actually granted those permissions
intentionally.  *sigh*

MS's guide to securing the AD Admin account recommends renaming it to a bogus user account name:
http://technet.microsoft.com/en-us/library/cc700835.aspx


Laura A. Robinson | 31 Jan 2011 20:21

RE: Administrator in Domain Admins group

It can be both disabled (supported) and deleted (unsupported, AFAIK
undocumented). It SHOULD be disabled, in my opinion. If you delete it, you
run the risk of imploding anything that is configured to default to or use
that account, so really, don't delete it, even if you figure out how to do
it. :-)

Furthermore IMO, every organization using AD should implement RBAC and
privileged identity management and have no Domain Admins, Enterprise Admins
or Administrators in AD on a day-to-day basis, just in build and break-glass
scenarios. Sadly, I rarely see that implemented. 

Laura A. Robinson


Michael Sturtz | 31 Jan 2011 19:16

RE: Administrator in Domain Admins group

The "Built in Administrator" account CAN be deleted; however, it is strongly cautioned against doing this.
One of the reasons is it is the account that is used in safe mode should a disaster occur. If the built in
Administrator account is locked out you can reboot the system in safe mode (by hitting the F8 key at
startup) and still log on to the account and fix your system. If you delete or remove the built in
administrator account you will be unable to log on to the system. I would recommend renaming the built in
administrator account to a different name and then creating a new account named Administrator that is not
a member of the Administrators or Domain Administrators group and is disabled. This account is a decoy to
prevent nuisance attacks on your default administrator account.
Michael Sturtz

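An audit script for the state the replies above argue over (Ryan: change the password; Laura: disable it; Michael: rename it), added here as an example and not code from the thread. It finds the built-in account by its well-known RID 500 rather than by name, so a rename does not hide it, and lists Domain Admins (RID 512) members. It assumes the RSAT ActiveDirectory module; the 90-day password-age threshold is a chosen value.

```powershell
# Added example, not from the thread: audit the built-in domain Administrator by RID 500
# (a rename does not change the SID) and the membership of Domain Admins (RID 512).
# Assumes the RSAT ActiveDirectory module; 90 days is an assumed password-age threshold.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# The built-in Administrator is always <DomainSID>-500, whatever its sAMAccountName.
$builtin = Get-ADUser -Identity "$domainSid-500" `
    -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires, MemberOf

# Domain Admins is always <DomainSID>-512; expand nested groups down to user objects.
$members = Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate

$findings = @()
if ($builtin.Enabled) {
    $findings += "Built-in Administrator ($($builtin.SamAccountName)) is enabled"
}
if ($builtin.PasswordNeverExpires) {
    $findings += 'Built-in Administrator password is set to never expire'
}
if (-not $builtin.PasswordLastSet -or $builtin.PasswordLastSet -lt (Get-Date).AddDays(-90)) {
    $findings += 'Built-in Administrator password is older than 90 days'
}
if ($members.SID.Value -contains $builtin.SID.Value) {
    $findings += 'Built-in Administrator is still a member of Domain Admins'
}

"Built-in Administrator account:"
$builtin | Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
    PasswordNeverExpires, @{ n = 'Groups'; e = { $_.MemberOf.Count } } | Format-List

"Domain Admins members ($($members.Count)):"
$members | Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize

"Findings:"
if ($findings) { $findings | ForEach-Object { " - $_" } } else { " - none" }
```

Run it from a domain-joined host with read access to the domain; it changes nothing, so it is safe to schedule as a recurring check.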

James D. Stallard | 8 Feb 2011 11:16

RE: Administrator in Domain Admins group

IMHO you're solving the wrong problem.

The problem is not the Administrator account, it is that Shang Tsung has Domain Administrators he does not
trust. There is little point in obfuscating the Administrator account or changing its password when any
authenticated user on the Domain will be able to enumerate the members of the Domain Administrators
Group. There is little point in disabling it when it can be easily re-enabled by those untrusted Domain Administrators.

What Shang Tsung requires is Delegation of Administration (DofA). This is the application of roles-based
administration where each administrator is assigned only the rights that are specifically required to
do their job and nothing else. This is achieved by performing a Roles and Responsibilities analysis which
maps job functions to administrative access and allows the DofA designer to create appropriate
delegations that can be assigned to those job functions. My company has specialised in this for years.

As an example, Shang Tsung might identify a requirement for his first-line helpdesk team to be granted the
ability to reset the passwords and unlock the accounts of non-privileged users. A role group would be
created that has those rights, on specific Organisational Units, and the helpdesk team group would be
joined to the role group, thus assigning those rights.

This model is built up to include all the administrative staff, so that permanent Domain and Enterprise
Administrators no longer exist. Servers are analysed to ensure that no services require the Domain
Administrator Account and once the necessary service accounts are implemented, the account password
can be changed and stored in a safe under management control.

The business can then choose when Domain Administration is actually required and can wrap the requirement
in an appropriate change management mechanism.
HTH
Cheers

James D. Stallard 

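The helpdesk delegation James describes (a role group holding reset-password and unlock rights on one OU, with the team group nested into it), written out as an added PowerShell example that is not from the thread or from his company. The OU and group names are placeholders; it assumes the RSAT ActiveDirectory module and the AD: drive it provides.

```powershell
# Added example, not from the thread: delegate "reset password" and "unlock account" for
# user objects under one OU to a role group, then nest the helpdesk team group in it.
# All OU and group names below are assumed placeholders.
Import-Module ActiveDirectory

$targetOU  = 'OU=Staff,DC=example,DC=com'   # assumed OU holding non-privileged users
$rolesOU   = 'OU=Roles,DC=example,DC=com'   # assumed OU where role groups live
$roleGroup = 'Role-Helpdesk-PwdReset'        # assumed role group (created if missing)
$teamGroup = 'Team-Helpdesk-L1'              # assumed existing job-function group

if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope DomainLocal -Path $rolesOU `
        -Description "Reset password / unlock for users under $targetOU"
}
$roleSid = (Get-ADGroup -Identity $roleGroup).SID

# Well-known Active Directory schema and extended-right GUIDs.
$userClassGuid   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPwdGuid    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" right
$lockoutTimeGuid = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute

$acl = Get-Acl -Path "AD:\$targetOU"

# ACE 1: the Reset Password control-access right, inherited by descendant user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $roleSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

# ACE 2: read/write of lockoutTime on descendant users, which is what "unlock account" needs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $roleSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Assign the rights to the job function by nesting the team group in the role group.
Add-ADGroupMember -Identity $roleGroup -Members $teamGroup
```

Because the ACEs are scoped to descendant user objects of one OU, members of the role group gain nothing over privileged accounts kept in a separate OU, which is the point of the split James describes.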