Re: Basic Security Help

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/07/05 

Date: Tue, 7 Jun 2005 12:45:36 -0500

It sounds like you are using XP but I am not sure if you are using XP Pro or
XP Home. I am not very familiar with XP Home but it is my understanding that
for XP Home you "might" be able to access the built in administrator account
by booting into safe mode and entering administrator for logon name an leave
the password blank. This of course assumes that the built in administrator
account has not been configured. Otherwise for XP Home and XP Pro there is a
free utility available on the internet that allows you to create a bootable
floppy or cdrom to reset the built in administrator account to allow you to
logon to your computer. See the link below for details and instructions. If
you reinstall your operating system as an "upgrade" install it will not fix
your problem and a fresh/new install would require you to reinstall all of
your applications and erase your data files that are on the same drive
partition as your operating system IF you format your hard drive during the
installation. If the instructions sound complicated to you try to find a
friend or family member that knows a bit about computers to help you. --
Steve

http://www.petri.co.il/forgot_administrator_password.htm
http://home.eunet.no/~pnordahl/ntpasswd/

"Kymberley" <Kymberley@discussions.microsoft.com> wrote in message
news:957AC18C-5ED0-4305-80AB-33563DC458C8@microsoft.com...
> The info provided to 'eddie' sounds experienced & educated. I have a
> question of my own. I did a dumb thing and i don't know how to "undo' it.
> i
> set up a system password - and promptly forgot it - ; I also changed the
> logon screen from "welcome" to the more secure logon screen using a
> username
> and password.. I have no idea how to get around it. Please help!!! Can
> you
> help me? Can I reload my windows xp application cd and get around the
> login
> password that way.?
>
> "Steven L Umbach" wrote:
>
>> There are plenty to great articles as shown in the links below. The main
>> things that you can do to start are the following many of which are
>> common
>> sense items that need to be implemented and used. By far the biggest risk
>> to
>> a network is weak or no passwords followed by malicious user on your
>> network.
>>
>> -- Use password policy to enforce strong passwords in the domain by
>> enabling
>> password complexity and using password no less that seven characters in
>> length. Be sure to educate users of any pending changes to password
>> policy
>> and get users to think of pass phrases instead of passwords.
>>
>> -- Be sure that computers are kept current of critical security updates
>> from
>> Windows Updates or using a SUS server to authorize and distribute
>> security
>> updates which can be done automatically with Automatic Updates.
>>
>> -- Have virus protection on all of your computers that also is kept
>> current
>> with virus definitions, scans all emails, and does scheduled full system
>> virus scans.
>>
>> -- Modify the user rights for access this computer from the network to
>> restrict which users/groups can access a computer for file and print
>> sharing. Be careful using the deny access to this computer from the
>> network
>> as it overrides the allow user right and remember that administrators are
>> also in the users/everyone group.
>>
>> -- Have an action plan now for what to do if you discover viruses on your
>> network including how to isolate and repair infected computers. The free
>> Antivirus in Depth Guide available at the TechNet Security Center can
>> help
>> you plan such.
>>
>> -- Use a firewall at the perimeter to protect your network computers and
>> periodically scan it from the outside to make sure it is doing its job as
>> configured. The free self scan sites such as http://scan.sygatetech.com/
>> can
>> be of help.
>>
>> -- Make sure that the number of domain administrators is kept to a
>> minimum
>> of qualified and trustworthy people and that regular domain users are not
>> also "local" administrators unless you have a compelling business reason
>> for
>> such. Never allow any domain user to share user accounts or passwords.
>>
>> -- Windows 2003 should already have auditing enabled by default in Domain
>> Controller Security Policy. Be sure to check the security logs
>> periodically
>> looking for unauthorized account management events and suspicious failed
>> logon attempts.
>>
>> -- Never logon to a domain workstation computer that is not a secure
>> admin
>> workstation as a domain administrator as you risk capture of your
>> credentials or their exploitation by malware/hacker.
>>
>> -- Disable non essential services on domain computers. Use the Microsoft
>> Baseline Security Analyzer to help with such as it can scan your network
>> computers and also report other vulnerabilities such as missing critical
>> security updates.
>>
>> -- Physically protect to some degree your domain controllers and any
>> other
>> critical domain computers with sensitive information.
>>
>> -- Don't underestimate the impact of social engineering on network
>> security.
>> Helpful users often gladly give access or passwords to those that ask for
>> such nicely posing to be part of the IT staff or a big boss. Training,
>> strict procedures, and awareness is the best defense against such.
>>
>> -- Don't tolerate unauthorized computers or Wireless Access Points on
>> your
>> network that may be poorly secured or even infected with malware. This
>> mainly can be employee laptops. Have a written computer use policy that
>> the
>> employee/user signs and understands the consequences.
>>
>> -- Use Group and security policy to uniformly manage security and
>> configuration of your domain computers. One good example would be to
>> force
>> computers to lock their desktop after a period of idle time. The free
>> Group
>> Policy Management Console can make that task much easier.
>>
>> -- Backups are a must part of securing a network. For domain controllers
>> be
>> sure to backup the "System State" on a regular basis as that is where
>> your
>> Group Policy and other Active Directory objects such as users, groups,
>> and
>> computers are stored. Have a disaster recovery plan and try it out
>> sometime
>> on a test network so that you know what to do if the real deal happens.
>>
>> -- If you want to try and change security policy settings such as
>> security
>> options it is best to test out the changes on a test computer in a test
>> Organizational Unit.
>>
>> That should be a start but maybe it is not what you expected. Securing a
>> network is much more than some registry tweaks and modifying ntfs
>> permissions. Be sure to read the Windows 2003 Server Security guide and
>> the
>> Threats and Countermeasures Guide that are available at TechNet Security
>> Center. --- Steve
>>
>> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
>> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC
>> http://www.microsoft.com/smallbusiness/support/computer-security.mspx --
>> Small business security guidance center
>> http://www.microsoft.com/technet/security/default.mspx --- TechNet
>> Security
>> Center
>>
>>
>> "Eddie" <Eddie@discussions.microsoft.com> wrote in message
>> news:350C21EF-AFDE-4912-8045-1649B9270462@microsoft.com...
>> > I have a windows 2003 single domain in native mode. All of my
>> > workstations
>> > are windows 2000 pro or xp pro. all of my windows servers are 2003. I
>> > want
>> > to
>> > lock down security but I am affraid of causing problems. any articals i
>> > can
>> > read. also any advise would be great.
>>
>>
>>