What is the theory behind this windows security restriction?

Where I work, I use my normal Windows login to do stuff like read my e-mail and enter change orders, but when I need elevated privileges (I’m a DBA) I have to run programs using an alias. When this policy was implemented, I was told that I could pick my alias. Now, let’s assume I picked the name Anthony Dinozzo (this is an example only; in real life my alias would be as recognizable and unusual as Frank Zappa, Sonny Bono, or Salma Hayek). Obviously a famous character, well known, etc. The userid on our system would be adinozzo. I would not use Anthony in any form on the system, except for the naming of certain system folders.

I was told by our security department that I cannot be Anthony Dinozzo. They changed my name to Anton Dinozzo. In other words, they did nothing to change the recognizability of the userid itself, but instead changed the name portion, which you only see upon looking up the user in AD…it has almost no power whatsoever.

I then pointed out that there were plenty of other names on the system that were not so censored, such as Ronald Reagan, Steve Yzerman, etc., and I was told that it wasn’t worth the time to go back and change all the legacy accounts. I was flabbergasted…if this sort of thing is a security risk, and apparently it can be mitigated without even changing the id in question, why wouldn’t they want to change it everywhere it occurs to close the security holes?

If someone in the security industry could enlighten me here, I would be much obliged.

I think your IT Dept has an unusual attitude to security. In fact, I’d suggest it’s a recipe for disaster. I professionally would not recommend not using such identifiers. Admin and other special accounts and groups should be clearly marked. For instance, you might start service accounts with Service_ and admin accounts with Admin_. For your DBA admin account, I might have a format of Admin_DBA_Crazyjoe. This makes the identifiers absolutely clear to the administrator, telling me that this is your DBA Admin account. Then an administrator or auditor (and auditing should be enhanced for privileged accounts) can easily check that it’s got the correct security rights, and that it’s not an account for everyday use, and that it’s not being abused. I disagree with using the names of famous people as there may well be non-famous people with that name.

They strongly subscribe to “security through obscurity” here. In other words, by not having special qualifiers on the user account names, an outsider can’t easily tell which are privileged accounts and which are not.

Are you an IT Security professional?

It’s not my main focus, which is IT Support and administration, but I’ve done more than a bit. If you’ve got a user list of 2000+ IDs, it’s very helpful to know which account does what. Especially when you get a directive like, “Do this for all accounts with X access rights.”

Let me give a slightly more complex example. Accounts for Windows services often need admin rights to the local machine (as well as the Logon As A Service priv). Since all machines use the same service accounts, it’s very simple to just give the service accounts domain admin rights. Easy, eh? Well yes, except it’s a bit of a security hole. Better practice would be to create a network group, Admin_PC123456, for each PC, add the service account to that group, and add that group to the local admins group. So the service account is no longer a domain admin and can’t be used to compromise the network so badly. You can extend this to normal applications.
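The per-machine group model described in the post above, written out as an added example (this is not the poster's code or any particular organisation's script). It assumes the ActiveDirectory module, a machine named PC123456, a service account sAMAccountName of svc_backup and an OU path, all of which are placeholders; the "Log on as a service" right is still assigned through Group Policy and is not handled here.

```powershell
# Added example: give a service account local admin on one machine through a
# per-machine group, instead of making the service account a Domain Admin.
# Assumed/hypothetical names: PC123456, svc_backup and the OU path below.
Import-Module ActiveDirectory

$ComputerName   = 'PC123456'                                   # assumed machine name
$ServiceAccount = 'svc_backup'                                 # assumed service account (sAMAccountName)
$GroupName      = "Admin_$ComputerName"                        # naming convention from the post
$GroupOU        = 'OU=MachineAdminGroups,DC=example,DC=local'  # assumed OU for these groups
$Domain         = (Get-ADDomain).NetBIOSName

# 1. One domain-local security group per machine. Skip creation if it already exists.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description "Members are local Administrators on $ComputerName"
}

# 2. The service account goes into that group, not into Domain Admins.
Add-ADGroupMember -Identity $GroupName -Members $ServiceAccount

# 3. Nest the group into the machine's local Administrators group.
#    Add-LocalGroupMember / Get-LocalGroupMember exist on Windows 10 / Server 2016 and later.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($member)
    $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object Name -eq $member
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }
} -ArgumentList "$Domain\$GroupName"

# 4. Check that the account did not also end up in a domain-wide admin group,
#    which would defeat the point of the per-machine group.
$elevated  = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$svcGroups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
             Select-Object -ExpandProperty Name
$leak      = $svcGroups | Where-Object { $_ -in $elevated }
if ($leak) {
    Write-Warning "$ServiceAccount is still a member of: $($leak -join ', ')"
} else {
    Write-Output "$ServiceAccount is a local admin on $ComputerName only via $GroupName"
}
```

Because the group is scoped to one machine, a compromise of the service account on PC123456 yields local admin there rather than on every computer in the domain; the final check is worth keeping in the script because nested group membership makes it easy to grant domain-wide rights by accident.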

That is, unless the outsider can recognize Ronald Reagan, Frank Zappa, Salma Hayek, etc. and know celebrities probably don’t actually work for the company :rolleyes:

Look, you’ll only hurt yourself if you try to figure out rational, logical reasons for most ‘security’. While there are certainly some very smart people doing computer security, the vast majority either don’t understand the goals and trade-offs of security, don’t understand computers, have bosses who don’t understand trade-offs, or all of the above. And of course, because real security incidents happen so rarely, the clueless never get much chance to learn when they’re wrong.

My advice is to never assume that security ‘professionals’ really know what they’re doing. Every once in a while there really is a rational reason for seemingly stupid policy, but usually you’ve got the choice of just going along with it, or trying to find a higher-level supervisor who’s both smart enough to actually understand security and computers, secure enough mentally to challenge the supposed ‘professionals’ and has enough internal power to sustain his/her challenge of the supposed ‘professionals’ (who are just blindly imitating something they heard/read or are making a completely faulty analogy from a physical object to an information system).

I’m with Joe on this one - use of prefixes/qualifiers for account types is a security hole. As in, “Hmm, I’ll bet CrazyJoe has an Admin account so I’ll try to guess a password for Admin_CrazyJoe…”.

Most secure (without special stuff) would be randomly generated account names and secure passwords (special characters etc.) which expire frequently.

For mass changes, you simply create groups for various account types.

Another factor might be to review the related literature regarding Apple and Carl Sagan. Product names instead of user names, but still, do the math.

This is part of my point. No one who logs onto a domain does a search by the actual person’s name…most people don’t have a clue how to do that. But it’s not a big stretch to see an ID like FZAPPA or SHAYEK and assume they are alias accounts because they are ids the celebrity might have. Changing them to Floyd Zappa, so that the ID is still easily recognizable, is just dumb.

And it’s dumb to make this change for recently submitted requests for aliases yet leave the dozens of old ones intact. It isn’t security through obscurity, it’s security through stupidity.

The only effect of making passwords expire frequently is to guarantee that there will be important passwords written on Post-it notes stuck to monitors. Who are you supposed to be stopping by changing a password every month? Some attacker who got a password three weeks ago? Sorry, but that dude already logged in and did all the damage he needed to do about two weeks, six days, 23 hours, and 57 minutes ago.

Did they specifically say they changed it because it was a real person’s name? Or did they imply that?

I might make a guess that some part of their system requires the first name to be six letters or less … (of course that’s only based on your examples).

Alternatives: IT security were bored, IT security hadn’t exercised any power over anyone for a while, someone higher up the chain was bored and decided to implement a new policy, someone somewhere read some example of a weakness – misunderstood it – and implemented a knee-jerk policy.

It’s curious, but no more. Short of getting the IT guys drunk and asking them, you’ll probably never find out.

SD – no longer IT security but I battle constantly to make sense of ours here (or change it so it’s useful)

Agreed. And if you go for weird account names, they’ll be written down on the same post-it.

I disagree with this. For ordinary user accounts, you’re probably right, but I’d still recommend a 3 month expiry for a number of reasons. Not least because people are constantly giving out their passwords to others when they need something done on the fly.

For service (non-user) accounts there should really be a process for changing passwords regularly. A lot of firms do this and log the latest password in some kind of encrypted system to avoid the post-it note scenario.

As for the damage already being done - Quite possibly, but so many passwords are lost due to bot harvesting, or password cracking offline files over a large period of time, etc., that it isn’t a foregone conclusion that a potential hacker has already struck. A lot of password lists/files are also sold on the black market, which means they could be out of date by the time an attack is attempted.

What good is that? People will just give out the password to the encrypted system. So you’ll have to change that password all the time, too. And then you’re back where you started, as people will have to write down the new password.

If something needs to be that secure, use some sort of thumb print thing or something.

Also, if your system is set up well, there should be no reason to give out your password to anyone else. Eliminate the need to do it, and you won’t have the problem.

If there are accounts that are used by automated processes, then the passwords should be set to never expire and have the right to login interactively removed.

Technicians’ privileged accounts should be on the same password change schedule as the others. Opinions seem to be mixed on generic privileged accounts: I suggest that passwords for these do not expire, but are changed when a member of staff leaves the team or when the project ends.

Possession of privileged accounts should be reviewed regularly. Monthly is too short a period, yearly too long.

As few people as possible should have Domain Admin rights, let alone Enterprise Admin.
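A periodic membership review of the kind the post above recommends, written out as an added example that is not the poster's own script. It also applies the Admin_ naming convention suggested earlier in the thread as one of its checks; the prefix, the group list and the 90-day staleness threshold are assumptions to adjust locally, and it requires the ActiveDirectory module.

```powershell
# Added example: list everyone who holds Domain Admin / Enterprise Admin rights
# (directly or through nested groups) and flag entries a reviewer should look at.
# Assumptions: the Admin_ prefix convention from earlier in the thread, the group
# list below, and 90 days as the "stale" threshold.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$AdminPrefix      = 'Admin_'   # assumed naming convention for privileged accounts
$StaleAfterDays   = 90         # assumed threshold
$cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are included.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            # A null LastLogonDate compares as "less than" the cutoff, so accounts that
            # have never logged on are also flagged as stale.
            $findings = @(
                if ($_.SamAccountName -notlike "$AdminPrefix*") { 'no admin prefix (everyday account?)' }
                if (-not $_.Enabled)                            { 'disabled but still privileged' }
                if ($_.LastLogonDate -lt $cutoff)               { "no logon in $StaleAfterDays days" }
                if ($_.PasswordNeverExpires)                    { 'password never expires' }
            )
            [pscustomobject]@{
                Group                = $group
                Account              = $_.SamAccountName
                Enabled              = $_.Enabled
                LastLogonDate        = $_.LastLogonDate
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                Findings             = $findings -join '; '
            }
        }
}

# Keep the full list as evidence of the review; show only the flagged rows on screen.
$report | Export-Csv -Path ".\privileged-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Where-Object Findings | Sort-Object Group, Account | Format-Table -AutoSize
```

The findings are prompts for a human reviewer rather than verdicts: a member without the prefix may be a legacy account that needs renaming, and a stale member is usually someone who changed role and kept the rights. Running this on a schedule between "monthly" and "yearly" gives the review cadence the post describes a concrete artifact to sign off on.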

Well, I certainly don’t have domain admin rights. I am a member of an AD group that gets local admin rights on all DB servers, and which is then set up on each DB server to have sysadmin rights on the database software as well. (We removed the security hole where local admins get sysadmin rights on the DB by default.)

We have very few domain admins here, and they are auditing and removing those rights wherever they can. In general, they seem to be on the ball about a lot of things, but they do some really dumb stuff as well.

I work as a developer in the PKI field, so it’s not really my area of expertise.

I’m really not getting this…why is it considered a security risk to have an account named Ronald Reagan?

That’s what I am asking…for people in IT security, what rationale could my security department possibly be using for these asinine policies?

Asked and answered. It is reasonably guessable that celebrity named accounts are accounts with special privileges and hence worth devoting effort to attack.

How would you know there are such accounts? Either, having acquired the accounts list first, you can see the account names and pick out the special ones, or alternatively execute “dictionary”-style attacks on celebrity account names.

No, the rationale is “It’s more secure that way” “But how is it more secure?” “What, don’t you like having security? Follow the rules, because it’s not secure not to”.

Except that I just gave you a rational rationale. You can reject it irrationally if you want, but then you would have to reject the rationale that passwords ought not be words from a dictionary, or celebrity names either, each of which is contained in well-known dictionaries for attacks.