On 2009-05-14 nameless wrote: > Steve Quan wrote: >> Is there something like su/sudo in the Windows world ? How do windows >> administrators handle this (ie accountability) ? > > There is "runas". Indeed. There's also a variety of third-party tools like SuperiorSU [1]. > There is no accountability with the local admin account. You can > disable the account and use domain credentials, but when the domain > isn't available, you're screwed, so it is a poor decision. I wouldn't agree entirely. It depends on who is given the password for the local administrator account. You only have no accountability if more than one person knows that password. [...] > In regards to changing the Admin account name, why make it easy for > the kiddiots? It is trivial for any of us to bypass this, right? Please elaborate. What attack scenarios do you see that aren't mitigated by a strong password? Besides, even if you change the login name, the SID of the account (which is well-known) still remains the same. [...] > Changing the Administrator name is just another layer in the onion of > your defensive strategy. I entirely fail to see what additional security that will gain you, so please explain. [...] > And I'm not trying to be a smart ass, but does anyone really use > LM-hashes anymore? I don't believe they're actually used by anyone anymore. However, the use of LM-hashes is still enabled by default on any XP. [1] http://www.stefan-kuhr.de/cms/index.php?option=com_content&view=article&id=62&Itemid=73 Regards Ansgar Wiechers -- "The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user." --http://developer.apple.com/technotes/tn2004/tn2118.html
