Re: Locked out of SBS 03
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 05/26/04
- Next message: root: "Re: TrandMicro Antivirus installtion on remote clients?"
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Exchange Intelligent Message Filter on SBS2003?"
- In reply to: Jeff L: "Re: Locked out of SBS 03"
- Next in thread: Jeff L: "Re: Locked out of SBS 03"
- Reply: Jeff L: "Re: Locked out of SBS 03"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 25 May 2004 17:18:15 -0700
But that's it.... we can do it BECAUSE we have physical access. We
can't do it remotely.
You cannot on any server/workstation as long as you have physical access.
THAT is the key. Restrict access. THAT is the cut off.
Law number 3. Can't remove law number 3.
Like I said, you are getting tripped up in thinking it's an issue. It's
not. Basic security means you restrict access. I have a keylock on my
floppy drive to my server.
The Ten Immutable Laws of Security
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp
Law #1: If a bad guy can persuade you to run his program on your
computer, its not your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer,
its not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your
computer, its not your computer anymore.
Law #4: If you allow a bad guy to upload programs to your web site,
its not your web site any more.
Law #5: Weak passwords trump strong security.
Law #6: A machine is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as the decryption key.
Law #8: An out of date virus scanner is only marginally better than no
virus scanner at all.
Law #9: Absolute anonymity isn't practical, in real life or on the web.
Law #10: Technology is not a panacea.
Jeff L wrote:
> Mike,
>
> I am glad you know how to jumper the bios as well. Still looking for some
> advice that would stop this functionality for admin password reset. I don't
> need advice on physical security. Never once said it was an issue.
>
> Physical security can be compromised. The admin password reset is a huge
> hole. There has to be a way to wrap a .dll or something so that this can be
> cut off.
>
> Here is the question: How do you cut off access to Admin Password Reset
> tools?
> Maybe I should repost it.
>
> Regards,
> Jeff Loucks
> Available Technology ®
> Solutions For Professionals ®
> www.availabletechnology.com
>
>
> "Mike R" <research@rollesolutions.com> wrote in message
> news:OmqKS9mQEHA.3300@TK2MSFTNGP09.phx.gbl...
>
>>Hey Jeff,
>>
>>I don't think you could do it if you wanted to (remove access to admin
>
> pass
>
>>reset). The tools that I use are created for people that have a real
>>problem, they have inadvertently locked themselves out of their server.
>
> You
>
>>use it by starting setup (for whatever OS it is) and hitting F6 when it
>
> asks
>
>>if you need to load additional drivers. Once that is done it pops right
>
> into
>
>>a screen that allows the administrator password to be reset.
>>As many have already mentioned, you shouldn't have to worry about this if
>>physical access is not possible by anyone other than yourself and those
>
> you
>
>>trust (and have a reason to have access).
>>Your bios password does absolutely nothing for you as it can be reset in a
>>matter of seconds by simply swapping a jumper on the motherboard for a few
>>seconds.
>>Best of luck to you...
>>
>>
>>"Jeff L" <newsgroupsremoveandunderscore_jeff@availabletech.net> wrote in
>>message news:%23g0u4bmQEHA.2572@TK2MSFTNGP12.phx.gbl...
>>
>>>Thanks Susan,
>>>
>>>I am on top of the physical security issue but my question was not about
>>>physical security. I am aware of removing drives and gaining access to
>
> the
>
>>>data. We can and have protected against that.
>>>
>>>We have also changed the bios to password protected and removed the
>>>removable media drives from the boot order.
>>>
>>>I could get past all of that so how do I remove access to admin password
>>>reset? Anyone know how to do that?
>>>
>>>Feel free to contact me directly if you do not want to post it.
>>>
>>>Regards,
>>>Jeff Loucks
>>> Available Technology ®
>>> Solutions For Professionals ®
>>> www.availabletechnology.com
>>>
>>>
>>>"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
>>>wrote in message news:##kXjNmQEHA.568@TK2MSFTNGP12.phx.gbl...
>>>
>>>>Any operating system is vulnerable to physical access. Microsoft
>
> didn't
>
>>>>put it there. I can do likewise with any operating system. If I can
>>>>physically remove a harddrive and the data is not encrypted, I can get
>>>>to that data. Simple as that. If I have access to that drive, it's
>>
>>mine.
>>
>>>>Put a lock on the door of the computer room.
>>>>A lock on the floppy drive.
>>>>
>>>>This isn't a trick. When WinXP could be "hacked" by using a Win2k
>
> cdrom
>
>>>>and booting from that and oh horrors you could reset the admin
>
> password
>
>>>>in that manner, the security community went... ho hum... yeah? So?
>
> Call
>
>>>>me with a real security issue. One that can be hacked remotely.
>>>>
>>>>Physical security dude. Basic rules of security is restrict physical
>>>>access.
>>>>
>>>>Jeff L wrote:
>>>>
>>>>>I would prefer to see that backdoor closed.
>>>>>
>>>>>I used to have a tech that worked for me that knew all those tricks,
>
> I
>
>>>had
>>>
>>>>>forgotten about them. My bad... I would prefer there not be a
>
> backdoor
>
>>>and
>>>
>>>>>those who make mistakes have to do more work then those who plan.
>>>>>
>>>>>I agree with the physical security thing but I don't like Microsoft
>>>
>>>leaving
>>>
>>>>>a backdoor open.
>>>>>
>>>>>Anyone know how this works, what the source of the change is? Is
>
> there
>
>>a
>>
>>>way
>>>
>>>>>to protect against it?
>>>>>
>>>>>Thanks,
>>>>>Jeff
>>>>>
>>>>>"Jeff L" <newsgroupsremoveandunderscore_jeff@availabletech.net>
>
> wrote
>
>>in
>>
>>>>>message news:#hSTysdQEHA.2452@TK2MSFTNGP11.phx.gbl...
>>>>>
>>>>>
>>>>>>I am very unhappy to see that!
>>>>>>
>>>>>>How do I protect against this type of hack!
>>>>>>
>>>>>>"Mike R" <research@rollesolutions.com> wrote in message
>>>>>>news:O#uEMWdQEHA.3744@TK2MSFTNGP10.phx.gbl...
>>>>>>
>>>>>>
>>>>>>>go to www.lostpassword.com and get passware kit. It's expensive but
>>>>>
>>>>>allows
>>>>>
>>>>>
>>>>>>>you to reset the admin password. Keep it in a safe place so other
>>
>>users
>>
>>>>>>>can't get to it.
>>>>>>>
>>>>>>>
>>>>>>>"John L" <anonymous@discussions.microsoft.com> wrote in message
>>>>>>>news:A1BD6AFB-4189-494E-8B28-CA7F24CA0ABF@microsoft.com...
>>>>>>>
>>>>>>>
>>>>>>>>I got a new SBS 2003 server, while doing the intial setup I set a
>>>>>
>>>>>Admin
>>>>>
>>>>>
>>>>>>>password, setup my TCP/ip and restarted. After restarting the
>
> server,
>
>>>it
>>>
>>>>>>is
>>>>>>
>>>>>>
>>>>>>>not taking the Admin password and is not letting me in. Is there
>
> any
>
>>>way
>>>
>>>>>I
>>>>>
>>>>>
>>>>>>>can reset the password or get in?
>>>>>>>
>>>>>>>
>>>>>>>>I have tried all my domain admin accounts and the administrator
>>>>>
>>>>>account
>>>>>
>>>>>
>>>>>>>itself, but its just not letting me in.
>>>>>>>
>>>>>>>
>>>>>>>>Please Help.
>>>>>>>>John L
>>>>>>>
>>>>>>>
>>>>>
>>>>--
>>>>http://www.sbslinks.com/really.htm
>>>
>>>
>>
>
>
-- http://www.sbslinks.com/really.htm
- Next message: root: "Re: TrandMicro Antivirus installtion on remote clients?"
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Exchange Intelligent Message Filter on SBS2003?"
- In reply to: Jeff L: "Re: Locked out of SBS 03"
- Next in thread: Jeff L: "Re: Locked out of SBS 03"
- Reply: Jeff L: "Re: Locked out of SBS 03"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
