Solved

Best security practice with Systems created accounts

Posted on 2014-01-08
Last Modified: 2014-01-12
In the system scan by the security officer, they've found a few AD
& local accounts: my colleagues renamed the Windows guest
accounts to these accounts & disabled them.

In UNIX/Linux, we have lp, adm accounts etc., which my
colleagues disabled.

Q1:
Security officer recommends that these accounts be deleted
instead of just being disabled.  What's the best practice?
Delete or just leave them disabled?

Q2:
What are the impacts/implications of removing system
created accounts? Can you go through the impact of removing
each account? (I only know about 'guest' in Windows but I
see an ASPNET account as well; for UNIX, there's uucp,
adm, bin, daemon, ftp, nuucp, lp, tftp.)

Q3:
Do people generally rename the Windows local administrator
as a good security practice?  What about renaming UNIX root?
0
Question by:sunhux
6 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 732 total points
ID: 39767048
Well, I think you'll find the Guest account, even though it's disabled, is needed for generic share permissions behind the scenes.  Not sure you can remove it, and if you do, it may impact non-published accounts like the "Everyone" group.

As for renaming the Administrator account, you should do this as best practise and it should be done (correctly) via Group Policy - rename Administrator account so that underlying registry settings get updated too.

As for Linux, I'm really not sure you can rename the root account - but, of course, I could be wrong since *nix is not my strength.

The ASPNET account as well as others has extremely limited access (as does Network, Local, etc) and this is by design.  You can check the local Group Policy and see that these accounts don't even have "Allowed to Logon" rights.  They are simply there to run services in the background and nothing else.
0
 

Author Comment

by:sunhux
ID: 39767454
As we're not certain if there's any impact of removing & we don't have
a test/staging environment to test out if removal of guest could have
any impact, is there any way that we can take a backup (of which
files/folders), then remove them? After a couple of months, if nobody
shouts, then we can safely say there's no impact.

Just renaming & disabling guest alone is not a sufficient test that removal
of guest is harmless.

We have a couple of AD accounts too that have been disabled & the security
officer insists they should be deleted in case an unscrupulous sysadmin
or someone accidentally enables it back & thus opens up a vulnerability.

Likewise for Linux/UNIX's sys, adm, lp, ... accounts.

Can EE moderator add this thread into UNIX domains as well so that
 *ix  experts can respond on the impact to sys, adm, ...  accounts?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1268 total points
ID: 39768344
You can't delete the guest account, nor any of the default accounts (admin and guest) :(
http://technet.microsoft.com/en-us/library/cc755130.aspx
Renaming is fine, however it's security through obscurity, the SID of the accounts does not change, and the SID is often part of the authentication process.
https://support.microsoft.com/kb/243330
http://msdn.microsoft.com/en-us/library/cc230371.aspx
Nonetheless it is a recommended practice, even though it's pretty easy to use any account in AD and figure out the administrator account. There are also SID enumeration utilities and methods.
System created accounts can be placed in more restrictive groups to help mitigate their potential abuse.
http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx

For Unix it's about the same: you can certainly rename "root" to something else, and it's not as easy as Windows to figure out who is root. You should disable or remove when possible any accounts not needed. A few weeks or months should be an effective amount of time to tell if the account will be missed or not.
-rich
0
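For the Unix side of the advice above (disable accounts that are not needed), a check that the accounts named in the question really are disabled, and stay that way. This is an added example, not part of the original thread; the Linux-style shadow format, the list of no-login shells and the sample file contents are assumptions.

```python
# Accounts named in this thread; extend to match the host being audited.
SYSTEM_ACCOUNTS = {"lp", "adm", "sys", "uucp", "nuucp", "bin", "daemon", "ftp", "tftp"}
# Assumed set of shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample files (not taken from a real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$constructed$hash:16000:0:99999:7:::
bin:*:16000:0:99999:7:::
adm:!!:16000:0:99999:7:::
lp:*:16000:0:99999:7:::
uucp:$6$constructed$hash:16000:0:99999:7:::
"""


def audit_system_accounts(passwd_text, shadow_text, names=SYSTEM_ACCOUNTS):
    """Report password and shell state for each listed system account."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in names:
            continue
        name, shell = fields[0], fields[6]
        pw = shadow.get(name)
        if pw is None:
            state = "no shadow entry"
        elif pw == "":
            state = "empty password"
        elif pw[0] in "!*":          # "!", "!!" and "*" all mean no usable password
            state = "locked"
        else:
            state = "password set"
        # A locked password alone does not stop su or key-based logins,
        # so the account counts as disabled only if the shell is also inert.
        disabled = state == "locked" and shell in NOLOGIN_SHELLS
        report[name] = {"password": state, "shell": shell, "disabled": disabled}
    return report
```

Running it on a schedule and comparing reports over time also covers the concern raised earlier in the thread about a disabled account being quietly re-enabled.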

 

Author Comment

by:sunhux
ID: 39772929
Hi Richrumble,

http://technet.microsoft.com/en-us/library/cc755130.aspx
I can't find any mention in the above link that Guest can't be deleted;
closest is it recommends to disable it.  The portion most related to
this is extracted below:

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to log on to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
0
 

Author Comment

by:sunhux
ID: 39772930
Which files & folder(s) can we backup so that we can restore back
a deleted account (AD & local)?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1268 total points
ID: 39773296
You cannot delete any built-in accounts, see the screen cap attachment.
-rich
guest-delete.JPG
0
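Because the built-in accounts cannot be deleted and, as noted earlier in the thread, renaming does not change their SID, an audit can locate them by RID rather than by name and check their state. This is an added example, not part of the original thread; RIDs 500 and 501 are the well-known Administrator and Guest values, and the CSV is a constructed sample assumed to be an export of Name, SID and Enabled for a host's local users.

```python
import csv
import io

# Well-known relative IDs (last SID component) of the two built-in accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed sample inventory; SIDs and names are made up.
SAMPLE_CSV = """Name,SID,Enabled
svc-maint,S-1-5-21-1111111111-2222222222-3333333333-500,True
zz-unused,S-1-5-21-1111111111-2222222222-3333333333-501,False
jsmith,S-1-5-21-1111111111-2222222222-3333333333-1001,True
"""


def rid_of(sid):
    """Return the RID of a machine or domain account SID, else None."""
    parts = sid.strip().split("-")
    # Account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return int(parts[-1]) if parts[-1].isdigit() else None


def audit_builtin_accounts(csv_text):
    """Find built-in accounts by RID, whatever they are currently named."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        role = BUILTIN_RIDS.get(rid_of(row["SID"]))
        if role is None:
            continue
        enabled = row["Enabled"].strip().lower() == "true"
        renamed = row["Name"].strip().lower() != role.lower()
        issues = []
        if role == "Guest" and enabled:
            issues.append("Guest is enabled")
        if not renamed:
            issues.append("still has its default name")
        findings.append({"name": row["Name"], "role": role,
                         "enabled": enabled, "renamed": renamed,
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_builtin_accounts(SAMPLE_CSV):
        print(finding)
```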


Question has a verified solution.
