RE: Restricting the change of the local administrator account password.
From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 05/06/04
- Previous message: Stocker, Joe: "RE: Restricting the change of the local administrator account password."
- Maybe in reply to: ddraiggoch_at_coldyne.com: "Restricting the change of the local administrator account password."
- Next in thread: Sergey V. Gordeychik: "RE: Restricting the change of the local administrator account password."
Date: Wed, 05 May 2004 18:26:36 -0400
To: Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net>, focus-ms@securityfocus.com
You cannot prevent this, but you can create a script that will change
the password to a known value. This way even if they change the
password, you just change it back. Another option is to create a policy
that prevents them from doing so. If they disobey the policy they lose
admin rights.
Denny
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
Sent: Wednesday, May 05, 2004 12:17 PM
To: focus-ms@securityfocus.com
Subject: Re: Restricting the change of the local administrator account
password.
On 2004-05-05 ddraiggoch@coldyne.com wrote:
> I've come across quite an interesting problem, currently I have an
> environment split into categories such as application management, OS
> management etc on the Windows 2000 and 2003 platforms. On the
> application side we get requests from application administrators to
> get full administrative rights on the system which is accepted on
> domain accounts.
>
> However, should this user decide to change the local administrator
> account under Windows then there is nothing to restrict them doing so
> as I can see. This in essence causes an issue where the OS team builds
> the system with a renamed admin account, and a specific password. This
> isn't disabled as it is relied on should the domain become unavailable
> and access is still required.
>
> So my question to you all is as follows, how do I restrict the ability
> to change the local administrator password, even at the level of a
> domain account specified as administrator in the local group. Is there
> a setting in Windows that can be turned on so that without knowing
> what the password is the change cannot be made unless you type in the
> old password, new password, and its confirmation?
I doubt that there is a way of doing so. Even if you were able to remove
the change-password privilege from that specific user account, he could
easily regain it. Local administrators are able to acquire every right
on the local system.
Regards
Ansgar Wiechers