Saturday, January 22, 2005

Securing Administrative Groups and Accounts in Active Directory Part 2

Creating a New User Account with Domain Admins Credentials: If you do not already have a user account that is a member of the Domain Admins group, other than the standard Administrator account, create one that you will use to perform these tasks. As the administrator of your network, you will use this new account only when you need to perform tasks that require Domain Admin credentials. Do not remain logged on with this account after you finish performing these tasks. Create another user account for data management and day-to-day tasks such as running Microsoft Office and sending and receiving e-mail, but do not add that user account to the Domain Admins group.

Tasks:
1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
2. Right-click the Users container, click New, and then click User.
3. Type the First name, Last name, and User logon name, and then click Next.
4. Type and confirm the user password, clear the User must change password at next logon check box, and then click Next.
5. Review the account information, and then click Finish.
6. With the Users container selected, in the details pane (right pane), double-click the Domain Admins group.
7. Click the Members tab.
8. Click Add and then, in the Select Users, Contacts, or Computers dialog box, type the user logon name of the administrative account you just created, and then click OK.
9. Verify that your new account appears as a member of the Domain Admins group.
Protecting the Administrator Account: All installations of Active Directory have an account named Administrator in each domain. This account cannot be deleted or locked out. In Windows Server 2003, the Administrator account can be disabled, but it is automatically re-enabled when you start the computer in Safe Mode. A malicious user attempting to break into a system would start by trying to obtain the password for the all-powerful Administrator account. For this reason, rename it and change the text in the Description to eliminate anything that indicates that this is the Administrator account. In addition, create a decoy user account called Administrator that has no special permissions or user rights. Always give the Administrator account a long, complex password. Use different passwords for the Administrator and DS Restore Mode Administrator accounts.

Tasks:
1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
2. In the console tree (left pane), click Users.
3. In the details pane (right pane), right-click Administrator, and then click Rename.
4. Type the fictitious first and last name and press Enter.
5. In the Rename User dialog box, change the Full name, First name, Last name, Display name, User logon name, and User logon name (pre-Windows 2000) values to match your fictitious account name, and then click OK.
6. In the details pane (right pane), right-click the new name, and then click Properties.
7. On the General tab, delete the Description "Built-in account for administering the computer/domain" and type in a description that resembles those of other user accounts.

Note: This procedure changes only the default Administrator account's logon name and account details, which someone can see if they manage to enumerate a list of accounts on your system. The procedure does not affect the ability to use the DS Restore Mode Administrator account to start Directory Services Restore Mode. Remember, these are two different accounts.
Creating a Decoy Administrator Account: You are going to hide the default Administrator account. Attackers who are running password attacks against the Administrator account can be fooled into attacking an account with no special privileges.

Tasks:
1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
2. Right-click the Users container, click New, and then click User.
3. In First name and User logon name, type Administrator, and then click Next.
4. Type and confirm a password.
5. Clear the User must change password at next logon check box.
6. Verify that the decoy account details are correct, and then click Finish.
7. In the details pane (right pane), right-click Administrator, and then click Properties.
8. On the General tab, in the Description box, type Built-in account for administering the computer/domain, and then click OK.
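The three procedures above (dedicated admin account, renaming the built-in Administrator, decoy account), as an added example driven from the ActiveDirectory PowerShell module rather than the MMC snap-in; this is not code from the original post. The account names jsmith-da, Rita Hall/rhall and the descriptions are assumed placeholders, and it must be run by a member of Domain Admins on a machine with the RSAT AD module.

```powershell
# Added example, not part of the original post. Assumed names: 'jsmith-da' (new
# Domain Admins account), 'Rita Hall'/'rhall' (new identity for the built-in
# account) and 'Administrator' (decoy). Run while logged on as a Domain Admin.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$upnSuffix = $domain.DNSRoot

# 1. Dedicated admin account, used only when Domain Admin rights are required.
$adminPw = Read-Host 'Password for the new admin account' -AsSecureString
New-ADUser -Name 'John Smith (admin)' -SamAccountName 'jsmith-da' `
    -GivenName 'John' -Surname 'Smith' -UserPrincipalName "jsmith-da@$upnSuffix" `
    -AccountPassword $adminPw -ChangePasswordAtLogon $false -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jsmith-da'

# 2. Rename the built-in Administrator. It is located by its well-known RID
#    (500), which stays the same no matter what the account is called.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
Rename-ADObject -Identity $builtin.DistinguishedName -NewName 'Rita Hall'
Set-ADUser -Identity $builtin.ObjectGUID -SamAccountName 'rhall' `
    -UserPrincipalName "rhall@$upnSuffix" -GivenName 'Rita' -Surname 'Hall' `
    -DisplayName 'Rita Hall' -Description 'Accounting'   # blends in with other users

# 3. Decoy account named Administrator, a plain Domain Users member with the
#    default description so it looks like the real thing to an enumerator.
$decoyPw = Read-Host 'Password for the decoy account' -AsSecureString
New-ADUser -Name 'Administrator' -SamAccountName 'Administrator' `
    -UserPrincipalName "Administrator@$upnSuffix" -AccountPassword $decoyPw `
    -ChangePasswordAtLogon $false -Enabled $true `
    -Description 'Built-in account for administering the computer/domain'

# Check: the RID-500 account no longer answers to its default name, and the
# decoy has not ended up in Domain Admins (directly or via nested groups).
$rid500 = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
if ($rid500.SamAccountName -eq 'Administrator') { throw 'built-in account was not renamed' }
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($daMembers -contains 'Administrator') { throw 'decoy account is privileged' }
```

The final check is worth re-running periodically, since a later group change could quietly grant the decoy real rights.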
End of Part 2.
