From: David LeBlanc [dleblanc@MINDSPRING.COM]
Sent: Tuesday, May 05, 1998 10:40 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: name of built-in administrator

At 11:08 AM 5/5/98 +0000, Luke Kenneth Casson Leighton wrote:

>with the user2sid, sid2user and smbclient from BRANCH_NTDOM (see
>http://samba.anu.edu.au.cvs.html) you don't _need_ to actually log in as
>Administrator in order to obtain the information [converting the NT Admin
>Group or User RID to its current user or group name].
>if you have put "RestrictAnonymous" in then you only need an ordinary user
>account. if you have not, then you can connect with a NULL session and
>request the above information.

Even if RestrictAnonymous is set, the user2sid and sid2user programs (or anything else based on LookupAccountName() and LookupAccountSid()) are going to work if I either have or can guess just _one_ account name. Until these are fixed, it is completely _useless_ to rename the administrator account.

Note that there is one account name on the machines that _cannot_ be changed, so that you can ALWAYS get the machine RIDs that you need. There may be another method to do the same thing, but that needs a bit of investigation. Thus if I can get a null session, I can ALWAYS get your administrator name.

Once Microsoft gives us some way to control the behavior of LookupAccountXXX(), it might be useful to change the name, but I still feel like restricting the account properly (as I detailed in my reply to this thread on 4/29) is the best solution.

As a reality check, you don't see many UNIX boxes with root renamed - but you see plenty of them where you can't log in as root from the network.

David LeBlanc
dleblanc@mindspring.com
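A local audit that shows the message's point from the defender's side, added here as an example and not code from the original thread: it reads the RestrictAnonymous value and confirms that the built-in Administrator is still the RID 500 account whatever it has been renamed to, which is exactly why the name alone protects nothing. It assumes a Windows host with PowerShell 5.1 or later, local administrator rights, and the Get-LocalUser cmdlet; the function name is my own.

```powershell
# Added audit example (not from the original thread). Runs locally, needs local admin rights,
# and assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser).
function Get-AdminRenameAudit {
    [CmdletBinding()]
    param()

    # RestrictAnonymous lives under the LSA key; a missing value behaves like 0 (no restriction).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    $restrictAnonymous = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }

    # The built-in Administrator always carries RID 500 in this machine's SID, so a
    # SID-to-name lookup reveals its current name regardless of what it was renamed to.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RestrictAnonymous = $restrictAnonymous
        AdminSID          = $builtinAdmin.SID.Value
        AdminCurrentName  = $builtinAdmin.Name
        AdminIsRenamed    = ($builtinAdmin.Name -ne 'Administrator')
        AdminEnabled      = $builtinAdmin.Enabled
    }
}

Get-AdminRenameAudit | Format-List
```

A result with AdminIsRenamed set to True and RestrictAnonymous at 0 is the configuration the message calls useless: the name has changed, but the RID 500 account is still trivially resolvable.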