Active Directory, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2012

Active Directory Security Hardening: Domain Admin Honeypot

Rename the account
It’s a good idea to name the account like any other user account. That means giving it a real name, like Johnny Cash, with a username that matches your naming convention, say “jcash.”

Remove description
Next, you want to remove the default description for the built-in Administrator, which is “Built-in account for administering the computer/domain.”

Create user account named Administrator
Now that the built-in Administrator account is renamed, you can create a user account named “Administrator.”

New Administrator description
Give the new Administrator the description of the built-in Administrator (“Built-in account for administering the computer/domain”).

Configure monitoring of failed and successful logons
Next, configure monitoring of failed and successful logons for the new Administrator account. To do this, you will need to configure the built-in Auditing or Advanced Auditing. You will also need a tool to help you search and alert when this account is “touched,” which is not possible with any Microsoft built-in tool.

Set up an alert for the renamed Administrator account
Now that you’ve created a honeypot with your new Administrator account, we also suggest you set up an alert for the renamed built-in Administrator account (i.e., jcash).
This account should not be used unless there is an emergency, so any use of it should trigger an alert and be tracked. While the account usage may be legitimate, it’s still important to be aware of when someone logs on, or tries to log on, to this account.

With these two honeypots, you will now get immediate email alerts when anyone tries to log on to either of these user accounts, and your network will be prepared and secure.
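
The account and auditing steps above can be scripted with the ActiveDirectory PowerShell module; this is an added example, not part of the original article. It assumes the decoy is enabled with a random password and no extra group memberships, is created in the default Users container, and that the three audit subcategories shown are the ones wanted.

```powershell
# Added example. Run as a Domain Admin on a host with the RSAT ActiveDirectory module.
# Assumptions (not from the article): decoy enabled, random password, default groups only.
Import-Module ActiveDirectory

$realName    = 'Johnny Cash'   # example names used in the article
$realSam     = 'jcash'
$defaultDesc = 'Built-in account for administering the computer/domain'

# 1. Locate the built-in Administrator by its well-known RID (500), not by name,
#    so the right object is found even if it has been renamed before.
$domain  = Get-ADDomain
$rid500  = "$($domain.DomainSID.Value)-500"
$builtin = Get-ADUser -Identity $rid500

# 2. Make it look like an ordinary user and remove the default description.
Set-ADUser -Identity $builtin -SamAccountName $realSam -DisplayName $realName `
    -GivenName 'Johnny' -Surname 'Cash' -Clear description
Rename-ADObject -Identity $builtin.DistinguishedName -NewName $realName

# 3. Create the decoy "Administrator" carrying the description the built-in used to have.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name 'Administrator' -SamAccountName 'Administrator' `
    -Description $defaultDesc -AccountPassword $pw -Enabled $true `
    -Path $domain.UsersContainer

# 4. Audit successful and failed logons. auditpol only changes the machine it runs on;
#    in a domain the same subcategories are normally set through a GPO that applies
#    to every domain controller.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# 5. Verify: the decoy must not hold RID 500 or belong to any privileged group.
$decoy = Get-ADUser -Identity 'Administrator' -Properties MemberOf
[pscustomobject]@{
    DecoySid       = $decoy.SID.Value
    DecoyIsRid500  = $decoy.SID.Value.EndsWith('-500')   # expected: False
    DecoyGroupCount = @($decoy.MemberOf).Count           # expected: 0 (primary group not listed)
    RealAdminSam   = (Get-ADUser -Identity $rid500).SamAccountName
}
```

Both sAMAccountNames, Administrator and jcash, are the values to give the alerting tool as watched accounts.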