Who is looking at your server?
Have you renamed the Administrator's account?
Best Practice (Litmus Test)
Professionals rename the Administrator Account
Amateurs, as usual, leave security at the default settings
Rename your Administrator Account
Renaming the Administrator account is the single most effective best practice for securing your system. It amazes me that companies spend thousands on security reports but do not rename the Administrator account. Also remember to delete the description, 'Built-in account for administering the computer/domain', when you rename the account.
The two points are:-
1) Every hacker knows that Windows Server 2003 has an account called Administrator.
2) By design, the built-in Administrator account cannot be locked out, so hackers can try as many times as they like to discover the password.
Create a Dummy Administrator Account
My mate 'Barking' Eddie renames the original Administrator account to fredb, then creates a new dummy Administrator account with only guest rights. This drives hackers mad because they cannot understand why the Administrator account does not do what they want! He even adds the description 'Built-in account for administering the computer/domain' to the dummy account.
Notes on Best Practices for the Administrator account
In Windows Server 2003 you CAN disable the Administrator account. Best practice would be to disable the original Administrator only once you have created another account with at least Account Operator privileges.
SG wrote to me pointing out more security measures for the Administrator account:-
Set the user right 'Deny access to this computer from the network' for the account. SG reminds me that this account has a SID ending in 500 (its RID), which cannot be changed. As a result, hackers using RedButton will always know which account is the original Administrator, whatever it is called, and attack it.
You could also set the security policy 'Additional restrictions for anonymous connections' to 'Do not allow enumeration of SAM accounts and shares'.
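The checks above can be scripted. This is an added audit script, not the article's own: it locates the RID 500 account by SID (the way the rename is seen through), checks that it has lost the default name and description, confirms a decoy 'Administrator' holds no admin rights, and reads the DontDisplayLastUserName and RestrictAnonymous registry values. It assumes Windows 10 / Server 2016 or later with the LocalAccounts module and an elevated session; the registry paths are the documented Winlogon, Policies\System and Lsa keys.

```powershell
# Added audit script (not from the article). Assumes Windows 10 / Server 2016
# or later with the LocalAccounts module, run from an elevated PowerShell.
function Test-AdminAccountHygiene {
    $findings = @()

    # The original Administrator always has RID 500; find it by SID, not by name,
    # because that is exactly how a rename is seen through.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin.Name -eq 'Administrator') {
        $findings += 'RID 500 account still has the default name "Administrator".'
    }
    if ($builtin.Description -like 'Built-in account for administering*') {
        $findings += 'RID 500 account still carries the tell-tale built-in description.'
    }

    # A decoy named "Administrator" (not RID 500) must not hold admin rights.
    $decoy = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    if ($decoy -and $decoy.SID.Value -notlike '*-500') {
        $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
        if ($members -contains $decoy.SID.Value) {
            $findings += 'Decoy "Administrator" is in the Administrators group; it should have guest rights only.'
        }
    }

    # Hide the last logged-on user name (Winlogon key on 2000/2003, Policies\System later).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hidden = $paths | ForEach-Object {
        (Get-ItemProperty -Path $_ -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName
    } | Where-Object { "$_" -eq '1' }   # REG_SZ "1" on old systems, DWORD 1 on new
    if (-not $hidden) { $findings += 'DontDisplayLastUserName is not set to 1.' }

    # RestrictAnonymous=1 is "Do not allow anonymous enumeration of SAM accounts and shares".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymous -ne 1) {
        $findings += 'RestrictAnonymous is not 1: anonymous enumeration of SAM accounts and shares is allowed.'
    }

    return $findings
}

$result = Test-AdminAccountHygiene
if ($result.Count -eq 0) { 'No findings: Administrator account hygiene looks good.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```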
Warning about Microsoft: - Windows is configured for ease of use out of the box. However, with knowledge and skill I believe you can make Windows Server 2003 and Windows 2000 as secure as Novell or Unix.
Guy's warning: - The more security you have, the more work there will be for the administrators.
Firstly, decide on an appropriate level of security for your organisation. Take passwords as an example: - ordinary companies do not need complex passwords which users have to change every month, whereas it would be inappropriate for a bank to allow blank passwords that never expire.
Litmus Test: Professionals use account lock out
Account lockout - if an organisation has thought about account policies then they are probably professionals. However, this is a classic case where there is no 'right answer'.
Several universities admit to problems with account lockout. Immature undergraduates deliberately lock out their friends' accounts by typing in the wrong password. If they can lock out a lecturer's account they think it's hilarious. (Sad people, but we have to deal with them.)
Guy's first suggestion was to add the DontDisplayLastUserName value to the Winlogon key of the registry. This prevents users from seeing the account that previously used the machine. Secondly, I showed the administrators how to set up auditing; then we could see which workstations the rogue passwords were coming from.
Litmus test: Amateurs' security audit log is empty
Amateurs will almost certainly have a blank audit log. Professionals will have data on unsuccessful logons and audits of sensitive files.
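Tracing rogue passwords back to a workstation, as described above, comes down to grouping logon failures by their source. This is an added example, not code from the article: Group-FailedLogons summarises failure records per workstation and target account, Get-FailedLogonEvents pulls them from the live Security log (event ID 4625 on current Windows; Server 2003 logged 529/539 with a different field layout, so that function assumes a current log), and the sample records, host names and addresses are constructed so the summary runs offline.

```powershell
# Added example (not from the article). Summarises failed logons by source
# workstation so rogue password attempts can be traced back to a machine.
# Assumes logon-failure auditing is on and a current Windows Security log.
function Group-FailedLogons {
    param([Parameter(Mandatory)] [object[]] $Events, [int] $Threshold = 3)
    $Events |
        Group-Object -Property WorkstationName, TargetUserName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Workstation = $first.WorkstationName
                SourceIp    = $first.IpAddress
                Target      = $first.TargetUserName
                Attempts    = $_.Count
                Suspicious  = ($_.Count -ge $Threshold)   # repeated failures from one box
            }
        } | Sort-Object -Property Attempts -Descending
}

# Read live 4625 events (elevated session required) into the same record shape.
function Get-FailedLogonEvents {
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $p = $_.Properties   # 4625 EventData order: 5=TargetUserName, 13=WorkstationName, 19=IpAddress
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                TargetUserName  = $p[5].Value
                WorkstationName = $p[13].Value
                IpAddress       = $p[19].Value
            }
        }
}

# Constructed sample standing in for parsed events, so the summary runs offline:
# one lab PC hammering a lecturer's account, plus a single genuine typo elsewhere.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; TargetUserName = 'jlecturer'; WorkstationName = 'LAB-PC07';  IpAddress = '10.0.5.17' }
    [pscustomobject]@{ TimeCreated = Get-Date; TargetUserName = 'jlecturer'; WorkstationName = 'LAB-PC07';  IpAddress = '10.0.5.17' }
    [pscustomobject]@{ TimeCreated = Get-Date; TargetUserName = 'jlecturer'; WorkstationName = 'LAB-PC07';  IpAddress = '10.0.5.17' }
    [pscustomobject]@{ TimeCreated = Get-Date; TargetUserName = 'asmith';    WorkstationName = 'OFFICE-12'; IpAddress = '10.0.2.40' }
)
Group-FailedLogons -Events $sample | Format-Table -AutoSize
# Against the live log: Group-FailedLogons -Events (Get-FailedLogonEvents) | Format-Table -AutoSize
```

With the sample data, LAB-PC07 against jlecturer is flagged Suspicious with three attempts, while the single OFFICE-12 failure is not.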
Tip: For the Boss. If I were the boss I would have a meeting with my network manager and ask to see the security log options. Just asking for this information will jog the network manager's memory. The hidden message is that even the techies' actions are accountable. If the network manager is honourable then they will have nothing to fear. If they are a rogue, then okay, they can get around it by deleting the log, but that in itself would be suspicious.
Guy's Litmus Test is a concept that you can apply anywhere. Each test gives you an instant answer to the simple question:- 'Are you dealing with a professional, or are they an amateur? Is this the real deal, or is it a turkey?' The Litmus Test concept is rather like Best Practice, but it reduces a 27-page report to one sentence.