not_alice, I think you were posting in the “Bad username or password” thread, where the concept of security through obscurity was generally shown to be dumb, but even further, if you read through this thread, you can see that our area is following a stupid policy. If the “name” you give to Windows is Fred Zappa but the ID is FZAPPA, people are still going to think that it’s got a high likelihood of being a celebrity name. Because if you can get to the point where you can see the name property on an account, you can also see that it’s a member of the DBA group, or the Domain Admins group, etc., so the actual name itself is going to be irrelevant.
Maybe you are not clear on how dictionary attacks work?
I think you’re less clear than I am. A dictionary attack uses stored data to slowly whack away at a chosen vulnerability point. How it chooses that vulnerability point is sort of what’s in question here. Any dictionary attack sophisticated enough to look at the actual name associated with an account is going to be much better served looking for keywords like:
Admin
Administrator
Domain Admin
DBA
Exchange Admin
Enterprise Admin
in the group membership property instead of looking to see if they have the same name as a celebrity. In other words, they are closing a hole that would only exist using the stupidest attack ever, while leaving the prime indicator, the actual ID, exposed.
Feel free to explain to me where my thought process has gone wrong. If I want hand-waving, I can contact my own internal security department for that. (In fact, I did, and hand-waving, “we can’t possibly be arsed to explain ourselves to you” attitudes were what was received.)
And funny thing - a computer can handle the task of zillions of possible passwords, and the same for accounts. Those are likely to be in the list, sure. So are other likely account names - it costs nothing to keep trying. I bet starwars and other geek stuff would be in any list too.
Haven’t done Windows admin for a while, but refresh me - would you have a list of an account’s privileges before you are logged in? If so, maybe there is a bigger security hole than we are discussing.
Stupid, but it works sometimes. That’s all you need.
[QUOTE]
Feel free to explain to me where my thought process has gone wrong. If I want hand-waving, I can contact my own internal security department for that. (In fact, I did, and hand-waving, “we can’t possibly be arsed to explain ourselves to you” attitudes were what was received.)
[/QUOTE]
Two main reasons:
- you might have an employee genuinely named Ronald Reagan, and
- the obscurity can work against you: an account named RR might be fine now, but what about in 5 years time when all the IT staff have changed or perhaps you’ve merged with another company or three?
I don’t see those as being obstacles. There is already more than one John Smith where I work. The first one employed got JSMITH and the second one got JSMITH2. I’m not sure exactly what the problem is with #2. Unless you are advocating that there should be usernames like Crazyjoe_ELEV, you will always run the risk of duplicating a real person’s name.
Now quick, which one’s the one with elevated privileges? You can’t tell, can you? Imagine the poor sysadmin in 5 years time when the job has been passed on 2 or 3 times.
Edit: and imagine that the sysadmin has 5000 login IDs to scan.
I suppose it IS pretty hard to do a “net user jsmith2” and see if he is in any elevated groups.
That won’t actually work.
Now correct the command and do that for several thousand login IDs. Plus you’ve got to recognise the elevated groups.
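The check being argued over above (scan every login ID for membership in an elevated group, whether you are the sysadmin with 5000 IDs to wade through or the attacker grepping the group-membership property for “Admin”, “DBA” and friends) is a short script, not a per-account “net user”. The following is an added example and not any poster’s code. It assumes the RSAT ActiveDirectory module (Get-ADUser with -Properties MemberOf) for the live query; the group list and the three sample accounts are constructed here so the function can be run offline, and the “DBA” and “Exchange Admin” group names are taken from the thread rather than from any standard Windows group.

```powershell
# Added example (not from the thread): flag accounts that are direct members
# of any group on a privileged-group list, the scan the thread says is hard
# to do across thousands of IDs with "net user".
# Assumes the RSAT ActiveDirectory module for the live query at the bottom;
# the sample data is constructed so the function can be exercised offline.

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'DBA', 'Exchange Admin'    # site-specific names taken from the thread; assumed, not built-in
)

function Find-PrivilegedAccounts {
    param(
        # Any object with SamAccountName and MemberOf, e.g. Get-ADUser -Properties MemberOf
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $Groups = $PrivilegedGroups
    )
    process {
        # MemberOf holds group distinguished names such as
        # "CN=Domain Admins,CN=Users,DC=corp,DC=example"; take the CN and
        # compare it (case-insensitively, which -contains does) with the list.
        # Simple split: a CN containing an escaped comma would need a real DN parser.
        $hits = foreach ($dn in @($User.MemberOf)) {
            $cn = ($dn -split ',')[0] -replace '^CN=', ''
            if ($Groups -contains $cn) { $cn }
        }
        if ($hits) {
            [pscustomobject]@{
                SamAccountName   = $User.SamAccountName
                PrivilegedGroups = ($hits -join '; ')
            }
        }
    }
}

# Constructed sample in the same shape Get-ADUser -Properties MemberOf returns.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';  MemberOf = @('CN=Domain Users,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'jsmith2'; MemberOf = @('CN=Domain Users,CN=Users,DC=corp,DC=example',
                                                                'CN=Domain Admins,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'fzappa';  MemberOf = @('CN=DBA,OU=Groups,DC=corp,DC=example') }
)

# Lists jsmith2 (Domain Admins) and fzappa (DBA); jsmith does not appear.
$sample | Find-PrivilegedAccounts | Format-Table -AutoSize

# Against a real domain, same function over every account:
# Get-ADUser -Filter * -Properties MemberOf | Find-PrivilegedAccounts
```

Two caveats a practitioner would want. MemberOf (like “net user”, which for a domain account needs “/domain”) shows direct membership only, so a user who is in a helpdesk group that is itself nested inside Administrators is missed; to catch nesting, walk the other way with Get-ADGroupMember -Recursive on each privileged group and collect the users it returns. And the script answers the thread’s point exactly: whoever can read MemberOf at all (the sysadmin, or an attacker with any authenticated domain account) gets the elevated-privilege list directly, so hiding it behind an obscure login name buys nothing.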