Re: Logon with disabled admin account possible!

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/26/04

    Date: Mon, 26 Jul 2004 07:10:57 -0700
    
    

    Whether this is a security hole or not has been a matter of
    discussion, and this behavior is something that has been changed
    over time between versions. With W2k and earlier it was not
    possible to disable the built-in admin account - you could rename
    it and restrict it to local (not network type) console login.
    With XP and later (i.e. W2k3) it became possible to disable the
    built-in admin account - in which case it only remains available
    in recovery/safe mode boots.

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    news:utpM5BxcEHA.1356@TK2MSFTNGP09.phx.gbl...
    > We have a network with Windows Server 2003 active directory with two DC's:
    > One is Windows 2000 Server SP4, the other is Windows 2003 Server. Each
    > system has all windows security updates applied.
    >
    > The customer has discovered that he is able to log on locally or over a
    > terminal session with the disabled admin account, and we are able to
    > reproduce this behaviour every time!!!
    >
    > - This works only on the Windows 2000 DC, logon to the Windows 2003 DC is
    > not possible as it should.
    > - There are no errors on both DC in the DNS and Directory Service event
    > logs. replmon.exe shows successful replication on all AD partitions.
    > - On the Windows 2000 DC in the application eventlog, there are 4 1015
    > Perflib error messages and one Userenv 1000 Message "Windows cannot
    > determine the user or computer name. Return value (1317). " After logging on
    > to the Windows 2000 DC. Logging on with the disabled AD administrator
    > account takes a long time, but it works!
    >
    > never thought that there are such security holes still open
    >
    >
    > Thanks in advance for any advice
    > Franz
    >
    >
    
