Re: Please help : Adminstrator password consistancy ????
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/04/04
- Next message: Karl Levinson [x y] mvp: "Re: calc.exe"
- Previous message: Karl Levinson [x y] mvp: "Re: Please help : Adminstrator password consistancy ????"
- Maybe in reply to: serge calderara: "Please help : Adminstrator password consistancy ????"
- Next in thread: serge calderara: "Re: Please help : Adminstrator password consistancy ????"
- Reply: serge calderara: "Re: Please help : Adminstrator password consistancy ????"
Date: Sat, 4 Sep 2004 11:28:19 -0400
PS some common encryption utilities are listed here:
http://www.securityadmin.info/faq.asp#encryption
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:...
> This is not a problem. Configure the BIOS to require a password, and make
> sure anyone who needs to boot from floppy knows the password. Since you are
> enabling your users to do administrative tasks like backup and software
> installation, you really can't very well expect to password protect the
> systems from those users.
>
> You can also use SYSKEY to require either a syskey password or a syskey
> floppy disk at bootup. The best solution might be using software that can
> encrypt the entire hard drive and require a password.
>
> If these things cause a little more work for you and your users, that's
> because increased security usually means decreased functionality and/or a
> little more effort. Extra security is usually a bit annoying.
>
> Note that many of those password reset utilities don't actually learn the
> admin password, they just blank it out. You could use a variety of methods
> to detect when the local administrator password has been changed.
>
> You could also use Windows XP with EFS encryption, or use EFS encryption
> with workstations joined to the windows domain. Resetting the Admin
> password shouldn't allow access to EFS encrypted files if EFS is properly
> configured.
>
> If you're going to lock down the workstations to prevent users from making
> administrative changes, it's also probably a good idea to have a publicized
> policy where people are reprimanded or lose privileges if they are found
> doing such things.
>
> Note also that none of these procedures would probably prevent someone from
> gaining admin access by local privilege escalation or a local or remote
> buffer overflow sort of attack.
>
> It's generally accepted that it's difficult if not impossible to prevent
> someone with physical access to your computer from totally owning it.
>
> "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
> message news:BFCF3A25-7AFD-4515-98E6-A966995A935D@microsoft.com...
> > As previous post, prevent boot floppy from bios could be a way but, we have
> > some backup and restore procedure which needs to use booting from floppy.
> > But anyway those software which reset administrative password, some are using
> > boot floppy but some other a simple boot CD. So if we use Bios locking that
> > is a bit annoying for handling ghost backup and restore procedure...
> >
> > I was thinking on a solution, inside group policy or local security, or some
> > scripting stuff which could force back proper user rights..
> >
> > Could it be possible ?
> >
> > regards
> > serge
> >
> > "Steven L Umbach" wrote:
> >
> > > In the computers cmos settings that are available during the boot sequence usually by
> > > holding down delete or such, configure the computer to boot only from the hard drive.
> > > Then password protect the cmos settings. Users may still be able to reset the
> > > password by removing the cover of the computer and unplugging the battery or using a
> > > jumper to reset cmos settings to default so try to use cases that lock access to the
> > > inside of the computer. If you are in a domain you can use the Group Policy computer
> > > configuration "restricted groups" feature at the Organizational Unit level to enforce
> > > domain computers local group membership for computers in that OU. --- Steve
> > >
> > >
> > > "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in message
> > > news:0085362A-0ADB-444D-BB0C-D864BCB1B87D@microsoft.com...
> > > > Dear all,
> > > >
> > > > Actually we are setting up some standard office workstation with Windows
> > > > 2000 pro.
> > > > We have setup there different user profile with appropriate rights.
> > > > We keep for our IT team the Administrator password..
> > > >
> > > > As you may know it exist some software (a single boot floppy) that can reset
> > > > the administrator password , and then final users will have access to
> > > > everything and our IT team start to do the police on non stable system due to
> > > > some system settings changes.
> > > >
> > > > Is there a way to avoid that the administrator password is discovered ?
> > > >
> > > > Thanks for your help
> > > > regards
> > > >
> > > > Serge
> > >
> > >
> > >
>
>
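
Added example, not part of the original thread: one way to script the detection mentioned above (a changed local administrator password) together with the "force back proper user rights" check asked about, as a baseline comparison of the built-in Administrator's password timestamp and the local Administrators group. The baseline path and the function names are hypothetical, and the script assumes the LocalAccounts cmdlets of Windows PowerShell 5.1 or later, which the Windows 2000 workstations in the thread do not have.

```powershell
# Added example (not from the thread). Needs the Microsoft.PowerShell.LocalAccounts
# module (Windows PowerShell 5.1+). $BaselinePath is a hypothetical location.
$BaselinePath = 'C:\ProgramData\AdminBaseline.json'

function Get-AdminState {
    # The built-in Administrator is the local account whose SID ends in -500,
    # whatever it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    # Resolve the Administrators group by well-known SID so localized names work.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value }
    [pscustomobject]@{
        AdminName       = $admin.Name
        # Stored as a plain UTC string so the JSON round trip cannot alter it.
        PasswordLastSet = if ($admin.PasswordLastSet) {
            $admin.PasswordLastSet.ToUniversalTime().ToString('yyyyMMddHHmmss')
        } else { 'never' }
        Members         = @($members)
    }
}

function Compare-AdminState {
    param($Baseline, $Current)
    $findings = @()
    if ($Baseline.PasswordLastSet -ne $Current.PasswordLastSet) {
        $findings += "Administrator password timestamp changed: " +
                     "$($Baseline.PasswordLastSet) -> $($Current.PasswordLastSet)"
    }
    foreach ($sid in $Current.Members) {
        if ($Baseline.Members -notcontains $sid) { $findings += "Unexpected member of Administrators: $sid" }
    }
    foreach ($sid in $Baseline.Members) {
        if ($Current.Members -notcontains $sid) { $findings += "Expected member missing from Administrators: $sid" }
    }
    $findings
}

$current = Get-AdminState
if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded at $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $findings = Compare-AdminState -Baseline $baseline -Current $current
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else { Write-Output 'No drift from baseline.' }
}
```

Keep the baseline file where ordinary users cannot write to it, otherwise the comparison can be reset along with the password.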