RE: Restricting the change of the local administrator account password.
From: Stocker, Joe (joesto_at_safeco.com)
Date: 05/05/04
- Previous message: marco2: "RE: Restricting the change of the local administrator account password."
- In reply to: Wolf, Glenn: "RE: Restricting the change of the local administrator account pas sword."
- Next in thread: Bob the Builder: "RE: Restricting the change of the local administrator account pas sword."
To: "'Wolf, Glenn'" <glenn.wolf@we-inc.com>, focus-ms@securityfocus.com
Date: Wed, 5 May 2004 14:42:05 -0700
By the way, don't try that linux-based boot disk on a Win2k domain
controller - it makes the machine blue screen on start-up. It works on
everything else though.
-----Original Message-----
From: Wolf, Glenn [mailto:glenn.wolf@we-inc.com]
Sent: Wednesday, May 05, 2004 10:09 AM
To: focus-ms@securityfocus.com
Subject: RE: Restricting the change of the local administrator account
password.
By the way, a user with no Administrative privileges (but who has physical
access to the machine) can change the local Administrator password anyway
through a nifty little Linux-based boot disk:
http://home.eunet.no/~pnordahl/ntpasswd/
It boots up, and among other things, allows the user to reset any local user
password (including Administrator or renamed Administrator).
Glenn
-----Original Message-----
From: marco2 [mailto:marco2@neovalens.com]
Sent: Wednesday, May 05, 2004 8:04 AM
To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
Subject: RE: Restricting the change of the local administrator account
password.
Hi Jason
A user with Administrative privileges has full control of all local users
and groups -- and there is nothing you can do. Longhorn *may* help as it
will introduce the "Protected Administrator" which, when enabled, will allow
you to have pseudo-administrators, and full administrative privileges only
for applications you have blessed (by means of signed deployment manifest).
Applications which have not been explicitly authorized will run with a
restricted token, and that token will be used to prevent a number of actions
such as writing the Program Files tree, writing to the HKEY_LOCAL_MACHINE
and so on.
I do not have the full list (but I'd love to see it!) and hence I don't know
whether changing passwords locally is in or not.
Keith Brown published an interesting article on the subject:
http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp
The only solution I know of is not to grant administrative privileges in the
first place.
For those interested, our company has developed something very similar to
the Protected Administrator for Windows 2000/XP/2003 which allows you to run
only selected applications under elevated privileges under the un-privileged
user account (we change the privs of the user on the fly).
The reason I mention our solution is because next Monday we will release a
"free for home use" version valid for up to five computers.
You can already grab it now from www.neovalens.com, the free license will
follow. Just mention FREE in the organization field.
Cheers,
Marco
-----Original Message-----
From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
Sent: Wednesday, May 05, 2004 4:34 PM
To: focus-ms@securityfocus.com
Subject: Restricting the change of the local administrator account password.
Hi All,
I've come across quite an interesting problem. Currently I have an
environment split into categories such as application management, OS
management etc. on the Windows 2000 and 2003 platforms. On the application
side we get requests from application administrators to get full
administrative rights on the system, which is accepted on domain accounts.
However, should this user decide to change the local administrator account
under Windows then there is nothing to restrict them doing so as I can see.
This in essence causes an issue where the OS team builds the system with a
renamed admin account, and a specific password. This isn't disabled as it is
relied on should the domain become unavailable and access is still required.
So my question to you all is as follows: how do I restrict the ability to
change the local administrator password, even at the level of a domain
account specified as administrator in the local group? Is there a setting in
Windows that can be turned on so that without knowing what the password is
the change cannot be made unless you type in the old password, new password,
and its confirmation?
Regards
Jason.
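Since the built-in Administrator keeps RID 500 however it is renamed, a reset of that account can at least be detected after the fact even if it cannot be prevented. The following is an added example, not code from anyone in this thread: it scans constructed Windows 2000/2003-style Security log records for event 628 ("User Account password set") against the RID-500 account by callers outside an approved set. The pipe-delimited export format, the account names and the SIDs are assumptions made for the example.

```python
import re

# Constructed sample records in the style of a Windows 2000/2003 Security log
# export (event 628 = "User Account password set", i.e. a reset by another
# account; 627 = "Change Password Attempt" by the user themselves).
# These lines are made up for the example, not real log data.
SAMPLE_LOG = """\
2004-05-05 09:12:01|628|Target Account Name: svcbuild|Target Domain: WKS01|Target Account ID: S-1-5-21-1111-2222-3333-500|Caller User Name: appadmin|Caller Domain: CORP
2004-05-05 09:15:44|627|Target Account Name: jdoe|Target Domain: CORP|Target Account ID: S-1-5-21-1111-2222-3333-1105|Caller User Name: jdoe|Caller Domain: CORP
2004-05-05 10:02:13|628|Target Account Name: svcbuild|Target Domain: WKS01|Target Account ID: S-1-5-21-1111-2222-3333-500|Caller User Name: buildsvc|Caller Domain: WKS01
"""

FIELD_RE = re.compile(r"([A-Za-z ]+): ([^|]+)")


def parse_event(line):
    """Split one pipe-delimited record into a dict of its named fields."""
    parts = line.split("|")
    event = {"time": parts[0], "id": int(parts[1])}
    for part in parts[2:]:
        m = FIELD_RE.fullmatch(part.strip())
        if m:
            event[m.group(1)] = m.group(2).strip()
    return event


def is_builtin_admin(sid):
    """The built-in Administrator keeps RID 500 no matter what it is renamed to."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-500")


def find_admin_resets(log_text, approved_callers):
    """Return (time, caller, target) for 628 events on the RID-500 account by unapproved callers."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["id"] != 628:
            continue
        if not is_builtin_admin(ev.get("Target Account ID", "")):
            continue
        caller = ev.get("Caller User Name", "")
        if caller not in approved_callers:
            alerts.append((ev["time"], caller, ev.get("Target Account Name", "")))
    return alerts


if __name__ == "__main__":
    for when, who, target in find_admin_resets(SAMPLE_LOG, {"buildsvc"}):
        print(f"{when}: {who} reset the password of built-in admin '{target}'")
```

Matching on the SID rather than the account name is what makes this work for a renamed Administrator; the approved set is where the OS team's own build account goes.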