RE: Restricting the change of the local administrator account password.

From: marco2 (marco2_at_neovalens.com)
Date: 05/05/04

  • Next message: Stocker, Joe: "RE: Restricting the change of the local administrator account password."
    Date: Wed, 5 May 2004 23:10:08 +0200
    To: "Wolf, Glenn" <glenn.wolf@we-inc.com>, <focus-ms@securityfocus.com>

    Agree: there is not much you can do against a user with physical access
    to a computer. BIOS (boot sequence, & password) needs to be secured too.

    Marco

    -----Original Message-----
    From: Wolf, Glenn [mailto:glenn.wolf@we-inc.com]
    Sent: Wednesday, May 05, 2004 7:09 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Restricting the change of the local administrator account
    password.

    By the way, a user with no Administrative privileges (but who has
    physical access to the machine) can change the local Administrator
    password anyway through a nifty little Linux-based boot disk:

    http://home.eunet.no/~pnordahl/ntpasswd/

    It boots up, and among other things, allows the user to reset any local
    user password (including Administrator or renamed Administrator).

    Glenn

    -----Original Message-----
    From: marco2 [mailto:marco2@neovalens.com]
    Sent: Wednesday, May 05, 2004 8:04 AM
    To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
    Subject: RE: Restricting the change of the local administrator account
    password.

    Hi Jason

    A user with Administrative privileges has full control of all local
    users and groups -- and there is nothing you can do. Longhorn *may* help
    as it will introduce the "Protected Administrator" which, when enabled,
    will allow you to have pseudo-administrators, and full administrative
    privileges only for applications you have blessed (by means of signed
    deployment manifest).

    Applications which have not been explicitly authorized will run with a
    restricted token, and that token will be used to prevent a number of
    actions such as writing the Program Files tree, writing to the
    HKEY_LOCAL_MACHINE and so on.

    I do not have the full list (but I'd love to see it!) and hence I don't
    know whether changing passwords locally is in or not.

    Keith Brown published an interesting article on the subject:
    http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp

    The only solution I know of is not to grant administrative privileges in
    the first place.

    For those interested, our company has developed something very similar
    to the Protected Administrator for Windows 2000/XP/2003 which allows you
    run only selected applications under elevated privileges under the
    un-privileged user account (we change the privs of the user on the fly).

    The reason I mention our solution is because next Monday we will release
    a "free for home use" version valid for up to five computers.

    You can already grab it now from www.neovalens.com, the free license
    will follow. Just mention FREE in the organization field.

    Cheers,

    Marco

    -----Original Message-----
    From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
    Sent: Wednesday, May 05, 2004 4:34 PM
    To: focus-ms@securityfocus.com
    Subject: Restricting the change of the local administrator account
    password.

    Hi All,

    I've come across quite an interesting problem. Currently I have an
    environment split into categories such as application management, OS
    management etc. on the Windows 2000 and 2003 platforms. On the
    application side we get requests from application administrators to get
    full administrative rights on the system, which is accepted on domain
    accounts.

    However, should this user decide to change the local administrator
    account under Windows, then there is nothing to restrict them doing so as
    I can see. This in essence causes an issue where the OS team builds the
    system with a renamed admin account, and a specific password. This isn't
    disabled as it is relied on should the domain become unavailable and
    access is still required.

    So my question to you all is as follows: how do I restrict the ability
    to change the local administrator password, even at the level of a
    domain account specified as administrator in the local group? Is there a
    setting in Windows that can be turned on so that without knowing what
    the password is the change cannot be made unless you type in the old
    password, new password, and its confirmation?

    Regards

    Jason.

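The thread's conclusion is that a member of the local Administrators group cannot be prevented from resetting the local Administrator password, so the practical compensating control is to detect it. The following PowerShell check is an added example written for this page; it is not code from any of the posters or from Neovalens. It locates the built-in Administrator by its well-known RID (500) regardless of what the OS team renamed it to, then pulls the Security log events that record a password set or change on that account, using both the Windows 2000/2003 event IDs (627/628) and their later equivalents (4723/4724). `$LookbackHours` is an assumed parameter name; the script must run elevated on the host being checked.

```powershell
# Added example (not from the thread): report password set/change events on the
# built-in Administrator account, whatever its current name. Assumed to run
# elevated on the local host; $LookbackHours is a placeholder you tune.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# The built-in Administrator keeps RID 500 even after being renamed.
$builtinAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object -First 1

if (-not $builtinAdmin) {
    Write-Warning "Could not locate the RID-500 account on this host."
    return
}

# Account-management audit events for a password being set or changed:
#   628 / 4724 : password reset by another principal (an admin resetting the account)
#   627 / 4723 : password change attempt by the account itself (old password supplied)
# The first two IDs are Windows 2000/2003; the second two are Vista/2008 and later.
$passwordEventIds = 627, 628, 4723, 4724

$hits = Get-EventLog -LogName Security -After $since -ErrorAction Stop |
    Where-Object {
        $passwordEventIds -contains $_.EventID -and
        # Match the target account name inside the event text; the exact field
        # layout differs between the legacy and current message formats.
        $_.Message -match ("(?i)\b" + [regex]::Escape($builtinAdmin.Name) + "\b")
    }

foreach ($e in $hits) {
    [pscustomobject]@{
        Time    = $e.TimeGenerated
        EventID = $e.EventID
        Target  = $builtinAdmin.Name
        # Full text kept so the reviewer can read the Subject/Caller fields
        # and see which principal performed the reset.
        Message = $e.Message
    }
}

if (-not $hits) {
    Write-Output ("No password set/change events for '{0}' in the last {1} hours." -f $builtinAdmin.Name, $LookbackHours)
}
```

Two caveats a practitioner should keep in mind: these events are only written when "Audit account management" (success) is enabled in the local or domain audit policy, so confirm that first, and an offline reset of the kind Glenn describes (booting another OS and editing the SAM) bypasses the running system entirely and therefore leaves no Security log entry at all, which is why the BIOS and boot-order hardening Marco mentions is the only control for that case.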
    
