Security by obscurity is an important part of any security defense in depth plan. For example, most secure organizations do not publish RDP servers on the default RDP port of TCP port 3389. Instead, they use another high-numbered port that is unlikely to be scanned in an attacker’s attempt to find potentially vulnerable RDP servers.
Even more useful is to combine security through obscurity with misdirection. For example, a number of tools enable a machine to listen on a specific port, but once a connection is established to that port, there is no service behind it that can be leveraged to attack the computer. The connection to TCP 3389 turns into a dead end, while legitimate connections made to another machine listening on the alternate RDP port work just fine.
Security through obscurity and misdirection are helpful because they cause your attacker to waste time and effort. They also help reduce the risk of falling victim to automated attacks. The goal is to frustrate the attacker or the automated exploit so that it moves on to more pliant victims.
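The dead-end listener described above, as an added example that is not one of the tools the post refers to: a decoy that accepts a connection on a port such as TCP 3389, records the source address for the defender's logs, sends no banner and closes immediately, so a scanner learns nothing and gets nothing to interact with. The host, the use of an ephemeral port in the demo and the in-memory log are assumptions for the example.

```python
"""Decoy (dead-end) listener: accepts connections and immediately closes
them while recording who connected. Added example, not the author's tool.
Assumed deployment: run on the legacy port (e.g. TCP 3389) while the real
RDP service lives on another machine/port."""
import socket
import threading
import time
from typing import List, Tuple

Event = Tuple[float, str, int]   # (timestamp, source address, source port)


def _serve(listener: socket.socket, log: List[Event], stop: threading.Event) -> None:
    listener.settimeout(0.2)          # wake periodically to check the stop flag
    while not stop.is_set():
        try:
            conn, (addr, port) = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        # Record the hit, then drop the connection without sending a banner
        # or reading a request: there is nothing here to interact with.
        log.append((time.time(), addr, port))
        conn.close()
    listener.close()


def start_decoy(host: str, port: int, log: List[Event], stop: threading.Event) -> int:
    """Bind a decoy listener and serve it on a background thread.
    Returns the bound port (useful when port 0 is requested, as in the demo)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(16)
    bound_port = listener.getsockname()[1]
    worker = threading.Thread(target=_serve, args=(listener, log, stop), daemon=True)
    worker.start()
    return bound_port


def probe(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect the way a port scanner would and return whatever the peer
    sends before closing (b'' for a decoy that offers no service)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b"<timeout>"


def demo() -> Tuple[bytes, int]:
    """Run the decoy on an ephemeral localhost port, hit it once and return
    (bytes the client received, number of hits the decoy logged)."""
    log: List[Event] = []
    stop = threading.Event()
    port = start_decoy("127.0.0.1", 0, log, stop)
    data = probe("127.0.0.1", port)   # the log entry is appended before the close
    stop.set()
    return data, len(log)


if __name__ == "__main__":
    received, hits = demo()
    print(f"client received {received!r}; decoy logged {hits} hit(s)")
```

Because the entry is appended before the socket is closed, every connection that the client sees closed is already in the log; in a real deployment the log list would be replaced by writing to the event log or a SIEM, which is where the detection value of a decoy port lies.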
However, there are times when security through obscurity doesn’t provide any added value. The classic example is that of renaming the Administrator account. While you’ll see the recommendation in a large number of books and treatises on network security, and even in the Microsoft operating system hardening guides, the relative security benefit gained by renaming the Administrator account is just about nil.
Why? Because what you want to do is prevent an attacker from logging on as Administrator. In order to log on as Administrator, the attacker needs to know the password. The real security is in the complexity of the password. Any complex password including mixed-case letters, symbols and numbers that is at least 16 characters long will never be broken with an over-the-network attack.
(Note that I’m not addressing the case where someone has physical access to the computer and tries to perform an offline attack — in that case you need to use BitLocker or some other disk encryption tool to prevent attacks against the Administrator account.)
Complex passwords (I prefer not to use the term passphrase, because the term “passphrase” implies that the password has to have some sort of linguistic meaning, which of course it does not) are easy to create. One standard method I use combines a zip code, a phone number and a birth date, with the leftmost entry being your first initial in lower case and the rightmost character being your last initial in upper case. For example:
There you go — a 29-character password that’s ridiculously easy to remember. Of course, you can change the order, and make it birthday, zip code and then phone number, and you can make it even better by separating each element with a character of your choice, such as ^
It would take more time than the universe is assumed to have been in existence to break that password using current technology. So what value is there in changing the name of the Administrator account? None; in fact, changing the name of the Administrator account adds to administrative overhead.
Renaming the admin account is a classic example of something that sounds like a good idea, but when you look at the overall security gains, you find that all you’ve accomplished is an increase in administrative overhead without making any realistic improvement in your overall security posture.
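To put numbers behind the "longer than the universe has existed" argument, here is an added brute-force cost estimator (not from the original post). It costs a password by the size of the alphabet an attacker would actually have to try and the length, at an assumed guess rate; the rates used in the demo (1,000 guesses/s for an over-the-network attack, 10^9/s as a generous offline figure) and the 13.8 billion year age of the universe are assumptions for the example.

```python
"""Brute-force cost estimator. Added example, not the author's method.
Treats every character as uniformly random over the chosen alphabet, so
a structured password should be costed with the alphabet the attacker
would really try (digits only, for a zip/phone/date construction)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 13.8e9          # assumed, commonly cited estimate
PRINTABLE_ASCII = 95                 # mixed case, digits and symbols
DIGITS = 10


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords an exhaustive search must consider."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Equivalent key strength in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def universe_ages(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Same figure expressed as multiples of the (assumed) age of the universe."""
    return years_to_exhaust(length, alphabet_size, guesses_per_second) / UNIVERSE_AGE_YEARS


def report(length: int, alphabet_size: int, guesses_per_second: float) -> str:
    return (f"{length} chars over {alphabet_size}-symbol alphabet: "
            f"{entropy_bits(length, alphabet_size):.1f} bits, "
            f"{years_to_exhaust(length, alphabet_size, guesses_per_second):.3g} years "
            f"at {guesses_per_second:.0e} guesses/s "
            f"({universe_ages(length, alphabet_size, guesses_per_second):.3g} universe ages)")


if __name__ == "__main__":
    ONLINE, OFFLINE = 1e3, 1e9        # assumed guess rates
    print(report(8, PRINTABLE_ASCII, ONLINE))     # short complex password, network attack
    print(report(8, PRINTABLE_ASCII, OFFLINE))    # same password, offline attack: under a year
    print(report(16, PRINTABLE_ASCII, OFFLINE))   # the post's 16-char threshold
    print(report(29, DIGITS, OFFLINE))            # 29 chars costed as digits only
```

Two things fall out of the numbers. First, eight complex characters are exhausted in well under a year at the offline rate, which is why the length threshold matters more than the account name. Second, even if the attacker knew the 29-character password was built from digits and costed it as digits only, the exhaustive search at 10^9 guesses/s still runs to hundreds of universe ages, which is the point the post is making; what the estimator does not model is an attacker who narrows the digit fields to valid zip codes, area codes and dates, so the separator characters and reordering the post suggests are worth keeping.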
For an in depth discussion on this issue, check out The Great Debate: Security by Obscurity at http://technet.microsoft.com/en-us/magazine/cc510319.aspx
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP – Microsoft Firewalls (ISA)