RE: Why should we disable local administrator accounts?
- From: v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]")
- Date: Fri, 11 Nov 2005 05:44:26 GMT
Hello Jim,
Thank you for posting to the SBS Newsgroup.
I understand that you have concerns about disabling the local Administrator
account on client workstations in an SBS domain. If I have misunderstood your
concern, please let me know.
Yes, you are right. You can gain the local administrator account password
from the local SAM. However, with this method, the evil user needs to
physically touch the computer, and we cannot prevent them from doing so.
The document "Adding and Securing a Computer Running Windows XP
Professional by Using Windows Small Business Server 2003" excludes the
scenario in which a user can physically touch a computer. Our method is from
a software-layer point of view. You can disable floppy and CD/DVD drives,
set a BIOS password, make the hard disk the boot device in the BIOS, and use
other methods to secure your computer. However, we cannot 100% promise there
is a definite method to secure your computer when an evil user physically
touches the computer. He can open the computer, unplug the BIOS, plug it back
in after a while, and the BIOS password will be reset, so he can still
access the computer. So the evil user can do anything if he can physically
touch the computer.
Also, the local administrator account is disabled, so the evil user still
cannot log on as the local administrator.
From our point of view, we can use ISA Server or a hardware firewall to prevent
attacks. For more detailed information on how to secure your SBS network,
please see:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?FamilyID=f62b2722-267c-4642-b287-c31115ef10a4&DisplayLang=en
If you have any further questions or concerns, please feel free to let me
know. I am looking forward to hearing from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Jim Staunton" <sbsbofh@xxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Why should we disable local administrator accounts?
>Lines: 33
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>Message-ID: <mHKcf.262434$Vm6.206992@xxxxxxxxxxxxxxxxxxxxxx>
>X-Complaints-To: abuse@xxxxxxxxxxxx
>Organization: EasyNews, UseNet made Easy!
>X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
>Date: Thu, 10 Nov 2005 16:37:38 GMT
>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!newshub.sdsu.edu!newsfeed.news2me.com!newsfeed2.easynews.com!easynews.com!easynews!easynews-local!fe06.news.easynews.com.POSTED!not-for-mail
>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:220948
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>I don't really understand the advice in
>http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsXP/xp2sbs.mspx
>in which they suggest that you disable the local administrator account on
>client PCs.
>
>In terms of increased security, what, exactly, does this achieve?
>
>Even if the local administrator account is disabled, surely the
>password hash is still present in the local SAM, and so an evil user could
>still reboot her client PC with a Linux live CD, dump the hash from the
>local SAM, run it through a rainbow table and crack the password?
>
>I would have thought that password reset programs such as
>http://home.eunet.no/~pnordahl/ntpasswd/ ought to be capable of re-enabling a
>disabled administrator account anyway, in which case the evil user can reset
>the local admin password anyway.
>
>Isn't it far more important to use a unique password for each local
>Administrator account which has nothing to do with the domain
>administrator's password? At least if your local admin passwords are
>different from the domain admin password, then the evil user only gains
>control of her PC, not of the entire domain.
>
>Jim
>
>PS I can also imagine that network admin types would be hampered by the lack
>of a local admin account if there are network problems on a client PC. I
>often end up logging on as a local admin if I need to install extra
>software - far better to do it as a local admin than as a domain admin and
>leave your domain admin password hash cached on a client PC where anyone can
>get at it!
>
>
>
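The thread above raises three defensive controls for a domain-joined workstation: disable the built-in local Administrator account (the reply), give each machine a unique local admin password so a cracked hash does not carry over to other hosts (Jim's question), and limit how many domain credentials are cached on the client (Jim's postscript). The following PowerShell script is an added example, not code from either poster or from Microsoft; it audits and optionally hardens those settings. It assumes Windows 10 / Windows Server 2016 or later (the Microsoft.PowerShell.LocalAccounts cmdlets), an elevated session on the workstation itself, and the function and parameter names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the newsgroup thread). Assumes Windows 10 /
# Server 2016+ with Get-LocalUser, Set-LocalUser and Disable-LocalUser, run
# elevated on the workstation being audited. Function names are hypothetical.

function Get-BuiltinAdministrator {
    # Locate the built-in Administrator by its well-known RID (500) rather
    # than by name, since the account may have been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function New-RandomPassword {
    param([int]$Length = 24)
    # Printable ASCII 0x21..0x7E (94 symbols) from a CSPRNG. Rejection sampling
    # keeps the byte-to-symbol mapping unbiased: 256 = 2*94 + 68, so bytes
    # >= 188 are discarded instead of being folded with a modulo.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 188) { [void]$sb.Append([char](33 + ($buf[0] % 94))) }
    }
    $sb.ToString()
}

function Get-CachedLogonCount {
    # CachedLogonsCount is the number of domain logons Windows keeps cached for
    # offline sign-in; every cached entry is a hashed credential on the host.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { 10 } else { [int]$v }   # 10 is the Windows default
}

function Invoke-LocalAdminAudit {
    param(
        [switch]$SetUniquePassword,   # rotate to a per-machine random password
        [switch]$DisableAccount       # disable the built-in account afterwards
    )
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

    $report = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        AdminAccountName = $admin.Name
        WasEnabled       = $admin.Enabled
        PasswordLastSet  = $admin.PasswordLastSet
        CachedLogons     = Get-CachedLogonCount
        Actions          = @()
    }

    if ($SetUniquePassword) {
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        $admin | Set-LocalUser -Password $secure
        # Hand the new password to your vault or LAPS; do not leave it on the host.
        $report.NewPassword = $plain
        $report.Actions += 'PasswordRotated'
    }

    if ($DisableAccount -and $admin.Enabled) {
        $admin | Disable-LocalUser
        $report.Actions += 'Disabled'
    }

    [pscustomobject]$report
}

# Usage (elevated):
#   Invoke-LocalAdminAudit                                    # report only
#   Invoke-LocalAdminAudit -SetUniquePassword -DisableAccount # harden
```

Rotating the password before disabling the account addresses Jim's concern directly: even if the account is later re-enabled from a boot disk, the recovered hash is for a password that exists on no other machine. A `CachedLogons` value above zero in the report is the signal for the postscript's concern; how far to reduce it depends on whether laptops need offline sign-in.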