RE: Restricting the change of the local administrator account password.

From: Stocker, Joe (joesto_at_safeco.com)
Date: 05/05/04

    To: "'Wolf, Glenn'" <glenn.wolf@we-inc.com>, focus-ms@securityfocus.com
    Date: Wed, 5 May 2004 14:42:05 -0700
    
    

    By the way, don't try that linux-based boot disk on a Win2k domain
    controller - it makes the machine blue screen on start-up. It works on
    everything else though.

    -----Original Message-----
    From: Wolf, Glenn [mailto:glenn.wolf@we-inc.com]
    Sent: Wednesday, May 05, 2004 10:09 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Restricting the change of the local administrator account
    password.

    By the way, a user with no Administrative privileges (but who has physical
    access to the machine) can change the local Administrator password anyway
    through a nifty little Linux-based boot disk:

    http://home.eunet.no/~pnordahl/ntpasswd/

    It boots up, and among other things, allows the user to reset any local user
    password (including Administrator or renamed Administrator).

    Glenn

    -----Original Message-----
    From: marco2 [mailto:marco2@neovalens.com]
    Sent: Wednesday, May 05, 2004 8:04 AM
    To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
    Subject: RE: Restricting the change of the local administrator account
    password.

    Hi Jason

    A user with Administrative privileges has full control of all local users
    and groups -- and there is nothing you can do. Longhorn *may* help as it
    will introduce the "Protected Administrator" which, when enabled, will allow
    you to have pseudo-administrators, and full administrative privileges only
    for applications you have blessed (by means of signed deployment manifest).

    Applications which have not been explicitly authorized will run with a
    restricted token, and that token will be used to prevent a number of actions
    such as writing the Program Files tree, writing to the HKEY_LOCAL_MACHINE
    and so on.

    I do not have the full list (but I'd love to see it!) and hence I don't know
    whether changing passwords locally is in or not.

    Keith Brown published an interesting article on the subject:
    http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp

    The only solution I know of is not to grant administrative privileges in the
    first place.

    For those interested, our company has developed something very similar to
    the Protected Administrator for Windows 2000/XP/2003 which allows you to run
    only selected applications under elevated privileges under the un-privileged
    user account (we change the privs of the user on the fly).

    The reason I mention our solution is because next Monday we will release a
    "free for home use" version valid for up to five computers.

    You can already grab it now from www.neovalens.com, the free license will
    follow. Just mention FREE in the organization field.

    Cheers,

            Marco
     

    -----Original Message-----
    From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
    Sent: Wednesday, May 05, 2004 4:34 PM
    To: focus-ms@securityfocus.com
    Subject: Restricting the change of the local administrator account password.

    Hi All,

    I've come across quite an interesting problem. Currently I have an
    environment split into categories such as application management, OS
    management etc. on the Windows 2000 and 2003 platforms. On the application
    side we get requests from application administrators to get full
    administrative rights on the system, which is accepted on domain accounts.

    However, should this user decide to change the local administrator account
    under Windows then there is nothing to restrict them doing so, as far as I can see.
    This in essence causes an issue where the OS team builds the system with a
    renamed admin account and a specific password. This isn't disabled as it is
    relied on should the domain become unavailable and access is still required.

    So my question to you all is as follows: how do I restrict the ability to
    change the local administrator password, even at the level of a domain
    account specified as administrator in the local group? Is there a setting in
    Windows that can be turned on so that without knowing what the password is
    the change cannot be made unless you type in the old password, new password,
    and its confirmation?

    Regards

    Jason.
