Re: Hacked Workstations

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/26/05


Date: Sat, 26 Feb 2005 03:41:46 -0600

You did not say if you are in a domain or not but here is something that may
help, particularly if you are in a domain. You can use Group Policy to
configure startup and shutdown scripts. These scripts run in system context.
You could create a startup script that uses the command [ net user
administrator newpassword ] which would assign the built in administrator a
new password at startup to the operating system. On a non domain computer
they may eventually catch on but for domain computers you could put the
script in the proper sysvol folder for the policy machine configuration and
remove users from the script permissions and add domain computers with
read/execute permissions. That would prevent users from navigating to the
sysvol share to read the password you put in the script. This of course
assumes that the administrator account has not been renamed and that they
are not resetting passwords for another user that has administrator group
membership. FYI users may try to bypass startup scripts by pulling the
network cable before startup so be sure to disable logging onto the domain
with cached credentials in the appropriate security policy which can help
reduce success of such.

http://support.microsoft.com/default.aspx?scid=kb;en-us;198642
http://support.microsoft.com/default.aspx?scid=kb;en-us;322241

Also if these are domain computers you can use Restricted Groups to force
membership in the administrators group that you specify and I suggest that
you do this at the OU level and make sure that just domain admins is in the
administrators group, though that will still leave the built in
administrator account for the domain computer also. If you can do such I
suggest that you also shorten the Group Policy refresh interval for
computers to around five minutes and configure security policy processing to
process even if Group Policy objects have not changed to force Restricted
Groups to enforce group membership more often than the default 90 minutes.
Again assuming that you are using an Active Directory domain, there are
tools such as PsPasswd that allow you to change the local administrator
password on domain computers from the command line using a batch file or
running the command against a file list that included fully qualified domain
names of the domain computers. Other tools such as PsShutdown can remotely
force users to log off or reboot the computer to force a new password to be
used. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;320045
http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
http://www.sysinternals.com/ntw2k/freeware/psshutdown.shtml

"John John" <audetweld@nbnet.nb.ca> wrote in message
news:uDMh8d7GFHA.2752@TK2MSFTNGP12.phx.gbl...
> Use Server 2003 with AD and the Knoppix kiddies will be lost. There will
> be no SAM to hack at the WORKSTATIONS in class. Does that make sense? Or
> am I right off the rails?
>
> John
>
> megascout29 wrote:
>
>> I work at a school where students have been booting off Linux CDs and
>> deleting the SAM and booting off NT password reset floppies to delete the
>> admin password.
>>
>> For reasons beyond my control we have to give the students the ability to
>> boot off of floppies and CDs. My question is how can we stop this from
>> happening?
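
An added example, not part of the original thread: a PowerShell audit to run elevated on a domain workstation to confirm that the settings described in the reply above actually took effect (cached logons disabled, short policy refresh, security policy reprocessed when unchanged, Administrators group limited). It assumes Windows PowerShell 5.1 for Get-LocalGroupMember, and the allowed-member list (built-in Administrator, RID 500, and Domain Admins, RID 512) is an assumption taken from the reply's recommendation.

```powershell
# Added example, not from the original post. Run elevated on a domain workstation.
# Expected values follow the reply: no cached logons, ~5 minute refresh,
# security policy reprocessed even when unchanged, tight Administrators group.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# 1. Cached domain logons. Stored as a string; '0' disables them.
$cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
if ($cached -ne '0') {
    $findings += "CachedLogonsCount is '$cached' (want '0'): logon with cached credentials still works"
}

# 2. Computer Group Policy refresh interval in minutes (90 when not configured).
$refresh = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'GroupPolicyRefreshTime'
if ($null -eq $refresh -or $refresh -gt 5) {
    $findings += "GroupPolicyRefreshTime is '$refresh' (want 5 or less)"
}

# 3. Security policy processing: 0 = process even if the GPOs have not changed.
$secCse = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$noChanges = Get-RegValue $secCse 'NoGPOListChanges'
if ($noChanges -ne 0) {
    $findings += "NoGPOListChanges is '$noChanges' (want 0): security settings are not re-applied at every refresh"
}

# 4. Local Administrators (S-1-5-32-544). Matching on RID survives renamed accounts.
$allowedRids = '500', '512'
foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $rid = $m.SID.Value.Split('-')[-1]
    if ($allowedRids -notcontains $rid) {
        $findings += "Unexpected Administrators member: $($m.Name) [$($m.SID.Value)]"
    }
}

if ($findings.Count -eq 0) { 'OK: all checks passed' } else { $findings }
```

A value reported as empty means the policy is not configured on that machine, so the Windows default applies.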


