TechNet Approaches the "Security through Obscurity" Debate
In this month's TechNet Magazine, Jesper Johansson and Roger Grimes take opposite sides of the great IT debate on security through obscurity. They focus much of their attention in the article on the old "should you rename the Administrator account" argument. The article is a great read. Check it out here.
But what's more telling about the argument has only a portion to do with actually renaming the Administrator account. It deals more with the problems of focusing on "stupid security" instead of "important security".
When thinking of this issue, I like to consider the analogy of going through the airport security lines these days. In the old days, airport security personnel were laser focused on making sure you aren't bringing weapons onto an airplane. Weapons in those days were arguably easy to find: Knives look like knives, guns look like guns, and explosives usually have an explosive look to them as well.
But these days, due to decisions made by individuals at certain levels of government, we've got airport security looking for liquids. They're scanning bags to make sure you took your little soap bottles out before sending them through. Their original focus has been diluted away from the "high-risk" threats to a wide spread of "low-risk" ones. If you're like me, you probably wonder how they can keep a focus with that many extraneous things to watch out for.
This analogy holds true in the TechNet article. There are a lot of companies that are so concerned with security and baselines that they lose sight of what they're actually attempting to protect. Renaming the Administrator account adds one tiny extra secret for a would-be attacker to find out. But that Administrator account will always have a RID of 500. With most successful attacks involving some form of social hacking, obtaining this information requires very little work.
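To see how little the rename actually hides, here is an added PowerShell check (not from the TechNet article or this post) that identifies the built-in Administrator account on a local machine by its RID rather than by its name. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser); the two accounts at the bottom are constructed sample data so the function can be exercised without touching the real SAM.

```powershell
# Added example: audit helper that finds the built-in Administrator account by
# its relative identifier (RID 500) regardless of what it has been renamed to.
# Assumes Get-LocalUser (Windows PowerShell 5.1+ on Windows).

function Get-AccountRid {
    param([Parameter(Mandatory)][string] $Sid)
    # The RID is the final sub-authority of the SID string, e.g. S-1-5-21-...-500 -> 500.
    return [int] ($Sid -split '-')[-1]
}

function Find-BuiltinAdministrator {
    param(
        # Any objects exposing Name, SID and Enabled; defaults to the local SAM.
        [object[]] $Accounts = (Get-LocalUser)
    )
    foreach ($acct in $Accounts) {
        if ((Get-AccountRid -Sid $acct.SID.ToString()) -eq 500) {
            return [pscustomobject]@{
                Name    = $acct.Name
                SID     = $acct.SID.ToString()
                Enabled = $acct.Enabled
                Renamed = ($acct.Name -ne 'Administrator')
            }
        }
    }
}

# Constructed sample data standing in for Get-LocalUser output on a host where
# the built-in account was renamed and a decoy named "Administrator" was created.
$sampleAccounts = @(
    [pscustomobject]@{ Name = 'srvadmin';      SID = 'S-1-5-21-1111111111-2222222222-3333333333-500';  Enabled = $true }
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001'; Enabled = $true }
)

# Against the sample, this returns the 'srvadmin' row with Renamed = True;
# run it without -Accounts to audit the machine you are on.
Find-BuiltinAdministrator -Accounts $sampleAccounts
```

Running this across a fleet tells you, in one pass, which hosts have renamed the account and which still have it enabled; that inventory is the useful output of the exercise, since the name itself protects nothing once the RID is known.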
What it does do is increase the overhead of managing your systems. If you're spending large quantities of time renaming each server's Administrator account to a unique name and password, then you're spending time administratively dealing with a low-risk and low-value threat. That time could be better spent on higher-value risk mitigation. Additionally, when you add complexity to the network, you reduce your agility in resolving problems when they occur (e.g., when a problem hits that server, you've got to search to find the Administrator username and password just like the hacker).
So, definitely take a look at the article. What I see as necessary in today's IT marketplace is a reconfiguration of what we think of as "security". With so many organizations willing to sell you products, and so many using that "boogeyman" approach to doing so, we've become excessively afraid of low-impact problems and not afraid enough of the high-impact ones (like someone walking in the front door and asking for a password as a means of social hacking).
Sometimes the best security is simply a better-educated workforce. Heck, if you're doing the training yourself, it's definitely less expensive than any product on the market.