While the Administrator account does use a well-known number (its relative identifier) in its SID, the other part of the SID is a unique number identifying the computer. To find that computer-specific part, an attacker must have anonymous access. Anonymous access is the ability to connect to a computer and obtain information without having an account and password. Once connected, an attacker may be able to list account names, access information that is not properly protected by file system permissions, and so on.
To deduce the SID of the Administrator account, the attacker obtains the account list, translates the account into a SID, retrieves the computer part of the SID, adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. To foil this process, use the security options below, which block anonymous access and other types of attacks that use anonymous access.
Checklist: Block anonymous access

1. Disable the option "Network Access: Allow anonymous SID/name translation."
   Once disabled, this option prevents anonymous SID/name translation. Combine it with the next option to keep an attacker from using an anonymous connection to deduce account names.

2. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."
   When enabled, this option prevents enumeration of the user account list over an anonymous connection. When both this and the preceding option are in place, the changed name of the Administrator account stays hidden from an attacker using an anonymous connection.

3. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."
   When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by permissions, anonymous access won't matter. If share permissions are not correct, or when they inadvertently grant access to an anonymous connection, you need to block the anonymous connection to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where that group is given access permissions.

4. Disable the option "Network Access: Let Everyone permissions apply to anonymous users."
   On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources granted to that group. Keep this option disabled to prevent such access.

5. Enter the names of named pipes, if necessary, in the option "Network Access: Named Pipes that can be accessed anonymously."
   Named pipes are another way client/server programs make network connections: one part of a program runs on one computer and another part on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it only where required.

6. Enter the names of shares, if necessary, in the option "Network Access: Shares that can be accessed anonymously."
   Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require
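The six options above live in the local security policy, and an administrator can export that policy to a text template with `secedit /export /cfg out.inf` and check it offline. The script below is an added example, not part of the original checklist, that parses such an export and reports each item's status. It assumes, from my reading of the template format rather than anything stated on this page, that item 1 appears as the `LSAAnonymousNameLookup` line under `[System Access]`, and that items 2 to 6 appear under `[Registry Values]` as the `RestrictAnonymousSAM`, `RestrictAnonymous`, `EveryoneIncludesAnonymous`, `NullSessionPipes` and `NullSessionShares` values, written as `path=type,value` with type code 4 for REG_DWORD and 7 for REG_MULTI_SZ. The sample export embedded in the script is constructed, not taken from a real machine.

```python
"""Audit a secedit security-template export against the anonymous-access checklist.

Added example; assumptions about the INF layout are noted in the comments.
A setting that is absent from the export is reported as failing, because the
template then says nothing about it and the checklist cannot be confirmed.
"""

# Registry paths as they appear in the [Registry Values] section (assumed layout).
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample export: SID/name translation and SAM enumeration are already
# blocked, but share enumeration and Everyone-to-anonymous mapping are still open,
# and two named pipes are allowlisted for anonymous use.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=7,browser,legacyapp
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares=7,
[Version]
signature="$CHICAGO$"
Revision=1
"""

ITEMS = {
    1: "anonymous SID/name translation disabled",
    2: "anonymous enumeration of SAM accounts blocked",
    3: "anonymous enumeration of SAM accounts and shares blocked",
    4: "Everyone permissions not applied to anonymous users",
    5: "no named pipes allowlisted for anonymous access",
    6: "no shares allowlisted for anonymous access",
}


def parse_template(text):
    """Return {section: {key: value}} from INI-style secedit output (hand-parsed,
    because keys contain backslashes and values may contain commas)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def registry_value(sections, path):
    """Decode one 'type,value' entry; None when the template does not set it."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    kind, _, payload = raw.partition(",")
    if kind == "4":                      # REG_DWORD (assumed type code)
        return int(payload)
    if kind == "7":                      # REG_MULTI_SZ, comma separated, may be empty
        return [p for p in payload.split(",") if p]
    return payload                       # REG_SZ and anything else: keep as text


def audit(text):
    """Return (findings keyed by checklist item -> bool, allowlists to review)."""
    s = parse_template(text)
    lookup = s.get("System Access", {}).get("LSAAnonymousNameLookup")
    pipes = registry_value(s, SRV + r"\NullSessionPipes") or []
    shares = registry_value(s, SRV + r"\NullSessionShares") or []
    findings = {
        1: lookup == "0",
        2: registry_value(s, LSA + r"\RestrictAnonymousSAM") == 1,
        3: registry_value(s, LSA + r"\RestrictAnonymous") == 1,
        4: registry_value(s, LSA + r"\EveryoneIncludesAnonymous") == 0,
        # Items 5 and 6 are allowlists: compliant only when empty; any entry needs review.
        5: not pipes,
        6: not shares,
    }
    return findings, {"pipes": pipes, "shares": shares}


if __name__ == "__main__":
    findings, allowlists = audit(SAMPLE_TEMPLATE)
    for item, ok in findings.items():
        print("PASS" if ok else "FAIL", item, ITEMS[item])
    print("review anonymous pipes:", allowlists["pipes"], "shares:", allowlists["shares"])
```

To audit a real system, replace `SAMPLE_TEMPLATE` with the contents of an exported template (secedit writes the file in UTF-16, so open it with `encoding="utf-16"`). Items 5 and 6 deliberately fail on any entry rather than on a wrong value: the checklist's advice is to allow anonymous access only where a specific legacy application needs it, so every listed pipe or share should be justified by name.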
About the author: Roberta Bragg is author of "Hardening Windows Systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
This was first published in March 2005