Recipe 11.3. Renaming the Administrator and Guest Accounts

Problem

You want to rename the administrator and guest accounts on your servers. This is a good practice because these two default accounts are often the target of attackers.

Solution

Using a graphical user interface

To rename a domain administrator or guest account, do the following:

  1. From Administrative Tools, open the Active Directory Users and Computers snap-in.

  2. In the left pane, browse to the Users container and click on it.

  3. In the right pane, right-click the administrator or guest account and select Rename.

  4. Type the new name for the account and hit Enter.

To rename a local administrator or guest account, do the following:

  1. From Administrative Tools, open the Computer Management snap-in.

  2. In the left pane, expand System Tools → Local Users and Groups.

    In the right pane, right-click on either the Administrator or Guest account and select Rename.

  3. Type the new name for the account and press Enter.

Using a command-line interface

To rename a domain administrator account, use the dsmove.exe command (available on Windows Server 2003). The following shows the basic syntax:

> dsmove "cn=administrator,cn=users,<DomainDN>" -newname "<NewName>"

For example:

> dsmove "cn=administrator,cn=users,dc=rallencorp,dc=com" -newname "admn"

And this shows how to rename the domain guest account:

> dsmove "cn=guest,cn=users,dc=rallencorp,dc=com" -newname "noguest"

To rename local accounts, use the cusrmgr.exe utility from the Windows 2000 Resource Kit:

> cusrmgr -m \\<ServerName> -u administrator -r <NewName>

For example:

> cusrmgr -m \\srv01 -u administrator -r admn

And to rename the local guest account:

> cusrmgr -m \\<ServerName> -u guest -r <NewName>

For example:

> cusrmgr -m \\srv01 -u guest -r noguest

Using VBScript

    ' This code renames a domain account.
    ' ------ SCRIPT CONFIGURATION ------
    strObjectOldName   = "<OldName>"         ' e.g., administrator
    strObjectNewName   = "<NewName>"         ' e.g., RallencorpAdmin
    strCurrentParentDN = "<CurrentParentDN>" ' e.g., cn=users,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------

    ' Bind to the parent container and rename the object in place.
    set objCont = GetObject("LDAP://" & strCurrentParentDN)
    objCont.MoveHere "LDAP://cn=" & strObjectOldName & "," & _
                     strCurrentParentDN, "cn=" & strObjectNewName
    WScript.Echo strObjectOldName & " successfully renamed"

    ' This code renames a local account.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"   ' e.g., srv01
    strOldName = "<OldName>"       ' e.g., Guest
    strNewName = "<NewName>"       ' e.g., RallencorpGuest
    ' ------ END CONFIGURATION ---------

    ' Bind to the computer and the user, then rename the user with MoveHere.
    set objComp = GetObject("WinNT://" & strComputer)
    set objUser = GetObject("WinNT://" & strComputer & "/" & strOldName & ",user")
    set objNewUser = objComp.MoveHere(objUser.ADsPath, strNewName)
    WScript.Echo "Successfully renamed account"

Discussion

You can also rename the administrator and guest accounts using group policy or local policy. To do so with group policy, do the following:

  1. Edit the target GPO with the Group Policy Object Editor.

  2. Navigate to Computer Configuration

    In the right pane, double-click either Rename administrator account or Rename guest account.

  3. Check the box beside Define this policy setting and type in the new name for the account.

  4. Click OK.

If you are worried about using an obscure name for your administrator account like vadar and forgetting what you used later, you can always discover the name by looking up the account by SID. There is also a Joeware tool called sidtoname to help do the job. Simply pass the SID of the account to the sidtoname command as shown here:

D:\>sidtoname S-1-5-21-1801674531-2025429265-839522115-500
SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003
[User]: RALLENCORP\Vadar
The command completed successfully.

You can get a complete list of the well-known accounts and their corresponding SIDs in MS KB 243330.

You may be wondering what the point of renaming the administrator account is if its actual name can be found by looking up the SID. Ultimately, attackers can find out the name of well-known accounts, but there are still many viruses and worms that have attempted to access the administrator account by name. So renaming is still effective against less sophisticated attackers and viruses.
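The SID lookup described above can also be used to audit whether the rename was actually applied on each server. The following is an added example, not code from the book: it queries WMI's Win32_UserAccount class for the local accounts whose SIDs end in -500 (administrator) and -501 (guest) and reports whether they still carry the default names. The server list (srv01) is an assumed sample value, and the script is meant for the local accounts of member servers and workstations.

```vbscript
' Added example (not from the book): report whether the built-in local
' administrator (RID 500) and guest (RID 501) accounts have been renamed.
' ------ SCRIPT CONFIGURATION ------
arrComputers = Array("srv01")   ' assumed sample list of servers to audit
' ------ END CONFIGURATION ---------

For Each strComputer In arrComputers
   AuditComputer strComputer
Next

Sub AuditComputer(strComputer)
   Dim objWMI, colAccounts, objAcct
   On Error Resume Next
   Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
   If Err.Number <> 0 Then
      WScript.Echo strComputer & ": could not connect (" & Err.Description & ")"
      Err.Clear
      Exit Sub
   End If
   On Error GoTo 0

   ' LocalAccount = True keeps the query from enumerating domain accounts
   ' when the target is a domain member.
   Set colAccounts = objWMI.ExecQuery( _
      "SELECT Name, SID, Disabled FROM Win32_UserAccount " & _
      "WHERE LocalAccount = True")
   For Each objAcct In colAccounts
      CheckAccount strComputer, objAcct, "-500", "administrator"
      CheckAccount strComputer, objAcct, "-501", "guest"
   Next
End Sub

Sub CheckAccount(strComputer, objAcct, strRidSuffix, strDefaultName)
   ' The suffix includes the hyphen, so a RID such as 1500 does not match.
   If Right(objAcct.SID, Len(strRidSuffix)) <> strRidSuffix Then Exit Sub
   If LCase(objAcct.Name) = strDefaultName Then
      WScript.Echo strComputer & ": built-in " & strDefaultName & _
                   " account still has its default name"
   Else
      WScript.Echo strComputer & ": built-in " & strDefaultName & _
                   " account is named " & objAcct.Name & _
                   " (disabled: " & objAcct.Disabled & ")"
   End If
End Sub
```

Run it with cscript.exe from an account that has administrative rights on the listed servers.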

See Also

MS KB 243330 (Well Known Security Identifiers in Windows Server Operating Systems) and MS KB 320053 (HOW TO: Rename the Administrator and Guest Account in Windows 2000)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen