Jorge 's Quest For Knowledge! : The Default domain administrator account is locked!?

donderdag 5 oktober 2006 23:23 Jorge

The Default domain administrator account is locked!?

Yes, the default ADMINISTRATOR can be locked out (wait!)

What I mean is that if you have a lockout threshold of lets say 5, the lockoutTime attribute will show the lockout date and time the account was locked. In ADUC (using another custom admin account for example) you will see the default ADMINISTRATOR is locked.... you will even see and event ID 644 mentioning the account lockout.

HOWEVER.... here it comes...

While the default ADMINISTRATOR is locked, it will be unlocked automatically by the SYSTEM (DC) AS SOON AS the correct password is used (even before it is unlocked after the unlock period)

Cheers,

Jorge

------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------------

Filed under: Active Directory

Comments

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:31 by Paul

So, basically, a brute-force attack on the Administrator account is a very viable option ? After all, the moment I hit the right password, it'll unlock automatically too. Rather defies the point of account lockout, does it not ? Another excellent reason to rename the Admin-account and create a dummy 'Administrator'-account.

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:37 by Jorge

That is one of the reasons the default administrator account SHOULD have a VERY VERY VERY strong password (passphrase) and also be stored in a sealed envelope within a vault.

Renaming the account is a very small risk mitigating action. Why? If I have the possibility to query AD for the account with RID -500, I will find the administrator account.

Jorge

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:39 by Jorge

oh... and another option would be to disable it using a GPO. When a DC is rebooted in "Safe Mode with networking" the disabled status is removed

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:41 by carlos

I was so close to shooting you down on this one until I saw the HOWEVER part ;)

Good to see you back

Carlos

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:44 by Jorge

Thanks buddy!

# re: The Default domain administrator account is locked!?

donderdag 5 oktober 2006 14:44 by Paul

That'd require at least Authenticated access to the AD (presuming you're not silly enough to open up LDAP read-access to Everyone), but yes, I see your point. Putting in a strong password for an Administrator is of course absolutely vital, especially an account such as this. I know that plenty of people believe security through obscurity doesn't add much, but personally, I don't mind putting in an extra honeypot (how many people are going to query the RID of an account if they hit upon response from the default Admin account ? Only paranoid people.. like.. well, you.... me.. ehm, anyway, you see my point. ;) ) As a side-note, I'm still a very big fan of the 2-key/4-eyes principle, in which the stored password is actually cut in half and stored in two different vaults, accessible only by different people.. but that's me..

# re: The Default domain administrator account is locked!?

vrijdag 6 oktober 2006 1:12 by ptwilliams

The administrator account should be locked. This removes the DOS you mention, and as Jorge has already said, isn't an issue if every account is locked or disabled as you can still logon in safe mode. I don't buy renaming the administrator account and creating a dummy account with that name, but I can appreciate why some people do this. Good post Jorge. It's funny. I was asked a question about this yesterday and I was getting ready to go digging through all the info. on this. I don't have to now. I'll rephrase your words as my own... : ) --Paul

# re: The Default domain administrator account is locked!?

vrijdag 6 oktober 2006 2:31 by Jorge

Paul,

In your first line you say: "The administrator account should be locked". I think you mean "The administrator account should be disabled"

Sometimes, I can read people's mind and then go and posting something...

no paul, get the idea of me getting a beer for you out of your mind! ;-)

jorge

# re: The Default domain administrator account is locked!?

vrijdag 6 oktober 2006 5:27 by ptwilliams

Ha ha. You are correct of course. And as for the beer. It'll be out of my mind when you buy me two! ;-)

# Complexity of authentication ("the Password problem")

zaterdag 16 december 2006 5:29 by The things that are better left unspoken

Many IT people I know require their users to come up with complex passwords and require them to change

# Bloqueo de cuelta administrador | hilpers

zondag 18 januari 2009 3:36 by Bloqueo de cuelta administrador | hilpers

PingBack from http://www.hilpers-esp.com/661333-bloqueo-de-cuelta-administrador

# Administrator Lock-out? | A-fanatic blog

vrijdag 24 april 2009 13:47 by Administrator Lock-out? | A-fanatic blog

PingBack from http://blog.studiographic.nl/?p=268

Anonymous comments are disabled

The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user.

Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Powered by Community Server (Personal Edition), by Telligent Systems

Jorge 's Quest For Knowledge!

Search

Tags

News

Navigation

Archives

DISCLAIMER

Guess who?

Interesting Places

Other BLOGS

The Default domain administrator account is locked!?

Comments

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# re: The Default domain administrator account is locked!?

# Complexity of authentication ("the Password problem")

# Bloqueo de cuelta administrador | hilpers

# Administrator Lock-out? | A-fanatic blog