Re: cracking local admin account
From: Patrick J. LoPresti (patl_at_users.sourceforge.net)
Date: 11/14/04
Date: 14 Nov 2004 10:48:54 -0500
Sorry I am late to this discussion.

As others have mentioned, if he can boot from media of his choosing,
he can reset the local admin password and do many other things. To
defend against this, configure the boot order in the BIOS, set a BIOS
password, and put a padlock on the case (to prevent manual BIOS
reset).

But a better idea might be to ask yourself why you care if he has
local admin rights to the machine? Unless your network is horribly
misconfigured, in which case you have bigger problems, his admin
access is "local" and thus cannot bother anybody else.

If you are worried about supporting such systems, then don't. In my
I.T. group, we make a simple deal with each user: They can have
non-admin access and let us support the machine; or they can have
local admin access and support it themselves. In the latter case, our
assistance is limited to wiping the machine and rebuilding it from
scratch, which amounts to two minutes of our time. This works for us
and keeps the "power users" happy.

The best I.T. people know that enforcing policy is always secondary to
providing good service.

- Pat

spence <spence@discussions.microsoft.com> writes:
> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to by-pass corporate bureaucracies that impede productivity.)
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.
>
> thanks,
> spence