rename Administrator account

Samba - General mailing list
Hi all,

 
Renaming the admin account in Windows server context is a popular measure to make the network more safe. 

Can we do this also in Samba 4? Are there any negative consequences?

 
Met Vriendelijke Groet,
Kind Regards,
Salutations,
 
 
Bart Coninckx
Bits 'n Tricks BVBA
 

 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: rename Administrator account

On 17.03.2017 at 15:52, Bart Coninckx via samba wrote:
> Renaming the admin account in Windows server context is a
> popular measure to make the network more safe.
>
> Can we do this also in Samba 4? Are there any negative consequences?

Sure you can rename it. Being a member of the right groups decides what
an account can do.

However, I don't understand how renaming the admin account improves the
security. For example, every domain user can easily find out who is a
member of the "Domain Admins" group:

 > dsquery group -name "Domain Admins" | dsget group -members
"CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"

Regards,
Marc


PS. By the way talking about "Samba 4" can be misleading. It's better if
you use the terms "Samba AD", "Samba NT4 domain", "Samba standalone
server", "Samba domain member", etc. depending on what you are talking
about. Samba 4 can act as all of them.


Re: rename Administrator account

>Sure you can rename it. Being a member of the right groups decides what
>an account can do.

>However, I don't understand how renaming the admin account improves the
>security. For example, every domain user can easily find out who is a
>member of the "Domain Admins" group:

>> dsquery group -name "Domain Admins" | dsget group -members
"CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"

>Regards,
>Marc

Hi Marc,

 
I agree that is not the holy grail of security, but as an average user is not able to do a dsquery, it has some added value.

My customer asked me this, so now I can tell him that it is possible,

 
cheers,

 
BC

Re: rename Administrator account

On Tue, 2017-03-21 at 16:33 +0100, Bart Coninckx via samba wrote:

> > Sure you can rename it. Being a member of the right groups decides
> > what an account can do.
> >
> > However, I don't understand how renaming the admin account improves
> > the security. For example, every domain user can easily find out who
> > is a member of the "Domain Admins" group:
> >
> > > dsquery group -name "Domain Admins" | dsget group -members
> > "CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"
> >
> > Regards,
> > Marc
>
> Hi Marc,
>
> I agree that is not the holy grail of security, but as an average
> user is not able to do a dsquery, it has some added value.
>
> My customer asked me this, so now I can tell him that it is
> possible,

Indeed.  I know it is often on the security checklists, and while we
can fight all day about futility, we also need to do better.

On a matter that is much more useful, Samba 4.7 will, assuming I can
land the patches, have some great audit logging for authentication and
authorization in the AD DC.  That should make some security auditors
much happier.

Andrew Bartlett

