Re: Hacked Workstations

From: megascout29 (megascout29_at_discussions.microsoft.com)
Date: 03/01/05


Date: Mon, 28 Feb 2005 16:17:03 -0800

I guess the problem is that once they have changed the local admin password
then they could have put a rootkit on the machine or anything else. Changing
the password back to something secure isn't really an option because at that
point the machine is no longer trustworthy so we just reimage it.

"Steven L Umbach" wrote:

> You did not say if you are in a domain or not but here is something that may
> help, particularly if you are in a domain. You can use Group Policy to
> configure startup and shutdown scripts. These scripts run in system context.
> You could create a startup script that uses the command [ net user
> administrator newpassword ] which would assign the built in administrator a
> new password at startup to the operating system. On a non domain computer
> they may eventually catch on but for domain computers you could put the
> script in the proper sysvol folder for the policy machine configuration and
> remove users from the script permissions and add domain computers with
> read/execute permissions. That would prevent users from navigating to the
> sysvol share to read the password you put in the script. This of course
> assumes that the administrator account has not been renamed and that they
> are not resetting passwords for another user that has administrator group
> membership. FYI users may try to bypass startup scripts by pulling the
> network cable before startup so be sure to disable logging onto the domain
> with cached credentials in the appropriate security policy which can help
> reduce success of such.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;198642
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322241
>
> Also if these are domain computers you can use Restricted Groups to force
> membership in the administrators group that you specify and I suggest that
> you do this at the OU level and make sure that just domain admins is in the
> administrators group, though that will still leave the built in
> administrator account for the domain computer also. If you can do such I
> suggest that you also shorten the Group Policy refresh interval for
> computers to around five minutes and configure security policy processing to
> process even if Group Policy objects have not changed to force Restricted
> Groups to enforce group membership more often than the default 90 minutes.
> Again assuming that you are using an Active Directory domain, there are
> tools such as PsPasswd that allow you to change the local administrator
> password on domain computers from the command line using a batch file or
> running the command against a file list that included fully qualified domain
> names of the domain computers. Other tools such as PsShutdown can remotely
> force users to log off or reboot the computer to force a new password to be
> used. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;320045
> http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
> http://www.sysinternals.com/ntw2k/freeware/psshutdown.shtml
>
>
> "John John" <audetweld@nbnet.nb.ca> wrote in message
> news:uDMh8d7GFHA.2752@TK2MSFTNGP12.phx.gbl...
> > Use Server 2003 with AD and the Knoppix kiddies will be lost. There will
> > be no SAM to hack at the WORKSTATIONS in class. Does that make sense? Or
> > am I right off the rails?
> >
> > John
> >
> > megascout29 wrote:
> >
> >> I work at a school where students have been booting off Linux CDs and
> >> deleting the SAM and booting off NT password reset floppies to delete the
> >> admin password.
> >>
> >> For reasons beyond my control we have to give the students the ability to
> >> boot off of floppies and CDs. My question is how can we stop this from
> >> happening?
>
>
>
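
The Restricted Groups advice in the quoted reply can be checked from the workstation side. The following is an added example, not code from any poster in this thread: a PowerShell audit that lists members of the local Administrators group that fall outside the expected set and reports on the built-in administrator by RID, so it still works if the account has been renamed. It assumes Windows PowerShell 5.1 (the Microsoft.PowerShell.LocalAccounts module) and that the only expected members are the built-in Administrator (RID 500) and Domain Admins (RID 512); the function names are hypothetical.

```powershell
# Added example: audit local Administrators membership on a workstation.
# Assumption: expected members are only the built-in Administrator (RID 500)
# and the domain's Domain Admins group (RID 512). Adjust for your site.

function Test-ExpectedAdminSid {
    param([Parameter(Mandatory)][string]$Sid)
    # Account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
    # Note: this also accepts the domain's own RID 500 account.
    return $Sid -match '^S-1-5-21-\d+-\d+-\d+-(500|512)$'
}

function Get-UnexpectedLocalAdmin {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup does not depend on the group's display name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { -not (Test-ExpectedAdminSid -Sid $_.SID.Value) } |
        Select-Object Name, ObjectClass, PrincipalSource,
            @{ Name = 'Sid'; Expression = { $_.SID.Value } }
}

function Get-BuiltinAdministrator {
    # Find the built-in account by RID 500 rather than by the name
    # "Administrator", which covers the renamed-account case.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
        Select-Object Name, Enabled, PasswordLastSet,
            @{ Name = 'Sid'; Expression = { $_.SID.Value } }
}

# Report the built-in administrator's current name and state.
Get-BuiltinAdministrator | Format-List

# Flag any member that Restricted Groups should have removed.
$unexpected = @(Get-UnexpectedLocalAdmin)
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table -AutoSize | Out-String | Write-Warning
    exit 1
}
Write-Output 'Local Administrators membership matches the expected set.'
```

Run as a startup script or scheduled task, the non-zero exit code gives a simple signal that a machine's Administrators group has drifted from policy.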


