Resetting local administrator password

[Gabe G]

There appears to be a way, using the net user <administrator account name> *
command via command prompt, to reset the local administrator password. While
I can block access to My Computer>Manage and Start>Run>cmd, there are still
ways for a user to get to a command prompt....

Also, doesn't it seem like a big security hole that you're allowed to reset
a local admin password without having local admin rights to that box? I
didn't think that was true, but I just logged on to a machine with a regular
domain account (that doesn't have local admin rights to the box) and was able
to reset the local admin password via My Computer>Manager and command prompt.


Anyone have any suggestions to further lock down a box to prevent this from
happening?

 

[Thee Chicago Wolf (MVP)]

command via command prompt, to reset the local administrator password. While
I can block access to My Computer>Manage and Start>Run>cmd, there are still
ways for a user to get to a command prompt....

Also, doesn't it seem like a big security hole that you're allowed to reset
a local admin password without having local admin rights to that box? I
didn't think that was true, but I just logged on to a machine with a regular
domain account (that doesn't have local admin rights to the box) and was able
to reset the local admin password via My Computer>Manager and command prompt.

Anyone have any suggestions to further lock down a box to prevent this from
happening?

The Domain Account could have rights to change a local admin password.
Domain accounts usually trump local accounts. If you want, you could
disable NTFS execute permissions on command.com and cmd.exe so no DOS
access is allowed or only for the local admin and system. That could
possibly bung-up some logon scripts unless the system account is
parsing and processing them.

Or, using group policies, go to User Configuration\Administrative
Templates\System\Prevent Access To The Command Prompt = Enabled

- Thee Chicago Wolf (MVP)

 

[Gabe G]

The Domain Account could have rights to change a local admin password.
Domain accounts usually trump local accounts. If you want, you could
disable NTFS execute permissions on command.com and cmd.exe so no DOS
access is allowed or only for the local admin and system. That could
possibly bung-up some logon scripts unless the system account is
parsing and processing them.

How would I go about disabling NTFS execute permissions on command.com and
cmd.exe? Would I go to that file in Windows, rt-click>Security and lock it
down there? Not sure how to accomplish this one...

Or, using group policies, go to User Configuration\Administrative
Templates\System\Prevent Access To The Command Prompt = Enabled

- Thee Chicago Wolf (MVP)

Would this also prevent someone from creating a notepad doc with "cmd" and
saving the doc as a .bat file and having them run it to get to a command
prompt?

 

[Thee Chicago Wolf (MVP)]

How would I go about disabling NTFS execute permissions on command.com and

cmd.exe? Would I go to that file in Windows, rt-click>Security and lock it
down there? Not sure how to accomplish this one...

Yes, that's right. You would actually set deny permissions for Users
and Guests.

Would this also prevent someone from creating a notepad doc with "cmd" and
saving the doc as a .bat file and having them run it to get to a command
prompt?

The only way to know is to test it.

- Thee Chicago Wolf (MVP)

 

[Kelly]

See line 302: http://www.kellys-korner-xp.com/xp_tweaks.htm

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

 

[Kelly]

Test it for him, Wolf.

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

 

[Thee Chicago Wolf (MVP)]

Test it for him, Wolf.

Wipe his butt for him too?

- Thee Chicago Wolf (MVP)

 

[Kelly]

Nope.

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm