分享
 
 
 

解开Windows的Administrator帐号的两个疑问

王朝system·作者佚名  2006-03-16
窄屏简体版  字體: |||超大  

Debunking two myths about the Windows administrator account

解开Windows的Administrator帐号的两个疑问

by Michael Mullins CCNA, MCP

作者:Michael Mullins CCNA, MCP

翻译:endurer

英文来源:http://techrepublic.com.com/5100-1009_11-6043016.html?tag=nl.e101

Keywords: Microsoft Windows | Security | Windows 2000 | Microsoft Server 2003

关键字: 微软视窗 | 安全 | Windows 2000 | Microsoft Server 2003

Takeaway:

The administrator account has always been an appealing target for hackers, but the Window administrator account can be particularly problematic. While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.

概述:

Administrator帐号一直是对hacker们有吸引力的目标,但是Windows的Administrator帐号可能是独别令人存疑的。尽管一些人理解这个帐号在全面安全中扮演的重要角色,但在锁定它时存在一些误解。在本期安全解决方案中,Mike Mullins解开了Windows的Administrator帐号的两个疑问。

---------------------------------------------------------------------------

When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem—the administrator account comes with no password and an obvious default name ("administrator").

每一个Hacker访问帐号时,其目标是获得对administrator (或root)帐号的访问权。在Windows系统中,这能特别表明一个问题——administrator帐号未提供密码和显而易见的默认名 ("administrator")。

《endurer注:1。come with 伴随...发生;与...一起供给》

While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.

尽管一些人理解这个帐号在全面安全中扮演的重要角色,但在锁定它时存在一些误解。让我们看看关于Windows的Administrator帐号的两个最大疑问的理解和事实。

《endurer注:1。take a look 注视》

Myth: Renaming this account prevents hackers from finding it

疑问:重命名这个帐号防止hacker发现它

Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.

Windows 2000: 这是不行的。Windows 2000的administrator帐号有一个以-500结尾的默认安全标识(SID)。Hacker们可以通过在活动目录或本地SAM中枚举SID而把这个帐号作为目标。

《endurer注:1。end in 以...为结果》

However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:

然而,你能禁用在您的域中枚举SID的能力,步骤如下:

Open the Active Directory Users And Computers console.

打开活动目录用户和计算机控制台。

Right-click the domain, and select Properties.

右击域,选择“属性”。

On Group Policy tab, click the Default Domain Policy, and select Edit.

在组策略选项卡,点击默认域策略,选择“编辑”。

Drill-down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.

展开计算机配置 | Windows设置 | 安全设置 | 本地策略 | 安全选项

Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.

双击“附加匿名连接限制”,选择定义这个策略选项。

Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.

从下拉列表中选择“不允许SAM账户和共享的枚举。”

Click OK, and close the console.

点击“确定”,关闭控制台。

Go to Start | Run, enter cmd, and click OK.

开始 | 运行,输入:cmd,点击“确定”。

At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].

在命令提示符下,输入:gpupdate,回车,输入:exit,回车。

Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.

Windows Server 2003: 这是可行的。Windows Server 2003允许你完全地禁用内置的administrator帐号。但是在禁用该帐号之前,你仍然需要禁止SID枚举。

You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.

你可以按上面列的步骤做,但有一个例外:双击网络访问(代替附加匿名连接限制),选择“允许匿名SID/名称转换”,并确认你已经禁用该策略。

In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:

另外,在禁用administrator帐号之前,你需要创建一个新的管理员帐号。然后按下列步骤禁用老帐号:

《endurer注:1。in addition 另外》

Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.

以新管理员帐号登录,打开活动目录用户和计算机控制台,选择用户容器。

Right-click the name of the default administrator account, and click Properties.

右击默认管理员帐号名,点击“属性”。

On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.

在“帐号”选项卡,选择帐号选项下的“帐号被禁用”检查框,点击“确定”。

Now, the only account with full administrative rights has a name known only to you—and hackers can't enumerate SIDS to find it!

现在, 唯一具有完全管理权力的帐号的名字只有你知道——hacker们不能枚举SID来找到它。

Myth:You can't lock out the account after failed logon attempts

疑问:在登录尝试失败后你不能锁定帐号

《endurer注:1。lock out 把...关在外面》

Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)

Windows 2000: 这是不行的。如果你已经设置帐号锁定的安全选项,则可以锁定此帐号的网络登录。(这不应用于交互式或控制台登录。)

To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.

要配置帐号在x次登录失败后锁定账号,你需要名为Passprop.exe的工具。你可以在Windows 2000 Professional或Windows 2000 Server的资源工具箱中的Netmgmt.cab中找到这个工具。

Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts.

Windows Server 2003: 也不行!像Windows 2000一样,你可以使用Passprop.exe工具来设置administrator帐号在x次登录失败后锁定。

However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.

然而,记住,在Windows Server 2003版本的这个工具在在x次登录失败后也将锁定默认管理员帐号(网络和交互式)。确认你有后备方法来为此帐号解锁。

Final thoughts

Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.

总结:

帐号安全是基本安全管理最佳惯例的要害。这就为什么执行此安全并保持管理权力安全是至关重要的原因。

《endurer注:1。at heart: 在内心里(在本质上)》

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有