The same is true in all spheres, whether debating Christianity against Islam, Linux against Windows, or Cagney vs Lacey.
In security, there are a few divisive issues that are always going to crop up.
Is your datacentre network trustworthy enough to pump secret data around it at any speed?
Are virtual machines on the same host PC “separated” for segregation of duties purposes?
Is SHA-1 completely broken yet?
There’s nothing more infuriating than arguing your position on one side of such a debate, only to watch the people on the other side sit smugly in the assertion that nothing you say has any bearing on their view, which remains more correct than yours, nyaah nyaah.
I hope it doesn’t get that way with a debate between two people I like to claim as friends – Jesper Johansson and Roger Grimes – who are currently waging their war of words in TechNet, in what I hope will become a regular series.
The current article is on the big debate between those who think it’s a great security idea to rename the Administrator account to something else, and those who perceive little or no benefit in the practice – so little that it’s not worth doing.
For those of you too lazy to follow the link and read the article: Jesper (with his Microsoft insider, Steve Riley) is on the “don’t bother renaming Administrator” side, while Roger (with his own insider, Aaron Margosis) argues that renaming the Administrator account is a security win.
I really can’t dispute the mathematics. If you have a 10-character password, an attacker who guesses at random and tries to log in as Administrator has a 1-in-umpteen-thousand chance of success; with the same 10-character password and a renamed Administrator account, the attacker has to guess the name as well, and the odds lengthen to 1-in-umpty-thousand. A couple of orders of magnitude of benefit, yes?
Sure – but there are a couple of points I’d make here:
- There’s not much difference between zero and zero: both probabilities of a random guess succeeding are as close to zero as makes no realistic difference. At that level of difference between near-zeroes, you’re as likely to find that your password was weakened by a poor choice of random number generator as to find that renaming the account protected you where the password did not. In essence, you’re saying “we’re already protected against the sort of guy with enough luck to win the lottery a million times in a row, but just in case, we want to protect ourselves against the guy lucky enough to win a million and one times.”
- You could get the same increase in probabilistic protection by lengthening the password. Even if all you did was append to the password the name you were going to give the Administrator account, you’d have at least as much mathematical protection against random guessing as you would get by renaming the account – and the password is something the system already treats as a secret.
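Worked out (added here; not part of the original post): let the password be drawn from an alphabet of $a$ symbols (95 printable ASCII characters) and have length $n$, and suppose the attacker knows the administrator account is one of $N$ plausible names. Guessing name and password at random succeeds with probability

$$P_{\text{rename}} = \frac{1}{N\,a^{n}}$$

while leaving the name public and appending $k$ characters to the password gives

$$P_{\text{longer}} = \frac{1}{a^{n+k}}$$

A name of length $k$ is itself one of at most $a^{k}$ strings, so $N \le a^{k}$ and therefore $P_{\text{longer}} \le P_{\text{rename}}$: appending the intended new name to the password is never worse than renaming the account. With $a = 95$ and $n = 10$, $a^{n} \approx 6 \times 10^{19}$, so both figures are already the “near-zero” of the first bullet.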
Okay, so maybe you’re not really getting orders of magnitude better protection – but surely it can’t hurt security, and it feels enough like security that several people in the field recommend it.
To me, that’s old-style security thinking, where the goal was to disable, disable, disable – when the web sites and applications were so full of holes that any time you saw something that looked like a hole, you immediately knew that the right thing was to plug it up.
Modern information security, though, should be more about enabling – enabling business and customers alike, to conduct business without unnecessary inconvenience. Without wishing to sound like Yoda, inconvenience leads to confusion; confusion leads to mistakes, which lead inexorably to insecurity.
If you rename the administrator account, you’re asking for its name to become part of the secret that protects its access. You won’t get any cooperation in that, because the operating system and all of your applications are designed around the principle that the username is not a secret. Windows is quite explicit about it: the built-in Administrator account keeps its well-known relative identifier of 500 whatever you call it, and any authenticated user can translate that SID back into the account’s current name. You’re also asking your system administrators – the people who are going to be using the Administrator account – to remember that it’s been renamed, to remember what it’s been renamed to, and to remember not to let anyone else know.
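To see how little the operating system cooperates, here is an added PowerShell example (mine, not from the article or from either debater) that resolves the built-in Administrator account from its well-known relative identifier 500 without knowing its current name. It assumes a Windows host with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and, for the domain variant, the ActiveDirectory module; the cmdlets are real, and the names it prints are whatever your environment has.

```powershell
# Added example, not part of the original article.
# The built-in Administrator account keeps RID 500 whatever it is called;
# renaming changes the display name, not the identity the OS uses.

function Get-BuiltinAdministratorName {
    # Works for any authenticated user: take the account-domain part of our
    # own SID (the machine SID for a local logon, the domain SID for a domain
    # logon), append -500, and ask LSA to translate it back to a name.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    if (-not $me.AccountDomainSid) {
        throw 'Current token has no account-domain SID (running as a well-known SID such as SYSTEM?)'
    }
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier("$($me.AccountDomainSid.Value)-500")
    $adminSid.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-LocalBuiltinAdministrator {
    # Enumerates local accounts and picks the one whose SID ends in -500.
    # Get-LocalUser needs no elevation to read this.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' } |
        Select-Object Name, Enabled, SID
}

function Get-DomainBuiltinAdministrator {
    # Domain variant: Get-ADUser accepts a SID as the identity, so the
    # current sAMAccountName never has to be known. Requires RSAT / ActiveDirectory.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled |
        Select-Object SamAccountName, Enabled, SID
}

# Usage: each call prints the account's current name, whatever it was renamed to.
Get-BuiltinAdministratorName
Get-LocalBuiltinAdministrator
```

The first function is the telling one: it needs nothing beyond an ordinary logon token, and the name comes back as MACHINE\name or DOMAIN\name. On a domain-joined machine it resolves the domain Administrator when you are logged on with a domain account and the local one when you are logged on locally; the second and third functions pin down each explicitly.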
So, yeah, I’m on the side that says “renaming the administrator account doesn’t add any significant security benefit”.
The one benefit I do see is in the logs: once the account is renamed, the background noise of automated attacks against anything called Administrator lands on a name that no longer exists, and can be separated from the log entries showing that someone is attacking the real account under its new name. I think this is a bit of a false saving, though – you really shouldn’t be allowing any external access to the Administrator account at all. If your staff want to reach it remotely, they should VPN in under their own accounts and then use RDP, or some other protocol, to connect to the machine they wish to administer.
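As an added example of the log separation just described (my code, not the article’s), this PowerShell splits failed-logon records into attempts against the now non-existent name “Administrator” and attempts against the renamed account. The records in $SampleFailures and their addresses are constructed for the example, and the renamed account name ‘svc-breakglass’ is an assumption; Get-FailedLogonEvents shows how the same fields come out of real Security event 4625 (“An account failed to log on”) records.

```powershell
# Added example, not from the original article.
# Assumption: the built-in Administrator has been renamed to 'svc-breakglass'.
$RenamedAdmin = 'svc-breakglass'

# Constructed sample of the fields we care about from Security event 4625.
# Addresses are from the documentation ranges; none of this is real log data.
$SampleFailures = @(
    [pscustomobject]@{ TimeCreated = '2009-03-01 02:14:07'; TargetUserName = 'Administrator';  IpAddress = '203.0.113.17' }
    [pscustomobject]@{ TimeCreated = '2009-03-01 02:14:09'; TargetUserName = 'administrator';  IpAddress = '203.0.113.17' }
    [pscustomobject]@{ TimeCreated = '2009-03-01 02:14:11'; TargetUserName = 'admin';          IpAddress = '203.0.113.17' }
    [pscustomobject]@{ TimeCreated = '2009-03-01 03:02:44'; TargetUserName = 'svc-breakglass'; IpAddress = '198.51.100.9' }
    [pscustomobject]@{ TimeCreated = '2009-03-01 03:02:51'; TargetUserName = 'svc-breakglass'; IpAddress = '198.51.100.9' }
    [pscustomobject]@{ TimeCreated = '2009-03-01 08:30:00'; TargetUserName = 'alice';          IpAddress = '10.0.0.5' }
)

function Get-FailedLogonEvents {
    # Pulls the same three fields from real 4625 events (elevated session required).
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $data['TargetUserName']
                IpAddress      = $data['IpAddress']
            }
        }
}

function Split-AdminLogonFailures {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $RenamedAdmin
    )
    # -eq is case-insensitive in PowerShell, which matches how Windows treats account names.
    # After renaming, 'Administrator' maps to no account at all, so the match has to be
    # on TargetUserName; there is no SID to filter on for the old name.
    $noise    = @($Events | Where-Object { $_.TargetUserName -eq 'Administrator' })
    $targeted = @($Events | Where-Object { $_.TargetUserName -eq $RenamedAdmin })
    [pscustomobject]@{
        NoiseAgainstOldName = $noise.Count
        AgainstRenamedAdmin = $targeted.Count
        TargetedSources     = @($targeted | Select-Object -ExpandProperty IpAddress -Unique)
        TargetedEvents      = $targeted
    }
}

# Usage against the constructed sample; swap in (Get-FailedLogonEvents) for real data.
$result = Split-AdminLogonFailures -Events $SampleFailures -RenamedAdmin $RenamedAdmin
$result | Format-List NoiseAgainstOldName, AgainstRenamedAdmin, TargetedSources
```

The point of the split is what you do with each half: hits against the old name are scanner noise and can be summarised, whereas any hit against the renamed account means the attacker has already learned the new name (the SID translation above is one way) and deserves an alert in its own right. It also shows why the saving is small: the same alert is available without renaming by keying on the source address instead, since no legitimate remote logon to the Administrator account should be arriving from outside the VPN in the first place.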
I’m hoping to entice some of the Security MVPs to contribute to this debate – maybe even Roger and Jesper. There are two sides, here, and I doubt that I’ll actually end up converting anyone to my side who wasn’t already there to begin with.