Web lists-archives.com

Re: [Samba] rename Administrator account

On Tue, 2017-03-21 at 16:33 +0100, Bart Coninckx via samba wrote:
> > Sure you can rename it. Being a member of the right groups decite
> > what 
> > an account can do.
> > However, I don't understand how renaming the admin account improves
> > the 
> > security. For example, every domain user can easily find out who is
> > a 
> > member of the "Domain Admins" group:
> > > dsquery group -name "Domain Admins" | dsget group -members
> "CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"
> > Regards,
> > Marc
> Hi Marc,
> I agree that is not the holy grail of security, but as an average
> user is not able to do a dsquery, it has some added value.
> My customer asked me this, so I now I can tell him that it its
> possible,

Indeed.  I know it is often on the security checklists, and while we
can fight all day about futility, we also need to do better.

On a matter that is much more useful, Samba 4.7 will, assuming I can
land the patches, have some great audit logging for authentication and
authorization in the AD DC.  That should make some security auditors
much happier.

Andrew Bartlett

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba