Debunking two myths about the Windows administrator account
by Michael Mullins CCNA, MCP
Translated by: endurer
English source: http://techrepublic.com.com/5100-1009_11-6043016.html?tag=nl.e101
Keywords: Microsoft Windows | Security | Windows 2000 | Microsoft Server 2003
Takeaway:
The administrator account has always been an appealing target for hackers, but the Windows administrator account can be particularly problematic. While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. In this edition of Security Solutions, Mike Mullins debunks two of the biggest myths about this account.
---------------------------------------------------------------------------
When it comes to accessing accounts, the goal of every hacker is to get access to the administrator (or root) account. On Windows systems, this can especially present a problem—the administrator account comes with no password and an obvious default name ("administrator").
《endurer's note: 1. come with: to occur along with; to be supplied together with》
While many people understand the important role this account plays in overall security, there are several misconceptions when it comes to locking it down. Let's take a look at the perception and the reality of two of the biggest myths about the Windows administrator account.
《endurer's note: 1. take a look: to look at》
Myth: Renaming this account prevents hackers from finding it
Windows 2000: This is false. The Windows 2000 administrator account has a default security identifier (SID) that ends in -500. Hackers can target this account by enumerating SIDs from Active Directory or the local SAM.
《endurer's note: 1. end in: to result in》
However, you can disable the ability to enumerate SIDs in your domain. Follow these steps:
1. Open the Active Directory Users And Computers console.
2. Right-click the domain, and select Properties.
3. On the Group Policy tab, click the Default Domain Policy, and select Edit.
4. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
5. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
6. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
7. Click OK, and close the console.
8. Go to Start | Run, enter cmd, and click OK.
9. At the command prompt, enter gpupdate, press [Enter], enter exit, and press [Enter].
Windows Server 2003: This is true. Windows Server 2003 allows you to completely disable the built-in administrator account. But before disabling the account, you should still disable enumeration of SIDs.
You can do so by following the steps above, with one exception: Double-click Network Access (instead of Additional Restrictions For Anonymous Connections), select Allow Anonymous SID/Name Translation, and make sure you've disabled the policy.
In addition, before you disable the administrator account, you should create a new administrator account. Then, follow these steps to disable the old account:
《endurer's note: 1. in addition: additionally; besides》
1. Log on with the new administrator account, open the Active Directory Users And Computers console, and select the Users container.
2. Right-click the name of the default administrator account, and click Properties.
3. On the Account tab, select the Account Is Disabled check box under Account Options, and click OK.
Now, the only account with full administrative rights has a name known only to you—and hackers can't enumerate SIDs to find it!
Myth: You can't lock out the account after failed logon attempts
《endurer's note: 1. lock out: to shut (someone) out》
Windows 2000: This is false. If you've set the security option for account lockout, you can lock out this account for network logons. (This doesn't apply to interactive or console logons.)
To configure this account to lock out after x number of failed logon attempts, you need a tool called Passprop.exe. You can find this utility in the Netmgmt.cab file on the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.
Windows Server 2003: This is also false! Like Windows 2000, you can use the Passprop.exe utility to set the administrator account to lock out after x number of failed logon attempts.
However, keep in mind that the Windows Server 2003 version of this utility will also lock out the default administrator account (both network and interactive) after x number of failed logons. Make sure you have a backup method for unlocking this account.
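To confirm that the settings from both myths actually took effect on a server, the following added example (not part of the original article) reads them back from the local security policy and the registry. It assumes PowerShell 2.0 or later is installed and the prompt is elevated; the scratch file name and the New-Check helper are made up for this example, and the mapping of the policy names above to the exported keys (RestrictAnonymous, LSAAnonymousNameLookup, EnableAdminAccount, LockoutBadCount, NewAdministratorName) is supplied here, not by the author.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'   # scratch file; the name is arbitrary
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Collect the "Name = Value" pairs of the [System Access] section.
$access = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]') {
        $inSection = ($Matches[1] -eq 'System Access')
    } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
        $access[$Matches[1]] = $Matches[2].Trim().Trim('"')
    }
}
Remove-Item -Path $inf

# "Additional Restrictions For Anonymous Connections" is backed by this registry
# value; a missing value reads as 0 (no restriction).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$restrictAnonymous = [int]$lsa.RestrictAnonymous

# Hypothetical helper: builds one report row per setting.
function New-Check($Setting, $Value, $Expected, $Pass) {
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Expected = $Expected; Pass = $Pass
    }
}

$rows = @(
    (New-Check 'Enumeration of SAM accounts and shares (RestrictAnonymous)' `
        $restrictAnonymous '1 or higher' ($restrictAnonymous -ge 1)),
    (New-Check 'Allow Anonymous SID/Name Translation (LSAAnonymousNameLookup)' `
        $access['LSAAnonymousNameLookup'] '0' ($access['LSAAnonymousNameLookup'] -eq '0')),
    (New-Check 'Built-in administrator enabled (EnableAdminAccount)' `
        $access['EnableAdminAccount'] '0' ($access['EnableAdminAccount'] -eq '0')),
    (New-Check 'Account lockout threshold (LockoutBadCount)' `
        $access['LockoutBadCount'] 'above 0' ([int]$access['LockoutBadCount'] -gt 0))
)

# Renaming does not change the SID, so report the current name for reference only.
"Built-in administrator (SID ending in -500) is named: $($access['NewAdministratorName'])"
$rows | Select-Object Setting, Value, Expected, Pass | Format-Table -AutoSize
```

The lockout threshold row only shows that an account lockout policy exists; whether the administrator account itself is subject to it depends on the Passprop.exe setting described above.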
Final thoughts
Account security is at the heart of basic security administrative best practices. That's why it's vital that you implement this security and keep your administrative rights secure.
《endurer's note: 1. at heart: in one's heart (in essence)》