ERD bootable CD, and no security in Windows

  • Thread starter babak via WindowsKB.com

babak via WindowsKB.com

What is the meaning of security on Windows when your Administrator password
can be easily changed by the ERD CD?
Have you tested the ERD bootable CD? With this bootable CD you can boot up
your Windows and change the local administrator password very, very easily.

What can we do in our domain to prevent our users from changing their local admin
passwords and hacking the domain?

--
regards
babak fruzanfar
Microsoft Certified Professional

Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200608/1
 

Doug Knox MS-MVP

Physical access is the single weakest link in any system.

1) Publish a Corporate IT Security Policy stating specifically what is and what is not allowed. State that violation of the policy is subject to disciplinary action, up to and including termination.
2) Ensure that every employee signs a statement that they have read, understand and will comply with said policy.
3) Terminate the first one you catch. Let everyone know why.

Outside of that:

1) Set all PCs to boot from the hard disk first.
2) Set a password for BIOS setup.
3) If the PCs support it, disable the boot menu that allows the user to choose a boot device. If not, see item 3 above.
 

Karl Levinson

babak via WindowsKB.com said:
What is the meaning of security on Windows when your Administrator password
can be easily changed by the ERD CD?
Have you tested the ERD bootable CD? With this bootable CD you can boot up
your Windows and change the local administrator password very, very easily.

This is the case with pretty much every OS on the planet, not just Windows.
If you have physical access to the box, you can escalate your privileges in
any number of ways. It is challenging to secure your environment against
insiders who have accounts and physical access, but you can often focus on
detecting violations of policy and punishing them.

babak via WindowsKB.com said:
What can we do in our domain to prevent our users from changing their local
admin passwords and hacking the domain?

Well, they can't exactly hack the domain, just the local account.

You can control boot drive order in the system BIOS, and set a BIOS password.
The user can blank the BIOS password by removing the battery or changing a
jumper, but you can lock the case and/or set intrusion detection in some
BIOSes to alert you when a case is opened.

You can also run a script that tries to connect to every system across the
network using the local admin password, and alert if it encounters an access
denied error message.

You can also create a different local admin account that is always used, and
monitor for use of or changes to that account's status. Someone booting
from a CD might be most likely to go for the default admin account, which
would alert you if no one else is supposed to be using it.

You might also consider enabling Windows auditing and monitoring for logins and
use of the local administrator account.

http://securityadmin.info/faq.asp?auditing
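
The monitoring suggested in the reply above (watch the default admin account for logons and changes), as an added example that is not part of the original thread. It assumes Security log entries exported as dicts using the Vista-and-later event IDs (XP logged the equivalents as 528, 628 and 642); the function names, sample records and SID values are constructed for illustration.

```python
import re

# The built-in Administrator keeps RID 500 even after it is renamed, so
# match on the SID rather than on the account name.
RID_500 = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

# Security log event IDs (Windows Vista and later).
WATCHED = {
    4624: "logon",
    4722: "account enabled",
    4724: "password reset",
    4738: "account changed",
}

def target_sid(event):
    # Logon events carry the account in TargetUserSid; account-management
    # events (4722, 4724, 4738) carry it in TargetSid.
    return event.get("TargetUserSid") or event.get("TargetSid") or ""

def flag_builtin_admin_activity(events):
    """Return one alert per watched event that targets a RID-500 account."""
    alerts = []
    for ev in events:
        action = WATCHED.get(ev.get("EventID"))
        if action and RID_500.match(target_sid(ev)):
            alerts.append({"time": ev.get("TimeCreated"),
                           "computer": ev.get("Computer"),
                           "action": action,
                           "account": ev.get("TargetUserName")})
    return alerts

# Constructed sample records (not from the thread): Security log entries
# exported with their EventData fields flattened into one dict each.
MACHINE = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-04T08:55:02", "Computer": "PC-017",
     "TargetUserName": "jsmith", "TargetUserSid": MACHINE + "-1104"},
    # A reset done offline from boot media writes no event of its own;
    # the first trace is the logon that follows it.
    {"EventID": 4624, "TimeCreated": "2024-03-04T12:41:37", "Computer": "PC-017",
     "TargetUserName": "Administrator", "TargetUserSid": MACHINE + "-500"},
    {"EventID": 4724, "TimeCreated": "2024-03-04T12:43:10", "Computer": "PC-017",
     "TargetUserName": "Administrator", "TargetSid": MACHINE + "-500"},
    {"EventID": 4738, "TimeCreated": "2024-03-04T12:50:00", "Computer": "PC-017",
     "TargetUserName": "jsmith", "TargetSid": MACHINE + "-1104"},
]

if __name__ == "__main__":
    for a in flag_builtin_admin_activity(SAMPLE_EVENTS):
        print(f"{a['time']} {a['computer']}: {a['action']} on {a['account']}")
```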
 
