Re: Please help : Adminstrator password consistancy ????

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/04/04


Date: Sat, 4 Sep 2004 11:28:19 -0400

PS some common encryption utilities are listed here:

http://www.securityadmin.info/faq.asp#encryption

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:...
> This is not a problem. Configure the BIOS to require a password, and make
> sure anyone who needs to boot from floppy knows the password. Since you are
> enabling your users to do administrative tasks like backup and software
> installation, you really can't very well expect to password protect the
> systems from those users.
>
> You can also use SYSKEY to require either a syskey password or a syskey
> floppy disk at bootup. The best solution might be using software that can
> encrypt the entire hard drive and require a password.
>
> If these things cause a little more work for you and your users, that's
> because increased security usually means decreased functionality and/or a
> little more effort. Extra security is usually a bit annoying.
>
> Note that many of those password reset utilities don't actually learn the
> admin password, they just blank it out. You could use a variety of methods
> to detect when the local administrator password has been changed.
>
> You could also use Windows XP with EFS encryption, or use EFS encryption
> with workstations joined to the windows domain. Resetting the Admin
> password shouldn't allow access to EFS encrypted files if EFS is properly
> configured.
>
> If you're going to lock down the workstations to prevent users from making
> administrative changes, it's also probably a good idea to have a publicized
> policy where people are reprimanded or lose privileges if they are found
> doing such things.
>
> Note also that none of these procedures would probably prevent someone from
> gaining admin access by local privilege escalation or a local or remote
> buffer overflow sort of attack.
>
> It's generally accepted that it's difficult if not impossible to prevent
> someone with physical access to your computer from totally owning it.
>
> "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
> message news:BFCF3A25-7AFD-4515-98E6-A966995A935D@microsoft.com...
> > As previous post, prevent boot floppy from bios could be a way but, we have
> > some backup and restore procedure which needs to use booting from floppy.
> > But anyway those software which reset administrative password, some are using
> > boot floppy but some other a simple boot CD. So if we use Bios locking that
> > is a bit annoying for handling ghost backup and restore procedure...
> >
> > I was thinking on a solution, inside group policy or local security, or some
> > scripting stuff which could force back proper user rights..
> >
> > Could it be possible ?
> >
> > regards
> > serge
> >
> > "Steven L Umbach" wrote:
> >
> > > In the computers cmos settings that are available during the boot sequence usually by
> > > holding down delete or such, configure the computer to boot only from the hard drive.
> > > Then password protect the cmos settings. Users may still be able to reset the
> > > password by removing the cover of the computer and unplugging the battery or using a
> > > jumper to reset cmos settings to default so try to use cases that lock access to the
> > > inside of the computer. If you are in a domain you can use the Group Policy computer
> > > configuration "restricted groups" feature at the Organizational Unit level to enforce
> > > domain computers local group membership for computers in that OU. --- Steve
> > >
> > >
> > > "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in message
> > > news:0085362A-0ADB-444D-BB0C-D864BCB1B87D@microsoft.com...
> > > > Dear all,
> > > >
> > > > Actually we are setting up some standard office workstation with Windows
> > > > 2000 pro.
> > > > We have setup there different user profile with appropriate rights.
> > > > We keep for our IT team the Administrator password..
> > > >
> > > > As you may know it exist some software (a single boot floppy) that can reset
> > > > the administrator password , and then final users will have access to
> > > > everything and our IT team start to do the police on non stable system due to
> > > > some system settings changes.
> > > >
> > > > Is there a way to avoid that the administrator password is discovered ?
> > > >
> > > > Thanks for your help
> > > > regards
> > > >
> > > > Serge
> > >
> > >
> > >
>
>
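
An added example, not part of the original thread or written by any of its posters: the local group membership that "restricted groups" enforces, expressed as an audit script for the "scripting stuff" the question asks about. It parses `net localgroup Administrators` output and reports drift from an allowlist; the sample output, the account names and the allowlist are constructed, and the English status line is assumed.

```python
"""Audit local Administrators membership against an allowlist."""

# Constructed sample of `net localgroup Administrators` output (English locale).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

# Hypothetical allowlist: the membership Restricted Groups would enforce for this OU.
ALLOWED = {"Administrator", "CORP\\Domain Admins"}


def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def audit(net_output, allowed):
    """Compare actual members to the allowlist, ignoring case as Windows does."""
    actual = {m.lower() for m in parse_members(net_output)}
    wanted = {a.lower() for a in allowed}
    return {"unexpected": sorted(actual - wanted), "missing": sorted(wanted - actual)}


if __name__ == "__main__":
    # On a workstation, feed in the real command output instead, e.g.
    # subprocess.run(["net", "localgroup", "Administrators"],
    #                capture_output=True, text=True, check=True).stdout
    print(audit(SAMPLE_OUTPUT, ALLOWED))
```

Run on a schedule or at startup, a non-empty `unexpected` list is the signal to alert on or to feed into a cleanup step.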


