Re: Limiting rights to a second administrator account
From: Karl Levinson [x y], mvp (levinson_k@despammed.com)
Date: 04/12/03
From: "Karl Levinson [x y], mvp" <levinson_k@despammed.com> Date: Sat, 12 Apr 2003 13:27:06 -0400
I agree. IMHO there is no way to reliably limit any Administrator
equivalent account. Anything you can do, another Administrator-equivalent
account can undo.
Having said that, I can understand that it would be difficult for someone
doing PC break / fix on those computers to do anything without a local
Administrator account.
If these computers all log into a network server somewhere such as a Windows
domain, you might be able to use a domain account and change the password
for the domain account every month or so. It's harder to reliably change
local accounts remotely, so those passwords tend to not change as
frequently. That also keeps the password hash off of the local computer...
anyone with local access to the computer has a good chance of cracking the
password hashes from the local SAM, and resetting the admin password is
trivial for anyone with local access.
My main concern would be protecting the admin account password and limiting
what non-admins can do, instead of limiting what an admin can do. Once a
student has administrative permissions, they can do pretty much anything.
Also, note that it's hard to secure a workstation from someone who has
unrestricted physical access to the computer.
You might also consider some of these other links to further secure the
computers in other ways from both local and remote attacks:
http://securityadmin.info/faq.htm#harden
[for example, check out the list of hardening checklists there]
"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:I7Lla.98059$ug3.181951@rwcrnsc51.ops.asp.att.net...
> Hi Jose. Of course the administrator account is all powerful and by
> design not able to be restricted in any way that the administrator could not
> ultimately reverse. If such could be done to an administrator account it
> could open it up to attack to cause all kinds of problems by reducing its
> power. That said when anyone is bestowed administrator privileges there is a
> lot of trust and responsibility that goes with it and the possibility of
> abuse goes with the territory. I agree with you about using the same
> password on all computers is a concern. Possibly that could work on some or
> most machines that do not store any critical or confidential data (student
> learning machines, etc.). I would be very adamant about critical use
> computers having unique administrator names and passwords - and those
> computers should be physically secured to some degree. I would recommend
> that account management and log on auditing be enabled on all computers and
> monitored. If someone does change passwords to lock out another
> administrator, there are ways to work around that and you should probably
> plan for it now. The other concern is that a malicious administrator can do
> a lot more damage to a computer than just change passwords - such as
> changing permissions on files that he is not supposed to access and then
> encrypting them. --- Steve
>
> http://securityadmin.info/faq.htm#password
>
> "JOSE G. URBINA" <JGURBINA@STCC.CC.TX.US> wrote in message
> news:069701c3007d$aa0f0950$a001280a@phx.gbl...
> > Hello,
> > Recently a friend and I, who work at a city college, were
> > requested by our IT Dept. to implement an administrator
> > password for them. This poses a dilemma for us since they
> > want to have full access with one same password on all the
> > computers. The thing is that if anyone gets ahold of that
> > password they will have administrative privileges to all
> > computers. This is when we stated that we have teachers
> > and students who need administrative privileges to the
> > computer, their answer was that we create a second account
> > on the computers with a different password. But since both
> > have administrator rights we worry that students will
> > reset the password on the first account, which is our main
> > concern. In short is there a way to customize a new admin
> > user that cannot modify another admin, all I have received
> > is default windows account information, how can I
> > customize the second admin account.
> > Your reply would be greatly appreciated.
>
>
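The thread recommends enabling and monitoring account management auditing, since one administrator cannot be prevented from resetting another's password. The PowerShell below is an added example, not part of any poster's message: it flags Security log events in which a protected admin account was reset, changed, disabled or deleted by someone else. The account names `ITAdmin` and `LabAdmin`, the host name and the sample records are constructed; the event IDs are those used by Windows Vista / Server 2008 and later.

```powershell
# Added example, not from the thread. 'ITAdmin', 'LabAdmin' and the sample records are constructed.
# Prerequisite on each PC (elevated prompt):
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# Security log event IDs on Windows Vista / Server 2008 and later:
$WatchedIds = @{
    4724 = 'password reset attempted'
    4738 = 'account changed'
    4725 = 'account disabled'
    4726 = 'account deleted'
}

function ConvertTo-AccountEvent {
    # Flatten a record returned by Get-WinEvent into the fields used below.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time = $Record.TimeCreated; Id = $Record.Id; Computer = $Record.MachineName
            Actor = $data['SubjectUserName']; Target = $data['TargetUserName']
        }
    }
}

function Find-AdminTampering {
    # Return events where a protected account was modified by anyone not on the allow list.
    param([object[]]$Events, [string[]]$Protected, [string[]]$AllowedActors)
    foreach ($e in $Events) {
        if ($WatchedIds.ContainsKey([int]$e.Id) -and $Protected -contains $e.Target -and
            $AllowedActors -notcontains $e.Actor) {
            $e | Select-Object Time, Computer, Actor, Target,
                @{ Name = 'Action'; Expression = { $WatchedIds[[int]$_.Id] } }
        }
    }
}

# Constructed sample records (same shape as ConvertTo-AccountEvent output).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-04 09:14'; Id = 4724; Computer = 'LAB-PC07'; Actor = 'ITAdmin';  Target = 'LabAdmin' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 10:02'; Id = 4724; Computer = 'LAB-PC07'; Actor = 'LabAdmin'; Target = 'ITAdmin' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 10:03'; Id = 4738; Computer = 'LAB-PC07'; Actor = 'LabAdmin'; Target = 'ITAdmin' }
)
# Flags the last two records: LabAdmin acting on ITAdmin.
Find-AdminTampering -Events $sample -Protected 'ITAdmin' -AllowedActors 'ITAdmin'

# Against a live log (elevated):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$WatchedIds.Keys } | ConvertTo-AccountEvent
```

Because a local administrator can also clear the local Security log, the check is only dependable when the events are forwarded to a collector the lab accounts do not control.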