RE: Restricting the change of the local administrator account password.
From: Wolf, Glenn (glenn.wolf@we-inc.com)
Date: Wed May 05 2004 - 12:09:27 CDT
By the way, a user with no Administrative privileges (but who has physical
access to the machine) can change the local Administrator password anyway
through a nifty little Linux-based boot disk:
http://home.eunet.no/~pnordahl/ntpasswd/
It boots up, and among other things, allows the user to reset any local user
password (including Administrator or renamed Administrator).
Glenn
-----Original Message-----
From: marco2 [mailto:marco2@neovalens.com]
Sent: Wednesday, May 05, 2004 8:04 AM
To: ddraiggoch@coldyne.com; focus-ms@securityfocus.com
Subject: RE: Restricting the change of the local administrator account password.
Hi Jason
A user with Administrative privileges has full control of all local
users and groups -- and there is nothing you can do. Longhorn *may* help
as it will introduce the "Protected Administrator" which, when enabled,
will allow you to have pseudo-administrators, and full administrative
privileges only for applications you have blessed (by means of signed
deployment manifest).
Applications which have not been explicitly authorized will run with a
restricted token, and that token will be used to prevent a number of
actions such as writing the Program Files tree, writing to the
HKEY_LOCAL_MACHINE and so on.
I do not have the full list (but I'd love to see it!) and hence I don't
know whether changing passwords locally is in or not.
Keith Brown published an interesting article on the subject:
http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlo
ng/html/leastprivlh.asp
The only solution I know of is not to grant administrative privileges in
the first place.
For those interested, our company has developed something very similar
to the Protected Administrator for Windows 2000/XP/2003 which allows you
to run only selected applications under elevated privileges under the
un-privileged user account (we change the privs of the user on the fly).
The reason I mention our solution is because next Monday we will release
a "free for home use" version valid for up to five computers.
You can already grab it now from www.neovalens.com, the free license
will follow. Just mention FREE in the organization field.
Cheers,
Marco
-----Original Message-----
From: ddraiggoch@coldyne.com [mailto:ddraiggoch@coldyne.com]
Sent: Wednesday, May 05, 2004 4:34 PM
To: focus-ms@securityfocus.com
Subject: Restricting the change of the local administrator account password.
Hi All,
I've come across quite an interesting problem, currently I have an
environment split into categories such as application management, OS
management etc on the Windows 2000 and 2003 platforms. On the
application side we get requests from application administrators to get
full administrative rights on the system which is accepted on domain
accounts.
However, should this user decide to change the local administrator
account under Windows then there is nothing to restrict them doing so as
I can see. This in essence causes an issue where the OS team builds the
system with a renamed admin account, and a specific password. This isn't
disabled as it is relied on should the domain become unavailable and
access is still required.
So my question to you all is as follows, how do I restrict the ability
to change the local administrator password, even at the level of a
domain account specified as administrator in the local group. Is there a
setting in Windows that can be turned on so that without knowing what
the password is the change cannot be made unless you type in the old
password, new password, and its confirmation?
Regards
Jason.
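The thread's conclusion is that a local administrator cannot be prevented from resetting the built-in Administrator password, so the practical control is to audit for it. The script below is an added example, not code from any poster or from the Neovalens product: it locates the built-in Administrator by its well-known RID (500) rather than by the renamed account name, checks that "User Account Management" auditing is enabled, and reports every Security event 4724 ("An attempt was made to reset an account's password") that targeted that account. It assumes Windows PowerShell 5.1 or later on Windows Vista/Server 2008 or newer (the Get-LocalUser cmdlet and the 4724 event ID do not exist on the Windows 2000/2003 systems in the thread), an elevated session, and a constructed default lookback of seven days.

```powershell
# Added example: who reset the built-in Administrator's password?
# Assumes PowerShell 5.1+, Windows Vista/2008 or later, run elevated.
param(
    [int]$Days = 7   # constructed default lookback window
)

# 1. Find the built-in Administrator by RID 500. Renaming the account
#    (as the OS team in the thread does) changes the name, never the RID.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) {
    throw 'No RID-500 local account found (domain controllers have no local SAM users).'
}
Write-Host "Built-in Administrator is currently named '$($builtinAdmin.Name)'"

# 2. Event 4724 is only written when this audit subcategory is on for Success.
$audit = auditpol /get /subcategory:"User Account Management" 2>$null
if (-not ($audit -match 'Success')) {
    Write-Warning 'User Account Management auditing is off; password resets will not be logged.'
}

# 3. Collect password-reset events in the window and keep those aimed at RID 500.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the EventData fields by name from the event XML rather than by position.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Match on TargetSid so a rename after the event cannot hide it.
    if ($d['TargetSid'] -eq $builtinAdmin.SID.Value) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            ResetBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No password resets of the RID-500 account in the last $Days days."
}
```

The script detects rather than prevents: a member of the local Administrators group can still reset the password, and can also clear the Security log, so forward these events to a collector the application administrators do not control. Matching on the SID rather than the name is what makes the check survive the renamed-Administrator build described in the original question.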