Re: Impact of Disabling the Local Administrator Account
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- Date: Fri, 7 Sep 2007 12:44:09 +0200
Hello,
For security reasons, you may reduce the cached logon count to 1, which may break your back door domain account.
It sounds very bad to me to do so; it's possible to break this account using the hash in cache, with rainbow tables + brute force (new rainbow tables are appearing for cached credentials with many login names).
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message news:O$PnRJO8HHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
1) Good point about booting from a CD or in safe mode. I had not thought of that, but it seems obvious in retrospect.
2) We do the vast majority of our software installations using Novell ZENworks. I'm not sure what protocols it uses. We are moving more into group policies, so there is a possibility of rolling out software that way in the future.
3) We use our domain administrator accounts to add and remove machines from the domain. As for the local login, we are considering having a special domain account that will have administrator rights on all our machines, and should be able to login with cached credentials when offline. At least, that's the plan (We're having a meeting tomorrow to discuss the idea).
Right now, we really don't have any good reason to disable the local Administrator account. I was just asking about it in order to gather information on the pros and cons. Our current plan is to rename the local Administrator account, randomize the password on each machine, and disable the LAN Man hash in group policy. I was just thinking that we might bypass all that and simply disable the account altogether. But for the time being we'll probably just stick with our original plan.
--Tom
"Mathieu CHATEAU" <gollum123@xxxxxxx> wrote in message news:e3x1W2K8HHA.2476@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
1) Yes, but that may be worked around by booting from a CD or in safe mode if you know the password.
2) Is it SMS? It's using a domain admin account or even local system.
3) If the computer needs to be taken out of the domain and then put back, you will need this account.
You may have to give it to laptop users to install software while out of the office (depends on your security rules).
The key is, apart from finding this GPO, do you have reasons for doing it?
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message news:ex5y%23uK8HHA.5424@xxxxxxxxxxxxxxxxxxxxxxx
XP SP2
I'm really new to group policies and I have just noticed that the "Administrator account status" policy appears to allow for the disabling of the local Administrator account. I have three questions about this.
1) Am I correct that this policy allows the local Administrator account to be disabled?
2) In our environment we do a lot of automated software distributions, many of which are for software packages that require administrator rights during the installation process. Our software distribution process runs with administrator rights. Would disabling the local Administrator account prevent some of our software distributions from running on desktop machines?
3) What problems or issues should we expect if we disable the local Administrator account?
Thanks for any help that you can offer.
--Tom
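
An added example, not part of the original thread: a PowerShell check that reports, for the local machine, the settings discussed above (built-in Administrator renamed or disabled, LM hash storage, cached logon count). It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, which is newer than the XP SP2 systems in the thread, and an English default account name; the function name is hypothetical.

```powershell
# Added example, not from the thread. Function name is hypothetical.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser, Microsoft.PowerShell.LocalAccounts).
function Get-LocalAdminHardeningState {
    [CmdletBinding()]
    param()

    # The built-in Administrator keeps RID 500 even after it is renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

    # NoLMHash = 1: LM hashes are no longer stored at the next password change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'NoLMHash' -ErrorAction SilentlyContinue

    # CachedLogonsCount is a string value; Windows uses 10 when it is absent.
    $winlogon = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $cached = if ($winlogon) { [int]$winlogon.CachedLogonsCount } else { 10 }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AdminAccountName  = $admin.Name
        # Assumes the English default name; localized builds use another default.
        AdminRenamed      = $admin.Name -ne 'Administrator'
        AdminEnabled      = $admin.Enabled
        # Per-machine password randomization cannot be verified locally;
        # the last-set time at least shows whether it was ever rotated.
        AdminPasswordSet  = $admin.PasswordLastSet
        LMHashStorageOff  = [bool]($lsa -and $lsa.NoLMHash -eq 1)
        CachedLogonsCount = $cached
    }
}

$state = Get-LocalAdminHardeningState
$state | Format-List

# Flag deviations from the plan described in the thread.
if ($state.AdminEnabled -and -not $state.AdminRenamed) {
    Write-Warning 'Built-in Administrator is enabled and still has its default name.'
}
if (-not $state.LMHashStorageOff) {
    Write-Warning 'NoLMHash is not set to 1; LM hashes may still be stored.'
}
if ($state.CachedLogonsCount -le 1) {
    Write-Warning 'Cached logon count is 0 or 1; a shared domain admin account may not be able to log on offline.'
}
```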