JSI Tip 0519 - Everyone can find your renamed administrator.
May 7, 1998
Two small utilities for Windows NT allow you to query the SAM to find a SID for a given account name and vice versa.
Download SID.ZIP which contains User2sid.exe and Sid2user.exe.
User2sid is a command line interface to a WIN32 function, LookupAccountName. Usage:
user2sid [\\computer_name] account_name
Sid2user is a command line interface to a WIN32 function, LookupSidName. Usage:
sid2user [\\computer_name] authority subauthority1 ...
Everyone can use these functions. To find out the name of your Administrator account:
user2sid "domain users"
S-1-5-21-201642981-56263093-24269216-513
This reveals the domain authority (5 21 201642981 56263093 24269216). Accounts in the same domain differ only in the last component, the RID (here 513). To look up the built-in Administrator (RID 500), whatever it has been renamed to:
sid2user 5 21 201642981 56263093 24269216 500
You can look up all the accounts:
sid2user 5 21 201642981 56263093 24269216 1000
sid2user 5 21 201642981 56263093 24269216 1001
sid2user 5 21 201642981 56263093 24269216 1002
.......
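As an added illustration (not part of the original tip), the following Python script parses a SID string such as the one above into its identifier authority, sub-authorities and RID, flags the well-known RIDs the tip relies on, and reproduces the in-memory layout (revision, sub-authority count, 6-byte authority, 32-bit sub-authorities), which is why a SID with five sub-authorities occupies 28 bytes. The sample SID is the one quoted in the tip; the RID table is a constructed subset of the well-known values.

```python
import struct

# Constructed table of well-known RIDs (relative identifiers). RID 500 is the
# built-in Administrator regardless of what the account has been renamed to.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-513' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def domain_and_rid(sid):
    """Return the domain identifier (everything but the last sub-authority) and the RID."""
    _, authority, subs = parse_sid(sid)
    domain = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def sid_to_bytes(sid):
    """Encode the SID as Windows holds it in memory: revision (1 byte),
    sub-authority count (1 byte), authority (6 bytes, big-endian), then each
    sub-authority as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid(sid)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def describe(sid):
    """Summarise a SID the way sid2user's output does: domain, RID, meaning, size."""
    domain, rid = domain_and_rid(sid)
    return {
        "domain": domain,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "size_in_memory": len(sid_to_bytes(sid)),
    }


if __name__ == "__main__":
    print(describe("S-1-5-21-201642981-56263093-24269216-513"))
```

Running it on the tip's "domain users" SID reports the domain part, RID 513 as Domain Users and a 28-byte encoding, matching the sid2user output later in the tip.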
The Anonymous logon is also a member of Everyone, so if you don't disable it, anyone who can reach the server over the network can run the same queries. nslookup www.xyz.com or tracert www.xyz.com displays the IP address:
net use \\131.107.2.200\ipc$ "" /user:""
The command completed successfully.
user2sid \\131.107.2.200 "domain users"
S-1-5-21-201642981-56263093-24269216-513
Number of subauthorities is 5
Domain is XYZ_domain
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500
Name is XYZAdmin
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000
Name is
Domain is XYZ_domain
Type of SID is SidTypeDeletedAccount
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001
Name is Simpson
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112
LookupSidName failed - no such account
To restrict Anonymous logons, edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
On the Edit menu, choose Add Value, enter the value name RestrictAnonymous with data type REG_DWORD, and set it to 1. You must reboot for the change to take effect.