Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-10-05) The Default Domain Administrator Account Is Locked!?

Posted by Jorge on 2006-10-05


Yes, the default ADMINISTRATOR can be locked out (wait!)

What I mean is that if you have a lockout threshold of, let's say, 5, the lockoutTime attribute will show the date and time the account was locked. In ADUC (Active Directory Users and Computers, using another custom admin account for example) you will see the default ADMINISTRATOR is locked… you will even see an event ID 644 mentioning the account lockout.

HOWEVER… here it comes…

While the default ADMINISTRATOR is locked, the DC (SYSTEM) will unlock it automatically AS SOON AS the correct password is used, that is, even before the lockout duration has expired and the account would normally be unlocked.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

9 Responses to “(2006-10-05) The Default Domain Administrator Account Is Locked!?”

  1. Paul said

    So, basically, a brute-force attack on the Administrator account is a very viable option ? After all, the moment I hit the right password, it’ll unlock automatically too. Rather defies the point of account lockout, does it not ?
    Another excellent reason to rename the Admin-account and create a dummy ‘Administrator’-account.

  2. Jorge said

    That is one of the reasons the default administrator account SHOULD have a VERY VERY VERY strong password (passphrase) and also be stored in a sealed envelope within a vault.

    Renaming the account is a very small risk mitigating action. Why? If I have the possibility to query AD for the account with RID -500, I will find the administrator account.

    Jorge
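    An added example, not code from the original post or its comments: a PowerShell check that locates the built-in Administrator by its well-known RID 500 (so a rename, as discussed above, does not hide it) and reads the lockoutTime attribute the post describes, comparing it with the domain lockout duration the way a DC does. It assumes the ActiveDirectory RSAT module and a reachable domain controller.

```powershell
# Added example (not from the original post). Finds the RID-500 account
# regardless of its current name and reports its lockout state.
# Assumes: ActiveDirectory module (RSAT) loaded, a reachable DC, domain user rights.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"   # RID 500 = built-in Administrator

# Identity accepts a SID, so a renamed account is still found.
$admin = Get-ADUser -Identity $adminSid -Properties lockoutTime, LockedOut, Enabled

$policy    = Get-ADDefaultDomainPasswordPolicy
$threshold = $policy.LockoutThreshold   # 0 means lockout is disabled entirely
$duration  = $policy.LockoutDuration    # 00:00:00 means "until an admin unlocks"

Write-Host "Built-in Administrator is currently named: $($admin.SamAccountName)"
Write-Host "Enabled: $($admin.Enabled)   LockedOut (as reported by the DC): $($admin.LockedOut)"

if ($threshold -eq 0) {
    Write-Host "Note: LockoutThreshold is 0, so no account in this domain ever locks out."
}

# lockoutTime is a FILETIME (100 ns ticks since 1601-01-01 UTC). It is NOT
# cleared when the lockout duration expires; the DC decides "locked" by
# comparing lockoutTime + LockoutDuration with the current time, so do the same.
if ($admin.lockoutTime -gt 0) {
    $lockedAt = [DateTime]::FromFileTimeUtc($admin.lockoutTime)
    Write-Host "Last lockout recorded at (UTC): $lockedAt"
    if ($duration -eq [TimeSpan]::Zero) {
        Write-Host "Policy requires manual unlock; the account stays locked until an admin unlocks it."
    } elseif ((Get-Date).ToUniversalTime() -lt $lockedAt.Add($duration)) {
        Write-Host "Still inside the lockout window (ends $($lockedAt.Add($duration)) UTC)."
    } else {
        Write-Host "Lockout window has expired; the DC treats the account as unlocked."
    }
} else {
    Write-Host "No lockout recorded (lockoutTime = 0)."
}
```

    If LockedOut reports $false while lockoutTime is still inside the window, that is the early unlock on a correct password which the post describes.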

  3. Jorge said

    Oh… and another option would be to disable it using a GPO. When a DC is rebooted in "Safe Mode with networking" the disabled status is removed.

  4. Carlos said

    I was so close to shooting you down on this one until I saw the HOWEVER part 😉

    Good to see you back
    Carlos

  5. Jorge said

    Thanks buddy!

  6. Paul said

    That’d require at least Authenticated access to the AD (presuming you’re not silly enough to open up LDAP read-access to Everyone), but yes, I see your point.

    Putting in a strong password for an Administrator is of course absolutely vital, especially an account such as this. I know that plenty of people believe security through obscurity doesn’t add much, but personally, I don’t mind putting in an extra honeypot (how many people are going to query the RID of an account if they hit upon a response from the default Admin account? Only paranoid people.. like.. well, you…. me.. ehm, anyway, you see my point. 😉 )

    As a side-note, I’m still a very big fan of the 2-key/4-eyes principle, in which the stored password is actually cut in half and stored in two different vaults, accessible only by different people.. but that’s me..

  7. ptwilliams said

    The administrator account should be locked. This removes the DOS you mention, and as Jorge has already said, isn’t an issue if every account is locked or disabled as you can still logon in safe mode.

    I don’t buy renaming the administrator account and creating a dummy account with that name, but I can appreciate why some people do this.

    Good post Jorge. It’s funny. I was asked a question about this yesterday and I was getting ready to go digging through all the info. on this. I don’t have to now. I’ll rephrase your words as my own… : )

    –Paul

  8. Jorge said

    Paul,

    In your first line you say: “The administrator account should be locked”. I think you mean “The administrator account should be disabled”

    Sometimes, I can read people’s mind and then go and posting something…

    No Paul, get the idea of me getting a beer for you out of your mind! 😉

    jorge

  9. ptwilliams said

    Ha ha. You are correct of course. And as for the beer. It’ll be out of my mind when you buy me two! 😉
