Please help : Administrator password consistency ????

Archived from groups: microsoft.public.win2000.security

Dear all,

Actually we are setting up some standard office workstations with Windows
2000 Pro.
We have set up different user profiles there with appropriate rights.
We keep the Administrator password for our IT team.

As you may know, there exists some software (a single boot floppy) that can reset
the administrator password, and then final users will have access to
everything and our IT team starts to police non-stable systems due to
some system settings changes.

Is there a way to prevent the administrator password from being discovered?

Thanks for your help
regards

Serge
  1. Archived from groups: microsoft.public.win2000.security

    Hi

    prevent booting from the floppy from the BIOS and remember to
    password-protect the BIOS.

    cheers,

    --
    Marco [ www.neovalens.com ]
    --

  2. Archived from groups: microsoft.public.win2000.security

    In the computer's CMOS settings, which are available during the boot sequence, usually by
    holding down Delete or such, configure the computer to boot only from the hard drive.
    Then password protect the CMOS settings. Users may still be able to reset the
    password by removing the cover of the computer and unplugging the battery or using a
    jumper to reset CMOS settings to default, so try to use cases that lock access to the
    inside of the computer. If you are in a domain you can use the Group Policy computer
    configuration "restricted groups" feature at the Organizational Unit level to enforce
    domain computers' local group membership for computers in that OU. --- Steve


  3. Archived from groups: microsoft.public.win2000.security

    Yes, this could be a solution, but the problem is that my end user should be
    able to boot from floppy without any restriction, especially when it is needed
    to recover a damaged system or handle a backup procedure using Ghost, for
    instance.

    Any other idea?

  4. Archived from groups: microsoft.public.win2000.security

    As in the previous post, preventing floppy boot from the BIOS could be a way, but we have
    some backup and restore procedures which need to boot from floppy.
    But anyway, of the software which resets the administrative password, some use a
    boot floppy but some others a simple boot CD. So if we use BIOS locking, that
    is a bit annoying for handling Ghost backup and restore procedures...

    I was thinking of a solution, inside group policy or local security, or some
    scripting stuff which could force back proper user rights.

    Could it be possible ?

    regards
    serge

  5. Archived from groups: microsoft.public.win2000.security

    There is no Group Policy able to do such. Group Policy only works within the
    operating system. Someone booting from a floppy or cdrom would be working "outside"
    of the operating system. Enabling restrictions to boot media or having a computer
    case that locks access to the computer floppy/cdrom drives is the only way to offer
    some protection against such an attack. If you password protect CMOS settings, an
    authorized user who needs access to change the CMOS settings to boot from a floppy
    or cdrom could do so and then change settings back when done. About your comment
    about users having access to everything - realize that applies only to that computer
    and not the domain unless they have access to domain controllers which must be
    physically secured to some degree as should servers even if it means just a sturdy
    case that locks access to the inside and drives but ideally would be in a locked room
    or cage. --- Steve


  6. Archived from groups: microsoft.public.win2000.security

    This is not a problem. Configure the BIOS to require a password, and make
    sure anyone who needs to boot from floppy knows the password. Since you are
    enabling your users to do administrative tasks like backup and software
    installation, you really can't very well expect to password protect the
    systems from those users.

    You can also use SYSKEY to require either a syskey password or a syskey
    floppy disk at bootup. The best solution might be using software that can
    encrypt the entire hard drive and require a password.

    If these things cause a little more work for you and your users, that's
    because increased security usually means decreased functionality and/or a
    little more effort. Extra security is usually a bit annoying.

    Note that many of those password reset utilities don't actually learn the
    admin password, they just blank it out. You could use a variety of methods
    to detect when the local administrator password has been changed.

    You could also use Windows XP with EFS encryption, or use EFS encryption
    with workstations joined to the Windows domain. Resetting the Admin
    password shouldn't allow access to EFS encrypted files if EFS is properly
    configured.

    If you're going to lock down the workstations to prevent users from making
    administrative changes, it's also probably a good idea to have a publicized
    policy where people are reprimanded or lose privileges if they are found
    doing such things.

    Note also that none of these procedures would probably prevent someone from
    gaining admin access by local privilege escalation or a local or remote
    buffer overflow sort of attack.

    It's generally accepted that it's difficult if not impossible to prevent
    someone with physical access to your computer from totally owning it.

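Added example, not part of any post in the thread: one way to script the checks raised in replies 4 and 6 (restoring proper rights, noticing a changed local administrator password). It assumes a current Windows release with PowerShell 5.1 or later rather than Windows 2000; `$BaselinePath` and `$AllowedAdmins` are hypothetical values.

```powershell
# Added example: audit the local Administrators group and the built-in
# Administrator account against a saved baseline. Run elevated.
# $BaselinePath and $AllowedAdmins are hypothetical values for this example.
param(
    [string]$BaselinePath = 'C:\ProgramData\AdminAudit\baseline.json',
    [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Domain Admins')
)

# The built-in Administrator keeps RID 500 even if it has been renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# S-1-5-32-544 is the well-known SID of the local Administrators group.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name } | Sort-Object)

# Store the timestamp as a number so the JSON round trip cannot reformat it.
$stamp = if ($admin.PasswordLastSet) { $admin.PasswordLastSet.ToFileTimeUtc() } else { 0 }
$current = [pscustomobject]@{ PasswordLastSet = $stamp; Members = $members }

$findings = @()
foreach ($m in $members) {
    if ($m -notin $AllowedAdmins) {
        $findings += "Unexpected member of Administrators: $m"
    }
}

if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    # An offline edit of the SAM need not update this timestamp, so an
    # unchanged value is inconclusive; a changed one is worth investigating.
    if ([long]$baseline.PasswordLastSet -ne $current.PasswordLastSet) {
        $findings += 'Administrator PasswordLastSet differs from baseline'
    }
} else {
    # First run: record the baseline. Assumption: in practice keep it
    # somewhere a local administrator on this machine cannot rewrite it.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
}

if ($findings.Count -gt 0) {
    $findings | Write-Warning
    exit 1
}
'Local administrator audit: no findings'
```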