RE: Restricting the change of the local administrator account password.

From: Miroslaw Slawek Chorazy (mchorazy_at_depaul.edu)
Date: 05/05/04

    Date: Wed, 05 May 2004 16:12:45 -0500
    To: <focus-ms@securityfocus.com>, <glenn.wolf@we-inc.com>
    
    

    this is possible if you have not implemented a change in the registry
    via policies or manually which any sensible administrator would years
    ago...
     
     slawek

    >>> "Wolf, Glenn" <glenn.wolf@we-inc.com> 5/5/2004 12:09 >>>
    By the way, a user with no Administrative privileges (but who has
    physical access to the machine) can change the local Administrator
    password anyway through a nifty little Linux-based boot disk:

    http://home.eunet.no/~pnordahl/ntpasswd/

    It boots up, and among other things, allows the user to reset any local
    user password (including Administrator or renamed Administrator).

    Glenn

    -----Original Message-----
    From: marco2 [mailto:marco2@neovalens.com]
    Sent: Wednesday, May 05, 2004 8:04 AM
    To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
    Subject: RE: Restricting the change of the local administrator account password.

    Hi Jason

    A user with Administrative privileges has full control of all local
    users and groups -- and there is nothing you can do. Longhorn *may*
    help as it will introduce the "Protected Administrator" which, when
    enabled, will allow you to have pseudo-administrators, and full
    administrative privileges only for applications you have blessed (by
    means of signed deployment manifest).

    Applications which have not been explicitly authorized will run with a
    restricted token, and that token will be used to prevent a number of
    actions such as writing the Program Files tree, writing to the
    HKEY_LOCAL_MACHINE and so on.

    I do not have the full list (but I'd love to see it!) and hence I
    don't know whether changing passwords locally is in or not.

    Keith Brown published an interesting article on the subject:
    http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp

    The only solution I know of is not to grant administrative privileges
    in the first place.

    For those interested, our company has developed something very similar
    to the Protected Administrator for Windows 2000/XP/2003 which allows
    you to run only selected applications under elevated privileges under
    the un-privileged user account (we change the privs of the user on the
    fly).

    The reason I mention our solution is because next Monday we will
    release a "free for home use" version valid for up to five computers.

    You can already grab it now from www.neovalens.com, the free license
    will follow. Just mention FREE in the organization field.

    Cheers,

        Marco

    -----Original Message-----
    From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
    Sent: Wednesday, May 05, 2004 4:34 PM
    To: focus-ms@securityfocus.com
    Subject: Restricting the change of the local administrator account password.

    Hi All,

    I've come across quite an interesting problem, currently I have an
    environment split into categories such as application management, OS
    management etc on the Windows 2000 and 2003 platforms. On the
    application side we get requests from application administrators to
    get full administrative rights on the system which is accepted on
    domain accounts.

    However, should this user decide to change the local administrator
    account under Windows then there is nothing to restrict them doing so
    as I can see. This in essence causes an issue where the OS team builds
    the system with a renamed admin account, and a specific password. This
    isn't disabled as it is relied on should the domain become unavailable
    and access is still required.

    So my question to you all is as follows, how do I restrict the ability
    to change the local administrator password, even at the level of a
    domain account specified as administrator in the local group. Is there
    a setting in Windows that can be turned on so that without knowing what
    the password is the change cannot be made unless you type in the old
    password, new password, and its confirmation?

    Regards

    Jason.
