Debunking two myths about the Windows administrator account
by Michael Mullins CCNA, MCP
Translated by: endurer
English source: http://techrepublic.com.com/5100-1009_11-6043016.html?tag=nl.e101
Keywords: Microsoft Windows | Security | Windows 2000 | Microsoft Server 2003
Takeaway:
The administrator account has always been an appealing target for hackers, but the Windows administrator account can be particularly problematic. While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.
---------------------------------------------------------------------------
When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems this presents a particular problem: the administrator account comes with no password and an obvious default name ("administrator").
《endurer's note: 1. come with: to accompany; to be supplied together with》
While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.
《endurer's note: 1. take a look: to look at》
Myth: Renaming this account prevents hackers from finding it
Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.
《endurer's note: 1. end in: to result in》
However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:
1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On the Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].
Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.
You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.
In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:
《endurer's note: 1. in addition: furthermore》
1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.
Now, the only account with full administrative rights has a name known only to you, and hackers can't enumerate SIDs to find it!
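The two points above (the built-in account is identified by its RID 500 regardless of its name, and anonymous enumeration plus disabling the account are what actually hide it) can be audited on a single machine with the following PowerShell script. This is an added example, not part of the original article; it assumes Windows 10 / Server 2016 or later (the LocalAccounts module) and that RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the registry value behind the "Additional Restrictions For Anonymous Connections" policy.

```powershell
# Added audit example (not from the article).
# Assumes local administrator rights on a Windows 10 / Server 2016+ host.

# 1. Find the built-in administrator by RID, whatever it has been renamed to.
#    Renaming changes only the name; the SID still ends in -500.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) {
    Write-Warning 'No account with RID 500 found on this machine.'
    return
}

# 2. Read the anonymous-enumeration restriction. Value meanings (assumption
#    based on the Windows 2000 policy): 0 = rely on default permissions,
#    1 = do not allow enumeration of SAM accounts and shares,
#    2 = no access without explicit anonymous permissions.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath
$restrictAnonymous = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }

# 3. Summarise what an anonymous caller could still learn about the account.
$report = [pscustomobject]@{
    BuiltinName             = $builtin.Name
    RenamedFromDefault      = ($builtin.Name -ne 'Administrator')
    SID                     = $builtin.SID.Value
    AccountDisabled         = (-not $builtin.Enabled)
    RestrictAnonymous       = $restrictAnonymous
    AnonymousEnumBlocked    = ($restrictAnonymous -ge 1)
}
$report | Format-List

# A rename alone leaves the account discoverable via its SID; the account is
# only hidden when enumeration is blocked, and only harmless when it is disabled.
if (-not $report.AnonymousEnumBlocked) {
    Write-Warning 'Anonymous SAM enumeration is not restricted; renaming the account does not hide it.'
}
if (-not $report.AccountDisabled) {
    Write-Warning 'Built-in administrator (RID 500) is still enabled.'
}
```

Run the script before and after applying the group policy steps to confirm the setting took effect after gpupdate.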
Myth: You can't lock out the account after failed logon attempts
《endurer's note: 1. lock out: to shut out》
Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)
To configure this account to lock out after x failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.
Windows Server 2003: This is also false! As on Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x failed logon attempts.
However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account for both network and interactive logons after x failed logons. Make sure you have a backup method for unlocking this account.
Final thoughts
Account security is at the heart of basic security administration best practices. That's why it's vital that you implement these measures and keep your administrative rights secure.
《endurer's note: 1. at heart: inwardly (in essence)》