NT Gatekeeper: Protecting the Administrator Account
The user2sid tool lets anyone find the Administrator account’s SID. Here's how to protect it.
August 4, 2002
Get answers to your security-related NT questions
[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!]
A security consultant told me that renaming the Windows NT Administrator account offers no protection from intruders because the account is associated with a SID that lets intruders easily recognize it as an Administrator account. Is this statement correct? How can I retrieve an Administrator account's SID, and what makes it so recognizable?
The consultant's statement is correct. The built-in Administrator account's SID always has the form S-1-5-21-XXXX-XXXX-XXXX-500: the S-1-5-21 prefix and the three XXXX blocks identify the machine or domain, and the trailing 500 is the relative identifier (RID) that Windows NT reserves for the Administrator account. Renaming the account changes only its name, not its SID, so the account stays recognizable. This holds for both local and domain Administrator accounts.
Anyone can use Evgenii Rudnyi's user2sid tool to query the SAM database to view the SID that corresponds to an account name. Rudnyi's sid2user tool performs the reverse operation: retrieving the username associated with a SID. Anyone can download these tools for free from http://www.chem.msu.su/~rudnyi/NT.
You can use a registry entry to make sure that unauthorized users can't connect to your systems anonymously and run these tools against them. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey, set the RestrictAnonymous entry (of type REG_DWORD) to a value of 1. This setting blocks the anonymous lookup route; it does not change the SID, so a renamed account is still identifiable to anyone who can query the SAM with credentials.
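As an added example (not code from this column or from Rudnyi's tools), the following Python shows why renaming does not hide the Administrator account: it parses SID strings and the binary SID layout stored in the SAM, and flags any account whose RID marks a well-known role regardless of its current name. The machine identifier and account names are constructed samples.

```python
# Added example, not the article's code: identifies the built-in Administrator by
# RID even after renaming, and converts between string and binary SID forms.
import struct

ADMIN_RID = 500
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

def parse_sid(sid: str) -> tuple[int, list[int]]:
    # 'S-1-<identifier authority>-<sub-authority>-...' -> (authority, [sub-authorities])
    parts = sid.split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"] or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"not a valid SID string: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]

def rid(sid: str) -> int:
    # The relative identifier (RID) is always the last sub-authority.
    return parse_sid(sid)[1][-1]

def is_builtin_admin(sid: str) -> bool:
    # S-1-5-21-<machine or domain id>-500, whatever the account is currently named.
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 5 and subs[0] == 21 and subs[-1] == ADMIN_RID

def encode_binary_sid(sid: str) -> bytes:
    # Binary layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    # identifier authority (6 bytes), then count x 32-bit little-endian sub-authorities.
    authority, subs = parse_sid(sid)
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def decode_binary_sid(raw: bytes) -> str:
    # Inverse of encode_binary_sid; rejects truncated or non-revision-1 input.
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "S-1-" + "-".join(str(n) for n in (authority, *subs))

def audit_accounts(accounts: dict[str, str]) -> list[str]:
    # Flag accounts whose RID marks a well-known role even though they were renamed.
    findings = []
    for name, sid in accounts.items():
        role = WELL_KNOWN_RIDS.get(rid(sid))
        if role and name.lower() != role.lower():
            findings.append(f"{name!r} is the built-in {role} (RID {rid(sid)}) despite its name")
    return findings

# Constructed sample: the three middle numbers are a made-up machine identifier.
MACHINE = "S-1-5-21-1234567890-987654321-1122334455"
SAMPLE_ACCOUNTS = {"sysop": MACHINE + "-500", "Guest": MACHINE + "-501", "jsmith": MACHINE + "-1001"}
```

Running audit_accounts(SAMPLE_ACCOUNTS) reports the renamed "sysop" account as the built-in Administrator, which is exactly the inference the sid2user/user2sid pair makes.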