Re: Please help : Adminstrator password consistancy ????

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/04/04 

Date: Sat, 4 Sep 2004 10:51:26 -0400

This is not a problem. Configure the BIOS to require a password, and make
sure anyone who needs to boot from floppy knows the password. Since you are
enabling your users to do administrative tasks like backup and software
installation, you really can't very well expect to password protect the
systems from those users.

You can also use SYSKEY to require either a syskey password or a syskey
floppy disk at bootup. The best solution might be using software that can
encrypt the entire hard drive and require a password.

If these things cause a little more work for you and your users, that's
because increased security usually means decreased functionality and/or a
little more effort. Extra security is usually a bit annoying.

Note that many of those password reset utilities don't actually learn the
admin password, they just blank it out. You could use a variety of methods
to detect when the local administrator password has been changed.

You could also use Windows XP with EFS encryption, or use EFS encryption
with workstations joined to the windows domain. Resetting the Admin
password shouldn't allow access to EFS encrypted files if EFS is properly
configured.

If you're going to lock down the workstations to prevent users from making
administrative changes, it's also probably a good idea to have a publicized
policy where people are reprimanded or lose privileges if they are found
doing such things.

Note also that none of these procedures would probably prevent someone from
gaining admin access by local privilege escalation or a local or remote
buffer overflow sort of attack.

It's generally accepted that it's difficult if not impossible to prevent
someone with physical access to your computer from totally owning it.

"serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
message news:BFCF3A25-7AFD-4515-98E6-A966995A935D@microsoft.com...
> As previous post, prevent boot floppy from bios could be a way but, we
have
> some backuip and restore procedure which needs to use booting from floppy.
> But anyway thos software which reset administrative password, some are
using
> boot floppy but some other a simple boot CD. So if we use Bios locking
that
> is a bit enoying for handling ghost backup and restore procedure...
>
> I was thinking on a solution, inside group policy or local security, or
some
> scripting stuff which could force back proper user rights..
>
> Could it be possible ?
>
> regards
> serge
>
> "Steven L Umbach" wrote:
>
> > In the computers cmos settings that are available during the boot
sequence usually by
> > holding down delete or such, configure the computer to boot only from
the hard drive.
> > Then password protect the cmos settings. Users may still be able to
reset the
> > password by removing the cover of the computer and unplugging the
battery or using a
> > jumper to reset cmos settings to default so try to use cases that lock
access to the
> > inside of the computer. If you are in a domain you can use the Group
Policy computer
> > configuration "restricted groups" feature at the Organizational Unit
level to enforce
> > domain computers local group membership for computers in that OU. ---
Steve
> >
> >
> > "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
message
> > news:0085362A-0ADB-444D-BB0C-D864BCB1B87D@microsoft.com...
> > > Dear all,
> > >
> > > Actually we are setting up some standard office workstation with
Windows
> > > 2000 pro.
> > > We have setup there different user profile with appropriate rights.
> > > We keep for out IT team the Administrator password..
> > >
> > > As you may know it exist some software (a single boot floppy) that can
reset
> > > the administrator password , and then final users will have access to
> > > everything and our IT tema start to do the police on non stable system
due to
> > > some system settings changes.
> > >
> > > Is there a way to avoid that the administrator password is discovered
?
> > >
> > > Thnaks for your help
> > > regards
> > >
> > > Serge
> >
> >
> >

Relevant Pages

  • Re: program to map out weak HD sectors?
    ... >>> I don't have a floppy drive or bootable CDROM. ... Bios Date is 1998. ... can't boot from it. ...
    (comp.sys.ibm.pc.hardware.storage)
  • Re: Cpq Presario 906
    ... which comes w/o the internal FDD. ... also has the 26-pin flexprint floppy connector on the mobo, ... properly detected during POST and the BIOS briefly scans the ... floppy in it BUT is too stupid to actually boot from it! ...
    (comp.sys.laptops)
  • Re: Cpq Presario 906
    ... which comes w/o the internal FDD. ... also has the 26-pin flexprint floppy connector on the mobo, ... properly detected during POST and the BIOS briefly scans the ... floppy in it BUT is too stupid to actually boot from it! ...
    (comp.sys.laptops)
  • Re: crash please help
    ... If so, reset the bios. ... I'm assume your Vista Disc will not boot -- but can you put any sort ...
    (microsoft.public.windows.vista.general)
  • Re: so I decided to remove SUSE 9.2 from my machine
    ... > If that works AND IF you correctly made a BOOTABLE floppy with Windows ... That will remove your old Master Boot Record. ... Now reboot and enter the BIOS as above and change your First Boot ... It must contain the Windows system files ...
    (alt.os.linux.suse)
Loading