Re: Admin Passwords on workstations

From: Stephen Souza (ssouza@.usa.#Niner.net)
Date: 01/16/03 

From: Stephen Souza <ssouza@.usa.#Niner.net>
Date: 16 Jan 2003 11:11:56 -0600

"Seeker" <newsgroups@minusthespam.pcuptime.com> wrote in
news:n4BV9.2462$KA6.830@twister.nyroc.rr.com:

> I use Hyena in a mixed environment and it works well. We are
> about to deploy WinXP workstations and I have a similar
> question. It seems that I have two options. The first is to
> assign each workstation a random strong administrator password
> as it is initially set up. Since no one should be using the
> Admin account it makes sense. This has the benefit of not using
> one password for this powerful account, but makes aging
> difficult. The other option is to use one strong password and
> periodically change it with Hyena, or change it if there is any
> indication that someone knows it.
>
> What is the best practice here, based on the balance between
> security and real-world administration?
>

My personal opinion is that the local admin password should be
changed as needed, I have on occasions had to logon local to fix
issues, while I can and have cracked/hacked local passwords it is
just one extra step and software to run when you are trying to
debug/fix a workstation issue. These same hack tools are available
to anyone via Internet so schedule changes can help control the
local password. As I am the only one who knows the local admin
password your situation maybe differnet. 

-- 
Stephen Souza
remove #Niner from e-mail address

Relevant Pages

  • Re: SBS 2003 Premium, user changes password and loses network share access
    ... If no local admin account, log on as a domain admin. ... profile that has local admin permissions on the workstation. ... Merv Porter [SBS-MVP] ...
    (microsoft.public.windows.server.sbs)
  • Re: Must all users be administrators?
    ... Correct me if I am wrong, but GROUP POLICIES override this (local admin can ... I have one workstation that has a user as Administrator and I ... install/add/remove anything, they can't save to desktop, can't change screen ...
    (microsoft.public.windows.server.sbs)
  • Re: Add the loged in user to the local admin group during logon pr
    ... This was something my predecessor implemented because one of the applications running on the users desktop requires local admin. ... users only logginto their own workstaion so there is no risk to haev soembody logging to someone else workstation. ... This way you only need to change the membership of the group when a new account is created or when someone else needs access. ... I'd probably give the group a name that matches the application and perhaps change the access permissions for the applications folder/files so that only members of that group are even allowed access to the application. ...
    (microsoft.public.scripting.vbscript)
  • RE: local admin compromised
    ... Subject: local admin compromised ... L0phtcrack has a feature that will allow the SMSAdmin user passsword to ... Boot any SMS managed workstation to DOS with a windows 9x boot floppy ... Domain Admin accounts. ...
    (Focus-Microsoft)
  • Re: desperately needing help with a Server Error
    ... I see that it works if you are a local admin on your workstation. ... under Tools/Internet Settings. ... And the .NET framework mentioned is on the server, not your workstation. ... Then open SQL Enterprise Manager, and drill down to this stored procedure ...
    (microsoft.public.dotnet.framework.aspnet)