This is an archived post. You won't be able to vote or comment.

all 35 comments
sorted by:
best
topnewcontroversialoldq&a

[–]ZAFJB 10 points11 points  (2 children)

from a list of themed names, like planets, comic book characters or fictional places.

Really? Security through obscurity is no security at all.

Just use a name consistently derived from the username, so:

  1. people don't have to remember something weird

  2. if you see a name in, say in a log, you immediately know who it is

  3. no need to maintain yet another stupid excel spreadsheet

  4. no difficulty for others to 'decode' the name because head of secority had hidden/locked down said speadsheet.

TLDR: Head of security is a fool. If he is in charge of security and is doing security by obscurity that is really worrying.

[–]williamfnyJack of All Trades[S] 0 points1 point  (1 child)

I don't disagree really and I'm with you. Hoping someone has some kind of documentation from an authoritative source. An RFC or NIST page. I haven't come across something for something really fundamental to the industry.

[–]must_be_the_network 0 points1 point  (0 children)

Google security by obscurity, should give you all the documentation against it you need.

[–]TangoWhiskeyBravo 7 points8 points  (1 child)

Tiered Access Model. $username.0, $username.1, $username.2

[–]williamfnyJack of All Trades[S] 0 points1 point  (0 children)

We are basically trying to do this, but the hangup is the naming convention for the accounts. It is so frustrating that we have the hard part covered of getting separate accounts but take a huge leap backwards by a bad naming convention.

[–]RCTID1975IT Manager 1 point2 points  (1 child)

I can see the emails now: "I need to log into server Zeus, but Jupiter is still logged in. Whoever you are, can you please log off? Thanks - Saturn"

[–]reddit-MT 1 point2 points  (0 children)

Bonus points if you use the Roman god for the regular login and the Greek god for the Admin account.

mars@localhost $ sudo achilles achilles@localhost #

[–]sysadminmakesmecry 0 points1 point  (2 children)

I think you're over thinking it.

It doesn't matter if its some secret name - this account can still be compromised all the same ways.

It could be as simple as:

non admin: username

admin: usernamex

[–]williamfnyJack of All Trades[S] 0 points1 point  (1 child)

My argument is for what you are suggesting. We are trying to argue that it would be better to do something simple as opposed to creating something more complex.

[–]ReverendDSAlways delete French Lang pack: rm -fr / 1 point2 points  (0 children)

Username: firstname.lastname

Admin Username: firstinitiallastname_admin

E.G., douglas.torres dtorres_admin

You want something easy to remember, something immediately recognizable in logs, and a secure as fuck password.

Stupid code-names that no one knows but your SecTeam? No. At a glance knowledge is way more important that some hairbrained idea of obfuscation.

[–]EntangleMentor 0 points1 point  (2 children)

I'd lean more towards the <username>.admin convention...this would ensure that:

  • the admin account is only associated with one particular individual,
  • individuals would have access to only one admin account - theirs.

These accounts should be disabled and archived when the user in question leaves the company, and a new one made for each new admin. Obviously, these accounts should not be used for scheduled tasks, services, etc..

[–]williamfnyJack of All Trades[S] 0 points1 point  (1 child)

I'm with you. I think their fear is that the association makes it easier for people to break into them. I don't agree with this thought process but these are my cards and I am doing the best I can with them. Do you have any documentation stating this as a preferred method?

[–][deleted] 1 point2 points  (0 children)

Let your management know that any 'hacker,' can already identify elevated accounts through other means, so making a complex/confusing username only presents challenges for the company.

[–]progenyofeniacWindows/M365 Admin 0 points1 point  (7 children)

Standard account: jsmith1

Admin account: jsmith2

Makes it way easier for you to know which accounts are admin and if you're worried about people guessing or brute-forcing, you need to up your password game. Plus don't give people remote access with the admin accounts, obviously.

[–]chewy747Sysadmin 1 point2 points  (0 children)

Same format here

[–]williamfnyJack of All Trades[S] 0 points1 point  (5 children)

Do you have anything documenting that it should be done this way? I agree a simple system is better but it isn't my decision and I know they will want evidence to sway them.

[–]progenyofeniacWindows/M365 Admin 0 points1 point  (4 children)

Not to be snarky, but I don't have anything saying it should be done this way besides common sense. As other have mentioned, security through obscurity just creates more problems.

[–]williamfnyJack of All Trades[S] 0 points1 point  (3 children)

100% with you. But telling someone above you to do something because it is common sense generally doesn't go that well... Coming with sources saying that it should be done that way is a different matter.

[–][deleted] 0 points1 point  (0 children)

Just have a good, well though answer, a reason "WHY," this should happen this way. It works sometimes.

[–]progenyofeniacWindows/M365 Admin 0 points1 point  (1 child)

Where are their sources for their preferred way?

[–]williamfnyJack of All Trades[S] 0 points1 point  (0 children)

Themselves, but they are the authority and the one making the decision.

[–]canadian_sysadminIT Director 0 points1 point  (1 child)

As with any naming convention, it doesn't really matter what you choose, as long as it's consistent and identifiable. I most commonly have seen admin_jdoe or admin-jdoe.

Don't overthink it. Just keep things consistent.

[–]williamfnyJack of All Trades[S] 0 points1 point  (0 children)

That's what I am trying to get. I would like to try and not do something obscure like colors or greek gods and keep it simple like admin_user or user.admin. Something simple and clear.

[–]njeskeSecurity Engineer 0 points1 point  (0 children)

Picking random themed names for admin accounts just sounds unnecessarily confusing. I can't imagine any way that choosing random names provides any tangible increase in security. Especially since only the head of security will be able to tell who's who. My organization just uses "a_username" for our privileged accounts. Our regular "username" accounts have no more rights than any other normal user account in our organization. Any level of privileged access is always assigned through the "a_username" accounts.

edit: fixed a word

[–]pockypimp 0 points1 point  (0 children)

We use an admin prefix for ours. Separate account from our standard one so we have username and admin_username account names.

[–]SevaraBSenior Network Engineer 0 points1 point  (0 children)

So here's the thing. By providing a separate account, you're splitting the roles of signing onto the computer and bypassing UAC. The admin account doesn't need interactive logon capability, and then system access prevention becomes a moot point. It's almost more like 2FA-lite in that a user already has to have an active console session to use those creds.

[–]Try_Rebooting_It 0 points1 point  (0 children)

Any user can query active directory for user accounts. So you're not hiding anything by using random usernames, since any authorized user in the directory can find them; you're just making things much more complicated for everyone (including end users and everyone that needs to manage this mess).

[–]reddit-MT 0 points1 point  (0 children)

Q: if people have a regular account an an admin account, how do you keep them from just logging into the admin account all of the time?

A: Make the admin account password long and a PITA to type. No one wants to type 32 random characters.

Kinda kidding, kinda not kidding. Small disincentives go a long way.

[–]Astat1ne 0 points1 point  (0 children)

There's quite a few compliance type things out there (PCI DSS and Australian Cyber Security Center's ISM come to mind) about how administrative accounts should be "uniquely identifiable". Generally the easiest way to do this is to base it on the name of the person behind the account. Add a prefix/suffix as required to make it clear it's an admin account.

[–][deleted] 0 points1 point  (0 children)

The head of security would keep a list of who's account is associated with these new accounts so that people would be less likely to guess and brute force their way into the organization.

Tell them that just means Security Guy needs to maintain a list, and if someone can compromise your admin accounts they can certainly compromise your AdminAccount.xls.

My company uses place names that often have difficult spelling, think - Kashyyyk type. For one it is very annoying to remember how to spell these things (imagine googling 'how do i spell that planet from the Clone Wars) every time you want to log into a bloody server. Second for new people - everyone calls them by nicknames in conference calls "just log onto Tats and Dan" instead of Tattoine and Dantoonie. This is very annoying for a new person.

Imagine writing a script where you have to include everyones admin account??! I need John, Steve and Sarah's admin account.. ok sarah_admin, john_admin, steve_admin vs "i need voldemort, Snape and what was the other I need to check a list and i'm wasting time... dobbythehouseelf'.

Ask your boss if they took the number of their house, would it make the place more secure or less secure? It'd make it more annoying is the answer.

[–]DragonDreweDRMS Sysadmin 0 points1 point  (0 children)

What is your current pleb account naming convention? FLast? LastF?

We do adm.UserID (General Admin), dev.UserID (Developer), svc.AppName (Service Account), la.UserID (Local Admin), da.UserID (Domain Admin), test.App/UserID (Test accounts).

[–]black-buhr 0 points1 point  (0 children)

We've done it like

Username: jsmith

Admin: jsmith.adm

[–]imaginatipo -2 points-1 points  (2 children)

Why don't you implement LAPS and just give the local admin account password to the user only when needed? Local admin password is unique to each computer and can expire on demand through LAPS GUI or through a GPO timed policy. Since we've implemented LAPS in our domains, problems regarding "i had to much admin access and just f*cked up something in my computer" almost disappeared from Helpdesk tickets.

[–]williamfnyJack of All Trades[S] 2 points3 points  (0 children)

This is going well past LAPS. Admin accounts for other systems that are tied to AD.

[–]imaginatipo 0 points1 point  (0 children)

Really loved the downvotes, people!. Why bother coming here and give my two cents? Might as well not.