To catch an attacker, both the administrator and the organization need to be prepared. That preparation can take a few different forms. One option is a honeypot: a portion of the environment set up to look valuable so that the attacker is lured into interacting with it. The honeypots described here are monitored, and alerts go out as soon as an attacker tries to leverage them.
For our first honeypot, we are going to use the most sought-after account in Active Directory as the lure. Of course, we are talking about the built-in Administrator account. This account cannot be deleted, so it is a frequent target. The key to this honeypot is to ensure the attacker believes the decoy account is the legitimate, active one.
Note: No honeypot is foolproof! Whatever you set up, a sufficiently sophisticated attacker can tell a decoy from the real thing. In this case, the built-in account keeps its well-known relative identifier (RID 500) no matter what it is called, so anyone who can enumerate SIDs in the domain can still find it. That is why we set up numerous honeypots: they catch attackers who are careful about most security-related details, but not all of them.
In this instance, we are going to keep the built-in Administrator account enabled, but hide it as well as we can. Here’s what you need to do to the Administrator account:
Rename the account: It’s a good idea to name the account like any other user account. That means giving it a real name, like Tom Adams, with a username that matches your naming convention, say “tadams.”
Remove description: Next, you want to remove the default description for the built-in Administrator, which is “Built-in account for administering the computer/domain.”
Create user account named Administrator: Now that the built-in Administrator account is renamed, you can create a user account named “Administrator.” Make it an ordinary user with no group memberships beyond Domain Users and no delegated rights, so that a successful guess of its password gives the attacker nothing but an alert.
New Administrator description: Give the new Administrator the description of the built-in Administrator (“Built-in account for administering the computer/domain”).
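The four steps above as one script, added here as an example and not code from the original post. It uses the ActiveDirectory PowerShell module and must run as a Domain Admin on a domain controller or an RSAT host; the person name, the “tadams” username and the decoy’s random password are assumptions, and the real account is located by its SID (domain SID plus RID 500) rather than by name, so the script works even if the account was renamed earlier. Test it in a lab before touching production.

```powershell
# Added example, not code from the original post: carries out the four steps
# above with the ActiveDirectory module, running as a Domain Admin. The person
# name, "tadams" and the decoy's random password are assumptions.
Import-Module ActiveDirectory

$NewSam      = 'tadams'        # assumption: matches your naming convention
$GivenName   = 'Tom'
$Surname     = 'Adams'
$DecoySam    = 'Administrator'
$BuiltinDesc = 'Built-in account for administering the computer/domain'

$domain = Get-ADDomain

# Steps 1 and 2: find the real built-in Administrator by its SID (domain SID
# plus the well-known RID 500) rather than by name, rename it to fit the
# naming convention, and clear the default description that gives it away.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Description
Set-ADUser -Identity $builtin `
    -SamAccountName $NewSam `
    -UserPrincipalName "$NewSam@$($domain.DNSRoot)" `
    -GivenName $GivenName -Surname $Surname `
    -DisplayName "$GivenName $Surname" `
    -Clear Description
Rename-ADObject -Identity $builtin.DistinguishedName -NewName "$GivenName $Surname"

# Step 3: create the decoy. It is a plain user in Domain Users only; never grant
# it rights or group memberships. A long random password means a lucky guess
# still buys the attacker nothing but an alert.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$decoyPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Step 4: give the decoy the built-in account's stock description so it looks untouched.
New-ADUser -Name $DecoySam `
    -SamAccountName $DecoySam `
    -UserPrincipalName "$DecoySam@$($domain.DNSRoot)" `
    -Description $BuiltinDesc `
    -AccountPassword $decoyPassword `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true

# Verify: the renamed account must still own RID 500 and the decoy must not.
$NewSam, $DecoySam | ForEach-Object { Get-ADUser -Identity $_ -Properties Description } |
    Select-Object SamAccountName, Description, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
```

The final query is the check worth keeping: if the row for “tadams” does not show RID 500, you renamed the wrong account, and if the decoy shows any group membership besides Domain Users, it is not a decoy any more.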
Next, make sure to configure monitoring of failed and successful logons for the new Administrator account. You will need the built-in Auditing or Advanced Audit Policy enabled on your domain controllers, at minimum the Logon, Kerberos Authentication Service and Credential Validation subcategories; the events to watch are 4624 and 4625 (logon success and failure), 4768 and 4771 (Kerberos TGT requested and pre-authentication failed) and 4776 (NTLM credential validation). Windows will record these events, but searching them across every domain controller and alerting on them in real time when this account is “touched” takes additional tooling. If you use ADAudit Plus, you can monitor, search, analyze, and alert when this honeypot is triggered; its documentation covers how to configure those alerts.
Now that you’ve created a honeypot out of the new Administrator account, we also suggest you set up an alert for the renamed real account (i.e. tadams). This account should not be used unless there is an emergency, so any use of it, legitimate or not, should be logged and reviewed. Even when the usage turns out to be legitimate, it’s important to know whenever someone logs on, or tries to log on, with this account.
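The monitoring described in the two paragraphs above, as an added example that is not code from the original post or from ADAudit Plus: it reads the logon-related Security events for the decoy “Administrator” and the renamed real account from one domain controller and raises an e-mail alert when the decoy is touched. The account names, the 24-hour lookback window and the mail addresses and SMTP relay are assumptions. Each DC only logs the authentications it handled, so run it on every DC (or point Get-WinEvent at them with -ComputerName), and make sure the audit subcategories named above are enabled or the log will simply be empty.

```powershell
# Added example, not code from the original post: pulls logon-related Security
# events for the decoy and the renamed real account from the local DC.
# Account names, lookback window and mail settings are assumptions.
$Watched = @('Administrator', 'tadams')
$Since   = (Get-Date).AddHours(-24)

# 4624 logon succeeded, 4625 logon failed, 4768 Kerberos TGT requested,
# 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4768, 4771, 4776
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the EventData fields by name; TargetUserName names the account in all five events.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($Watched -notcontains $data['TargetUserName']) { continue }   # -notcontains ignores case

    $status  = $data['Status']
    $outcome = switch ($e.Id) {
        4624 { 'success' }
        4625 { 'failure' }
        4771 { 'failure' }
        default { if ($status -eq '0x0') { 'success' } else { 'failure' } }  # 4768 and 4776 carry a result code
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $data['TargetUserName']
        Source  = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }  # 4776 uses Workstation
        Outcome = $outcome
        Status  = $status
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# Any touch of the decoy is an incident. Activity on the real account is rare
# by policy and needs a human to confirm it was planned, so it is listed above
# but not mailed automatically here.
$decoyHits = @($hits | Where-Object Account -eq 'Administrator')
if ($decoyHits.Count -gt 0) {
    $body = $decoyHits | Format-List | Out-String
    # assumption: replace the addresses and SMTP relay with your own
    Send-MailMessage -To 'soc@example.com' -From 'honeypot@example.com' `
        -Subject "Honeypot: $($decoyHits.Count) event(s) for decoy Administrator" `
        -Body $body -SmtpServer 'smtp.example.com'
}
```

Schedule it as a task on each domain controller, or replace the Send-MailMessage block with whatever your alerting pipeline consumes; the value is in the Source column, which tells you which host is spraying passwords at an account that no legitimate process should ever use.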
With these two honeypots in place, you will get immediate email alerts when anyone tries to log on to either of these user accounts, giving you early warning of an attacker probing for privileged access instead of a silent compromise.