Recipe 11.3. Renaming the Administrator and Guest Accounts

Problem

You want to rename the administrator and guest accounts on your servers. This is good practice because these two default accounts are frequent targets of attackers.

Solution

Using a graphical user interface

To rename a domain administrator or guest account, do the following:
To rename a local administrator or guest account, do the following:
Using a command-line interface

To rename a domain administrator account, use the dsmove.exe command (available on Windows Server 2003). The following shows the basic syntax:

    > dsmove "cn=administrator,cn=users,<DomainDN>" -newname "<NewName>"

For example:

    > dsmove "cn=administrator,cn=users,dc=rallencorp,dc=com" -newname "admn"

And this shows how to rename the domain guest account:

    > dsmove "cn=guest,cn=users,dc=rallencorp,dc=com" -newname "noguest"

Note that dsmove -newname changes only the object's relative distinguished name (its cn). The logon names (sAMAccountName and userPrincipalName) are left as they were, so set them separately as well; the Rename dialog in Active Directory Users and Computers prompts for both logon names for exactly this reason.

To rename local accounts, use the cusrmgr.exe utility from the Windows 2000 Resource Kit:

    > cusrmgr -m \\<ServerName> -u administrator -r <NewName>

For example:

    > cusrmgr -m \\srv01 -u administrator -r admn

And to rename the local guest account:

    > cusrmgr -m \\<ServerName> -u guest -r <NewName>

For example:

    > cusrmgr -m \\srv01 -u guest -r noguest

Using VBScript

    ' This code renames a domain account.
    ' Note: like dsmove, MoveHere changes only the cn (RDN) of the object;
    ' the sAMAccountName and userPrincipalName must be changed separately.
    ' ------ SCRIPT CONFIGURATION ------
    strObjectOldName = "<OldName>"          ' e.g., administrator
    strObjectNewName = "<NewName>"          ' e.g., RallencorpAdmin
    strCurrentParentDN = "<CurrentParentDN>" ' e.g., cn=users,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------

    set objCont = GetObject("LDAP://" & strCurrentParentDN)
    objCont.MoveHere "LDAP://cn=" & strObjectOldName & "," & _
                     strCurrentParentDN, "cn=" & strObjectNewName
    WScript.Echo strObjectOldName & " successfully renamed to " & strObjectNewName

    ' This code renames a local account.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"   ' e.g., srv01
    strOldName  = "<OldName>"      ' e.g., Guest
    strNewName  = "<NewName>"      ' e.g., RallencorpGuest
    ' ------ END CONFIGURATION ---------

    set objComp = GetObject("WinNT://" & strComputer)
    set objUser = GetObject("WinNT://" & strComputer & "/" & strOldName & ",user")
    ' With the WinNT provider, MoveHere into the same container with a new
    ' name renames the SAM account itself.
    set objNewUser = objComp.MoveHere(objUser.ADsPath, strNewName)
    WScript.Echo "Successfully renamed account " & strOldName & " to " & strNewName

Discussion

You can also rename the administrator and guest accounts using group policy or local policy. To do so with group policy, edit a GPO that applies to the servers, open Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and set the policies Accounts: Rename administrator account and Accounts: Rename guest account to the new names (on Windows 2000 the same two policies appear without the "Accounts:" prefix). The policy renames the accounts by their well-known SIDs on every computer it applies to, whatever they are currently called. The same settings are available under Local Policies in the Local Security Policy console for a single server.
If you are worried about using an obscure name for your administrator account like vadar and forgetting what you used later, you can always discover the name by looking up the account by SID: the built-in administrator always has a relative ID (RID) of 500 and the built-in guest a RID of 501, no matter what they are called. There is also a Joeware tool called sidtoname to help do the job. Simply pass the SID of the account to the sidtoname command, as shown here:

    D:\>sidtoname S-1-5-21-1801674531-2025429265-839522115-500
    SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003

    [User]: RALLENCORP\Vadar

    The command completed successfully.

You can get a complete list of the well-known accounts and their corresponding SIDs in MS KB 243330.

You may be wondering, if the real administrator account name can be found by looking up its SID, what the point of renaming it is. Ultimately, attackers can find out the names of well-known accounts (any authenticated user can perform the lookup shown above), but many viruses and worms still attempt to access the administrator account by name. Renaming is therefore still effective against less sophisticated attackers and automated malware, and it belongs alongside a strong administrator password and account lockout rather than in place of them.

See Also

MS KB 243330 (Well Known Security Identifiers in Windows Server Operating Systems) and MS KB 320053 (HOW TO: Rename the Administrator and Guest Account in Windows 2000)
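The following PowerShell script is an added example and is not code from this recipe or from the book. It ties the Solution and the Discussion together: it locates the built-in Administrator (RID 500) and Guest (RID 501) accounts by SID rather than by name, reports their current names (the same lookup the recipe does with Joeware's sidtoname, here done with the .NET SecurityIdentifier.Translate method), and renames them, changing the domain logon names as well as the cn. The names admn and noguest are the recipe's examples; the function name Resolve-SidToName and the parameter names are my own. It assumes PowerShell 5.1 or later and the built-in LocalAccounts module (Windows 10 / Windows Server 2016 and later) for the local part, and the RSAT ActiveDirectory module plus Domain Admin rights for the -Domain part. It supports -WhatIf, so run it once with -WhatIf to see what would change.

```powershell
<#
Added example, not code from the Windows Server Cookbook.
Finds the built-in Administrator (RID 500) and Guest (RID 501) by SID,
prints their current names, and renames them. Run elevated.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NewAdminName = 'admn',     # example names taken from the recipe
    [string]$NewGuestName = 'noguest',
    [switch]$Domain                     # also rename the domain accounts
)

# sidtoname equivalent: resolve a SID string to DOMAIN\name through the LSA.
function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        "<unresolved: $Sid>"
    }
}

# Well-known RIDs (MS KB 243330). They never change when the account is
# renamed, which is why the lookups below key on them instead of on names.
$targets = @(
    @{ Rid = 500; NewName = $NewAdminName; Label = 'Administrator' },
    @{ Rid = 501; NewName = $NewGuestName; Label = 'Guest' }
)

# --- Local accounts (equivalent of the cusrmgr commands) -------------------
# Domain controllers have no local SAM (DomainRole 4 or 5), so skip them.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
if (-not $isDc) {
    foreach ($t in $targets) {
        $acct = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith("-$($t.Rid)") }
        if (-not $acct) { Write-Warning "No local account with RID $($t.Rid)"; continue }
        $resolved = Resolve-SidToName $acct.SID.Value
        Write-Host "Local $($t.Label) (RID $($t.Rid)) is currently '$($acct.Name)' -> $resolved"
        if ($acct.Name -eq $t.NewName) { continue }
        if ($PSCmdlet.ShouldProcess($acct.Name, "Rename-LocalUser -NewName $($t.NewName)")) {
            # Unlike dsmove, this renames the SAM account name itself.
            Rename-LocalUser -Name $acct.Name -NewName $t.NewName
        }
    }
}

# --- Domain accounts (equivalent of the dsmove commands) -------------------
if ($Domain) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($t in $targets) {
        $sid  = "$domainSid-$($t.Rid)"
        $user = Get-ADUser -Identity $sid          # -Identity accepts a SID
        $resolved = Resolve-SidToName $sid
        Write-Host "Domain $($t.Label) (RID $($t.Rid)) is currently '$($user.SamAccountName)' -> $resolved"
        if ($user.SamAccountName -eq $t.NewName) { continue }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "rename to $($t.NewName)")) {
            # dsmove -newname and the VBScript MoveHere change only the cn.
            # Change the logon name too, otherwise 'administrator' still works
            # at the logon prompt. The built-in accounts usually have no UPN;
            # update it only if one is set.
            $set = @{ Identity = $user; SamAccountName = $t.NewName }
            if ($user.UserPrincipalName) {
                $suffix = ($user.UserPrincipalName -split '@')[-1]
                $set.UserPrincipalName = "$($t.NewName)@$suffix"
            }
            Set-ADUser @set
            Rename-ADObject -Identity $user.DistinguishedName -NewName $t.NewName
        }
    }
}
```

Keying on the RID is the practical answer to the Discussion's question: an administrator who forgot the obscure name, and an attacker with any authenticated account, can both recover it the same way, so the script treats the SID as the identity and the name as a changeable attribute. Renaming the sAMAccountName on the domain account is what makes the rename visible at the logon prompt; the cn change alone only alters how the object is displayed in the directory.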