
Re: [Samba] rename Administrator account




On Tue, 2017-03-21 at 16:33 +0100, Bart Coninckx via samba wrote:
> > Sure you can rename it. Being a member of the right groups decides
> > what an account can do.
> > However, I don't understand how renaming the admin account improves
> > the security. For example, every domain user can easily find out who
> > is a member of the "Domain Admins" group:
> > > dsquery group -name "Domain Admins" | dsget group -members
> 
> "CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"
> 
> > Regards,
> > Marc
> 
> Hi Marc,
> 
>  
> I agree that is not the holy grail of security, but as an average
> user is not able to do a dsquery, it has some added value.
> 
> My customer asked me this, so now I can tell him that it is
> possible,

Indeed.  I know it is often on the security checklists, and while we
can fight all day about futility, we also need to do better.

On a matter that is much more useful, Samba 4.7 will, assuming I can
land the patches, have some great audit logging for authentication and
authorization in the AD DC.  That should make some security auditors
much happier.

Andrew Bartlett

