From: Alec Berryman
To: freebsd-security@freebsd.org
Date: Thu, 3 Mar 2005 07:57:02 -0500
Subject: Re: Renaming root account
Message-ID: <20050303125702.GA52534@thened.net>
In-Reply-To: <4226D0A2.70508@winbot.co.uk>

Craig Edwards on 2005-03-03 08:53:54 +0000:

> Basically I am aware of the fact that other systems (for example
> Windows) let you change the administrative user's username to
> enhance security that little bit more.

On our networks we have certainly changed the Windows Administrator account's name, but that's mostly because there's no good way to remotely log in as an unprivileged user and perform the equivalent of 'su -'. [1]

I suggest that instead of changing root's username that you simply disallow direct remote logins as root and require anyone who needs root access to go through an unprivileged user account. I would guess with the level of security measures you've put in place this has already been done, but I didn't see you mention it. Certainly you mentioned that changing root's username won't fool local users, but I think that disallowing remote logins as root provides the same end as changing the Administrator account on Windows.

> Security through obscurity on its own is not a good method of
> securing a network but when combined with other systems, it can be
> an advantage.

There's certainly nothing wrong with obscuring things a little as long as it's only part of the whole security plan.

[1] I'm no Windows guru - if there is a way I'd certainly like to know!
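
The following is an added example, not part of the original message: one way to verify that direct remote root logins are disabled, as the message recommends. It assumes remote logins arrive over OpenSSH sshd; the function names `audit_root_login` and `sample_config` and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): check an sshd_config-style
# file for the "no direct remote root login" setup the message recommends.
# Assumption: remote logins arrive over OpenSSH sshd.

# audit_root_login FILE   (FILE may be "-" for stdin)
# Prints the effective global PermitRootLogin value and any Match-block
# override that is not "no". Returns 0 only if root login is fully disabled.
audit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # comment or blank line
        {
            sub(/[ \t]*=[ \t]*/, " ")          # accept the Keyword=value form
            key = tolower($1); val = $2        # keywords are case-insensitive
        }
        key == "match" { in_match = 1; next }  # block runs to next Match or EOF
        key != "permitrootlogin" { next }
        in_match {                             # Match blocks override the global value
            if (val != "no") {
                over = over sprintf("match-override=%s line=%d\n", val, NR)
                bad = 1
            }
            next
        }
        !seen { seen = 1; global = val }       # sshd keeps the first value it reads
        END {
            if (!seen) global = "unset"        # default then depends on the sshd build
            if (global != "no") bad = 1
            print "global=" global
            printf "%s", over
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample configuration for the demonstration.
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
permitrootlogin=no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
EOF
}

sample_config | audit_root_login - || echo "direct root login is not fully disabled"
```

An unset value is reported as a failure because the built-in default differs between sshd builds, so the setting should be stated explicitly.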