Re: Basic Security Help

From: Eddie (Eddie_at_discussions.microsoft.com)
Date: 06/08/05


Date: Tue, 7 Jun 2005 18:31:02 -0700

thanks

"Steven L Umbach" wrote:

> It sounds like you are using XP but I am not sure if you are using XP Pro or
> XP Home. I am not very familiar with XP Home but it is my understanding that
> for XP Home you "might" be able to access the built in administrator account
> by booting into safe mode and entering administrator for logon name and leave
> the password blank. This of course assumes that the built in administrator
> account has not been configured. Otherwise for XP Home and XP Pro there is a
> free utility available on the internet that allows you to create a bootable
> floppy or cdrom to reset the built in administrator account to allow you to
> logon to your computer. See the link below for details and instructions. If
> you reinstall your operating system as an "upgrade" install it will not fix
> your problem and a fresh/new install would require you to reinstall all of
> your applications and erase your data files that are on the same drive
> partition as your operating system IF you format your hard drive during the
> installation. If the instructions sound complicated to you try to find a
> friend or family member that knows a bit about computers to help you. --
> Steve
>
> http://www.petri.co.il/forgot_administrator_password.htm
> http://home.eunet.no/~pnordahl/ntpasswd/
>
> "Kymberley" <Kymberley@discussions.microsoft.com> wrote in message
> news:957AC18C-5ED0-4305-80AB-33563DC458C8@microsoft.com...
> > The info provided to 'eddie' sounds experienced & educated. I have a
> > question of my own. I did a dumb thing and I don't know how to "undo" it.
> > I set up a system password - and promptly forgot it - ; I also changed the
> > logon screen from "welcome" to the more secure logon screen using a
> > username and password. I have no idea how to get around it. Please help!!!
> > Can you help me? Can I reload my windows xp application cd and get around
> > the login password that way?
> >
> > "Steven L Umbach" wrote:
> >
> >> There are plenty of great articles as shown in the links below. The main
> >> things that you can do to start are the following, many of which are
> >> common sense items that need to be implemented and used. By far the
> >> biggest risk to a network is weak or no passwords followed by malicious
> >> users on your network.
> >>
> >> -- Use password policy to enforce strong passwords in the domain by
> >> enabling password complexity and using passwords no less than seven
> >> characters in length. Be sure to educate users of any pending changes to
> >> password policy and get users to think of pass phrases instead of
> >> passwords.
> >>
> >> -- Be sure that computers are kept current with critical security updates
> >> from Windows Updates or using a SUS server to authorize and distribute
> >> security updates which can be done automatically with Automatic Updates.
> >>
> >> -- Have virus protection on all of your computers that also is kept
> >> current with virus definitions, scans all emails, and does scheduled full
> >> system virus scans.
> >>
> >> -- Modify the user rights for access this computer from the network to
> >> restrict which users/groups can access a computer for file and print
> >> sharing. Be careful using the deny access to this computer from the
> >> network as it overrides the allow user right and remember that
> >> administrators are also in the users/everyone group.
> >>
> >> -- Have an action plan now for what to do if you discover viruses on your
> >> network including how to isolate and repair infected computers. The free
> >> Antivirus in Depth Guide available at the TechNet Security Center can
> >> help you plan such.
> >>
> >> -- Use a firewall at the perimeter to protect your network computers and
> >> periodically scan it from the outside to make sure it is doing its job as
> >> configured. The free self scan sites such as http://scan.sygatetech.com/
> >> can be of help.
> >>
> >> -- Make sure that the number of domain administrators is kept to a
> >> minimum of qualified and trustworthy people and that regular domain users
> >> are not also "local" administrators unless you have a compelling business
> >> reason for such. Never allow any domain user to share user accounts or
> >> passwords.
> >>
> >> -- Windows 2003 should already have auditing enabled by default in Domain
> >> Controller Security Policy. Be sure to check the security logs
> >> periodically looking for unauthorized account management events and
> >> suspicious failed logon attempts.
> >>
> >> -- Never logon to a domain workstation computer that is not a secure
> >> admin workstation as a domain administrator as you risk capture of your
> >> credentials or their exploitation by malware/hacker.
> >>
> >> -- Disable non essential services on domain computers. Use the Microsoft
> >> Baseline Security Analyzer to help with such as it can scan your network
> >> computers and also report other vulnerabilities such as missing critical
> >> security updates.
> >>
> >> -- Physically protect to some degree your domain controllers and any
> >> other critical domain computers with sensitive information.
> >>
> >> -- Don't underestimate the impact of social engineering on network
> >> security. Helpful users often gladly give access or passwords to those
> >> that ask for such nicely, posing as part of the IT staff or a big boss.
> >> Training, strict procedures, and awareness are the best defense against
> >> such.
> >>
> >> -- Don't tolerate unauthorized computers or Wireless Access Points on
> >> your network that may be poorly secured or even infected with malware.
> >> This mainly can be employee laptops. Have a written computer use policy
> >> that the employee/user signs and understands the consequences.
> >>
> >> -- Use Group and security policy to uniformly manage security and
> >> configuration of your domain computers. One good example would be to
> >> force computers to lock their desktop after a period of idle time. The
> >> free Group Policy Management Console can make that task much easier.
> >>
> >> -- Backups are a must part of securing a network. For domain controllers
> >> be sure to backup the "System State" on a regular basis as that is where
> >> your Group Policy and other Active Directory objects such as users,
> >> groups, and computers are stored. Have a disaster recovery plan and try
> >> it out sometime on a test network so that you know what to do if the real
> >> deal happens.
> >>
> >> -- If you want to try and change security policy settings such as
> >> security options it is best to test out the changes on a test computer in
> >> a test Organizational Unit.
> >>
> >> That should be a start but maybe it is not what you expected. Securing a
> >> network is much more than some registry tweaks and modifying ntfs
> >> permissions. Be sure to read the Windows 2003 Server Security guide and
> >> the Threats and Countermeasures Guide that are available at TechNet
> >> Security Center. --- Steve
> >>
> >> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
> >> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC
> >> http://www.microsoft.com/smallbusiness/support/computer-security.mspx -- Small business security guidance center
> >> http://www.microsoft.com/technet/security/default.mspx --- TechNet Security Center
> >>
> >>
> >> "Eddie" <Eddie@discussions.microsoft.com> wrote in message
> >> news:350C21EF-AFDE-4912-8045-1649B9270462@microsoft.com...
> >> > I have a windows 2003 single domain in native mode. All of my
> >> > workstations are windows 2000 pro or xp pro. All of my windows servers
> >> > are 2003. I want to lock down security but I am afraid of causing
> >> > problems. Any articles I can read? Also any advice would be great.
> >>
> >>
> >>
>
>
>
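An added illustration of the security-log review advice quoted above (checking for unauthorized account management events and suspicious failed logon attempts); it is not part of the original thread. The CSV export layout, the account and host names, and the threshold of five failures within five minutes are assumptions made for this example; the event IDs are the Windows Server 2003-era Security log numbers.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
ACCOUNT_MGMT = {624: "user account created", 628: "password set by another account",
                630: "user account deleted", 632: "member added to global group",
                636: "member added to local group", 644: "account locked out"}
FAILED_LOGON = {529, 675}  # bad user name/password; Kerberos pre-auth failed

# Constructed sample export (assumed layout): time, event ID, account, source host.
SAMPLE_LOG = """\
2005-06-07 02:10:01,529,jsmith,WS-014
2005-06-07 02:10:09,529,jsmith,WS-014
2005-06-07 02:10:15,675,jsmith,WS-014
2005-06-07 02:10:22,529,jsmith,WS-014
2005-06-07 02:10:30,529,jsmith,WS-014
2005-06-07 02:11:02,644,jsmith,DC-01
2005-06-07 09:00:12,529,mlee,WS-022
2005-06-07 09:00:40,528,mlee,WS-022
2005-06-07 23:47:55,624,svc_tmp,DC-01
2005-06-07 23:48:10,632,svc_tmp,DC-01
"""

def review(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (account-management findings, failed-logon bursts)."""
    mgmt, failures, bursts = [], defaultdict(list), []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[1].isdigit():
            continue  # skip blank or malformed lines rather than abort the review
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        event_id, account, host = int(row[1]), row[2], row[3]
        if event_id in ACCOUNT_MGMT:
            mgmt.append((row[0], account, ACCOUNT_MGMT[event_id]))
        elif event_id in FAILED_LOGON:
            recent = failures[(account, host)]
            recent.append(when)
            recent[:] = [t for t in recent if when - t <= window]  # sliding window
            if len(recent) == threshold:  # report once, when the burst is reached
                bursts.append((account, host, row[0]))
    return mgmt, bursts

if __name__ == "__main__":
    mgmt, bursts = review(SAMPLE_LOG)
    for finding in mgmt:
        print("ACCOUNT MGMT:", *finding)
    for account, host, at in bursts:
        print(f"FAILED LOGON BURST: {account} from {host} at {at}")
```

A single mistyped password followed by a successful logon (the `mlee` rows) is ignored, while the late-night account creation followed by a group addition is listed for a human to confirm against change records.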