RE: Restricting the change of the local administrator account password.
From: CHRIS GRABENSTEIN (LFGRABC_at_LF.VCCS.EDU)
Date: 05/07/04
- Previous message: Sergey V. Gordeychik: "RE: Restricting the change of the local administrator account password."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 7 May 2004 08:24:03 -0400 To: "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>, <focus-ms@securityfocus.com>, <glenn.wolf@we-inc.com>
If you're referring to enabling syskey, that was worked around quite some
time ago. It is trivial to null a local password with Petter Nordahl-Hagen's
Offline NT Password & Registry Editor or many of the other bootable Linux
CDs.
|-----Original Message-----
|From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu]
|Sent: Wednesday, May 05, 2004 5:13 PM
|To: focus-ms@securityfocus.com; glenn.wolf@we-inc.com
|Subject: RE: Restricting the change of the local administrator account password.
|
|this is possible if you have not implemented a change in the registry
|via policies or manually which any sensible administrator would years
|ago...
|
| slawek
|
|
|>>> "Wolf, Glenn" <glenn.wolf@we-inc.com> 5/5/2004 12:09 >>>
|By the way, a user with no Administrative privileges (but who has physical
|access to the machine) can change the local Administrator password anyway
|through a nifty little Linux-based boot disk:
|
|http://home.eunet.no/~pnordahl/ntpasswd/
|
|It boots up, and among other things, allows the user to reset any local
|user password (including Administrator or renamed Administrator).
|
|Glenn
|
|
|-----Original Message-----
|From: marco2 [mailto:marco2@neovalens.com]
|Sent: Wednesday, May 05, 2004 8:04 AM
|To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
|Subject: RE: Restricting the change of the local administrator account password.
|
|Hi Jason
|
|A user with Administrative privileges has full control of all local
|users and groups -- and there is nothing you can do. Longhorn *may* help
|as it will introduce the "Protected Administrator" which, when enabled,
|will allow you to have pseudo-administrators, and full administrative
|privileges only for applications you have blessed (by means of signed
|deployment manifest).
|
|Applications which have not been explicitly authorized will run with a
|restricted token, and that token will be used to prevent a number of
|actions such as writing the Program Files tree, writing to the
|HKEY_LOCAL_MACHINE and so on.
|
|I do not have the full list (but I'd love to see it!) and hence I don't
|know whether changing passwords locally is in or not.
|
|Keith Brown published an interesting article on the subject:
|http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp
|
|The only solution I know of is not to grant administrative privileges in
|the first place.
|
|For those interested, our company has developed something very similar
|to the Protected Administrator for Windows 2000/XP/2003 which allows you
|to run only selected applications under elevated privileges under the
|un-privileged user account (we change the privs of the user on the fly).
|
|The reason I mention our solution is because next Monday we will release
|a "free for home use" version valid for up to five computers.
|
|You can already grab it now from www.neovalens.com, the free license
|will follow. Just mention FREE in the organization field.
|
|Cheers,
|
| Marco
|
|
|-----Original Message-----
|From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
|Sent: Wednesday, May 05, 2004 4:34 PM
|To: focus-ms@securityfocus.com
|Subject: Restricting the change of the local administrator account password.
|
|Hi All,
|
|I've come across quite an interesting problem. Currently I have an
|environment split into categories such as application management, OS
|management etc. on the Windows 2000 and 2003 platforms. On the
|application side we get requests from application administrators to get
|full administrative rights on the system, which is accepted on domain
|accounts.
|
|However, should this user decide to change the local administrator
|account under Windows then there is nothing to restrict them doing so as
|I can see. This in essence causes an issue where the OS team builds the
|system with a renamed admin account, and a specific password. This isn't
|disabled as it is relied on should the domain become unavailable and
|access is still required.
|
|So my question to you all is as follows: how do I restrict the ability
|to change the local administrator password, even at the level of a
|domain account specified as administrator in the local group? Is there a
|setting in Windows that can be turned on so that without knowing what
|the password is the change cannot be made unless you type in the old
|password, new password, and its confirmation?
|
|Regards
|
|Jason.
|
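The thread's conclusion is that nothing in Windows stops a local administrator (or anyone with a boot CD) from resetting the built-in Administrator password, so the controls left to the OS team are who sits in the local Administrators group and noticing when that password changes. The audit below is an added example, not code from any poster or product in this thread; it assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module, run elevated on the machine being checked, and the allowlist and build date are constructed placeholders.

```powershell
<#
Added example, not code from any poster in this thread. Assumes Windows PowerShell 5.1+
with the Microsoft.PowerShell.LocalAccounts module, run elevated on the machine checked.
Membership of local Administrators is the only real control, so audit that membership
and watch PasswordLastSet on the RID-500 account rather than trying to block the change.
#>
param(
    # Constructed placeholder: principals the OS team expects in local Administrators.
    [string[]]$ExpectedAdmins = @('CORP\OS-Team-Admins'),
    # Constructed placeholder: date the OS team built the box and set the admin password.
    [datetime]$BuildDate = (Get-Date '2004-05-01')
)

# The built-in Administrator keeps RID 500 no matter what it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$status = [pscustomobject]@{
    BuiltinName       = $builtin.Name
    Renamed           = ($builtin.Name -ne 'Administrator')
    Enabled           = $builtin.Enabled
    PasswordLastSet   = $builtin.PasswordLastSet
    ChangedSinceBuild = ($null -ne $builtin.PasswordLastSet -and
                         $builtin.PasswordLastSet -gt $BuildDate)
}
$status | Format-List

# Every member of local Administrators can reset any local password, so anyone not on
# the allowlist (other than the built-in account itself) is a finding.
$members = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object {
    $_.SID.Value -notlike 'S-1-5-21-*-500' -and $ExpectedAdmins -notcontains $_.Name
}

if ($status.ChangedSinceBuild) {
    Write-Warning ("Built-in admin '{0}' password changed on {1}, after build date {2}." -f
        $builtin.Name, $builtin.PasswordLastSet, $BuildDate)
}
if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators:"
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
```

Run it from the OS team's scheduled checks and treat a ChangedSinceBuild of True or a non-empty unexpected-members list as the signal that the renamed break-glass account can no longer be trusted.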