RE: Restricting the change of the local administrator account password.

From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 05/06/04

  • Next message: Max: "Restricting the change of the local administrator account password."
    Date: Wed, 05 May 2004 18:26:36 -0400
    To: Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net>, focus-ms@securityfocus.com

    You cannot prevent this, but you can create a script that will change
    the password to a known value. This way even if they change the
    password, you just change it back. Another option is to create a policy
    that prevents them from doing so. If they disobey the policy they lose
    admin rights.

    Denny

    -----Original Message-----
    From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
    Sent: Wednesday, May 05, 2004 12:17 PM
    To: focus-ms@securityfocus.com
    Subject: Re: Restricting the change of the local administrator account
    password.

    On 2004-05-05 ddraiggoch@coldyne.com wrote:
    > I've come across quite an interesting problem, currently I have an
    > environment split into categories such as application management, OS
    > management etc on the Windows 2000 and 2003 platforms. On the
    > application side we get requests from application administrators to
    > get full administrative rights on the system which is accepted on
    > domain accounts.
    >
    > However, should this user decide to change the local administrator
    > account under Windows then there is nothing to restrict them doing so
    > as I can see. This in essence causes an issue where the OS team builds
    > the system with a renamed admin account, and a specific password. This
    > isn't disabled as it is relied on should the domain become unavailable
    > and access is still required.
    >
    > So my question to you all is as follows, how do I restrict the ability
    > to change the local administrator password, even at the level of a
    > domain account specified as administrator in the local group. Is there
    > a setting in Windows that can be turned on so that without knowing
    > what the password is the change cannot be made unless you type in the
    > old password, new password, and its confirmation?

    I doubt that there is a way of doing so. Even if you were able to remove
    the change-password privilege from that specific user account, he could
    easily regain it. Local administrators are able to acquire every right
    on the local system.

    Regards
    Ansgar Wiechers
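The "change it back" approach from the reply above, as an added example that is not part of the original posting or of any product the thread names. It is a PowerShell script meant to run unattended (for instance as a scheduled task under SYSTEM) that finds the built-in Administrator by its well-known RID 500, so it still works when the OS team has renamed the account, checks whether the password still matches the known value, and only resets it when it has drifted. The blob path `C:\ProgramData\admin-pw.txt` and the event source name `AdminPwReset` are assumptions; the known password is expected to have been stored beforehand with `ConvertFrom-SecureString` by the same account, so DPAPI binds it to that account rather than leaving it in clear text in the script.

```powershell
# Added example (not from the list posting): revert the built-in local
# Administrator password to the value the OS team set.
# Assumptions: runs as SYSTEM via a scheduled task; the known password was
# stored earlier by that same account with
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\ProgramData\admin-pw.txt
# and the event source was registered once with
#   New-EventLog -LogName Application -Source AdminPwReset
param(
    [string]$PasswordBlobPath = 'C:\ProgramData\admin-pw.txt'   # assumed location
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Locate the built-in Administrator by RID 500 rather than by name, so a
# renamed account (as in the thread) is still found.
function Get-BuiltinAdministrator {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
        if ($sid.Value -like 'S-1-5-21-*-500') { return $child }
    }
    throw 'Built-in Administrator account not found'
}

# Test the current password against the machine SAM without changing anything.
function Test-LocalPassword([string]$Name, [string]$Plain) {
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try { return $ctx.ValidateCredentials($Name, $Plain) } finally { $ctx.Dispose() }
}

# Decrypt the DPAPI-protected blob; the clear text exists only for this run.
$secure = Get-Content $PasswordBlobPath | ConvertTo-SecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$admin = Get-BuiltinAdministrator
$name = $admin.Name

if (Test-LocalPassword -Name $name -Plain $plain) {
    Write-Output "$name password unchanged; nothing to do"
} else {
    # Drift detected: someone changed it. Reset it and leave an audit trail
    # so the policy side of the reply (loss of admin rights) can be enforced.
    $admin.SetPassword($plain)
    $admin.SetInfo()
    Write-Output "$name password had been changed; reset to the known value"
    Write-EventLog -LogName Application -Source AdminPwReset -EntryType Warning -EventId 1 `
        -Message "Local account $name password was reset by the enforcement task"
}
```

The script reverts a change; it does not prevent one, which is the point made in the reply below it. A local administrator can also stop the scheduled task or read the task definition, so the task should run as SYSTEM with its definition writable only by the OS team, and the Application log event is what lets you notice who changed the password and apply the policy consequence rather than silently fighting over it.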

