RE: Restricting the change of the local administrator account password.

From: marco2 (marco2_at_neovalens.com)
Date: 05/05/04

  • Next message: Ansgar -59cobalt- Wiechers: "Re: Restricting the change of the local administrator account password."
    Date: Wed, 5 May 2004 17:04:13 +0200
    To: <ddraiggoch@coldyne.com>, <focus-ms@securityfocus.com>

    Hi Jason

    A user with Administrative privileges has full control of all local
    users and groups -- and there is nothing you can do. Longhorn *may* help,
    as it will introduce the "Protected Administrator" which, when enabled,
    will allow you to have pseudo-administrators, and full administrative
    privileges only for applications you have blessed (by means of a signed
    deployment manifest).

    Applications which have not been explicitly authorized will run with a
    restricted token, and that token will be used to prevent a number of
    actions such as writing to the Program Files tree, writing to
    HKEY_LOCAL_MACHINE and so on.

    I do not have the full list (but I'd love to see it!) and hence I don't
    know whether changing passwords locally is in or not.

    Keith Brown published an interesting article on the subject:
    http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp

    The only solution I know of is not to grant administrative privileges in
    the first place.

    For those interested, our company has developed something very similar
    to the Protected Administrator for Windows 2000/XP/2003 which allows you
    to run only selected applications under elevated privileges under the
    un-privileged user account (we change the privs of the user on the fly).

    The reason I mention our solution is because next Monday we will release
    a "free for home use" version valid for up to five computers.

    You can already grab it now from www.neovalens.com, the free license
    will follow. Just mention FREE in the organization field.

    Cheers,

            Marco

    -----Original Message-----
    From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
    Sent: Wednesday, May 05, 2004 4:34 PM
    To: focus-ms@securityfocus.com
    Subject: Restricting the change of the local administrator account
    password.

    Hi All,

    I've come across quite an interesting problem. Currently I have an
    environment split into categories such as application management, OS
    management etc. on the Windows 2000 and 2003 platforms. On the
    application side we get requests from application administrators to get
    full administrative rights on the system, which is accepted on domain
    accounts.

    However, should this user decide to change the local administrator
    account under Windows then there is nothing to restrict them doing so as
    far as I can see. This in essence causes an issue where the OS team builds
    the system with a renamed admin account and a specific password. This
    isn't disabled as it is relied on should the domain become unavailable
    and access is still required.

    So my question to you all is as follows: how do I restrict the ability
    to change the local administrator password, even at the level of a
    domain account specified as administrator in the local group? Is there a
    setting in Windows that can be turned on so that, without knowing what
    the password is, the change cannot be made unless you type in the old
    password, new password, and its confirmation?

    Regards

    Jason.
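Since, as Marco says, a local administrator cannot be prevented from resetting that password, the practical control is to detect it. The PowerShell below is an added example, not code from the thread or from neovalens; it assumes a current Windows host with Windows PowerShell 5.1 (for Get-LocalUser) and the "Audit User Account Management" subcategory enabled so that events 4723/4724 reach the Security log, and the baseline date is a placeholder.

```powershell
# Added example (not from the thread): since an administrator cannot be stopped
# from resetting the local Administrator password, detect it instead.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser) and that "Audit User Account
# Management" is enabled so events 4723/4724 are written to the Security log.

# The built-in Administrator keeps RID 500 even when renamed, so match on the SID,
# not on whatever name the OS team gave the account.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator (RID 500) not found.' }

Write-Host ("Built-in admin is named '{0}', PasswordLastSet = {1}" -f `
    $builtinAdmin.Name, $builtinAdmin.PasswordLastSet)

# Compare against the date recorded when the box was built (placeholder value).
$baselinePasswordSet = [datetime]'2004-05-01'
if ($builtinAdmin.PasswordLastSet -gt $baselinePasswordSet) {
    Write-Warning 'Built-in Administrator password was changed after the build baseline.'
}

# 4724 = "An attempt was made to reset an account's password" (no old password needed,
# which is exactly what an admin does); 4723 = change attempt that supplied the old one.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name/value table
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only report resets aimed at the RID-500 account
    if ($d['TargetSid'] -eq $builtinAdmin.SID.Value) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            ResetBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target  = $d['TargetUserName']
        }
    }
}
```

Run it from an elevated prompt; reading the Security log requires administrative rights.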

