Viewing and password protecting the default Windows XP Administrat

[dareys]

Greetings,

I am working on a Windows XP Professional SP2 box. In the past, I discovered
that under XP, if you configure a secondary account with administrator
privileges and password protect it, you will stop seeing the default
administrator account.

Unfortanetely, it is still there, without a password, and anyone knowing the
keystrokes to boot in safe mode can log in an hack the machine. Hence, I am
trying to find and password protect the default administrator to protect the
box.

I hope it is not too late. Any advice will be welcome. The only additional
note I have is that last time I saw this problem was witht MS Windows XP SP2
Home edition.
This is windows XP SP2 Professional edition.

Thank you.

Jean-Pierre

 

[Pegasus [MVP]]

Greetings,

I am working on a Windows XP Professional SP2 box. In the past, I
discovered
that under XP, if you configure a secondary account with administrator
privileges and password protect it, you will stop seeing the default
administrator account.

Unfortanetely, it is still there, without a password, and anyone knowing
the
keystrokes to boot in safe mode can log in an hack the machine. Hence, I
am
trying to find and password protect the default administrator to protect
the
box.

I hope it is not too late. Any advice will be welcome. The only additional
note I have is that last time I saw this problem was witht MS Windows XP
SP2
Home edition.
This is windows XP SP2 Professional edition.

Thank you.

Jean-Pierre

Try this:
- Click Start / Run
- Type the three letters cmd
- Click OK
- Type this command:
net user Administrator SomeComplexPassword

To hide user accounts on the logon screen, see here:
http://www.windows-help.net/WindowsXP/tune-10.html.

 

[Malke]

Greetings,

I am working on a Windows XP Professional SP2 box. In the past, I
discovered that under XP, if you configure a secondary account with
administrator privileges and password protect it, you will stop seeing the
default administrator account.

Unfortanetely, it is still there, without a password, and anyone knowing
the keystrokes to boot in safe mode can log in an hack the machine. Hence,
I am trying to find and password protect the default administrator to
protect the box.

I hope it is not too late. Any advice will be welcome. The only additional
note I have is that last time I saw this problem was witht MS Windows XP
SP2 Home edition.
This is windows XP SP2 Professional edition.

You can assign a password to the built-in Administrator account easily.

To change the built-in Administrator account in XP Pro from your other
administrative account:

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click
OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click
Users.
5. In the right pane, right-click Administrator, and then click Set
Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click
OK.

However, you should be aware that any computer running any operating system
can be accessed by someone with 1) physical access; 2) time; 3) skill; 4)
tools. So if I'm sitting at your box anyway, it's mine even if you assign a
password to the built-in Administrator. Here are a few things you can do to
make it harder:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS Setup
can't be entered without it.

2. From the BIOS, change the boot order to hard drive first.

Malke

 

[Pegasus [MVP]]

However, you should be aware that any computer running any operating
system
can be accessed by someone with 1) physical access; 2) time; 3) skill; 4)
tools. So if I'm sitting at your box anyway, it's mine even if you assign
a
password to the built-in Administrator. Here are a few things you can do
to
make it harder:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup
can't be entered without it.

2. From the BIOS, change the boot order to hard drive first.

Malke

I agree with your reservations but setting BIOS passwords makes it only
marginally harder to break into a PC. Removing the motherboard battery for
10 minutes will usually reset these passwords. To really protect a PC
requires a disk encryption facility, which could cause a few different
problems for the inexperienced.

 

[Terry R.]

The date and time was Tuesday, August 18, 2009 9:47:04 AM , and on a
whim, Pegasus [MVP] pounded out on the keyboard:

I agree with your reservations but setting BIOS passwords makes it only
marginally harder to break into a PC. Removing the motherboard battery for
10 minutes will usually reset these passwords. To really protect a PC
requires a disk encryption facility, which could cause a few different
problems for the inexperienced.

Marginally harder only for those that know what to do. I always set a
BIOS password on laptops (except for those using bluetooth keyboards
that don't initiate at that point).

On one network I admin, a few years ago we even had a laptop returned
about a month after it was stolen, and I attribute it to the thief
figuring the laptop was useless to them since they couldn't get past the
BIOS screen.


Terry R.

 

[dareys]

Pegasus,

Thank you for this. I appreciate it and will try. The puzzling thing is that
I should be able to do this via the GUI. However, this is good enough for me.
I hope it works.

Jean-Pierre

 

[dareys]

Malke,

Thank you for this information. I will check out Pegasus and your
suggestions. I hope they will work. I have used MMC before, so this sounds
great.

I truly appreciate your suggestions. I had not covered them all.

So far, I have assigned a password to the machine at the BIOS level, just to
start the boot sequence. After that, another password is necessary to boot
from any of the boot devices which do not include network devices which I
have disabled.

Also the machine had a finger print reader... So... But, I think it boots
from the CD first, so I will change that. Many thanks.

One last thing. Regarding your comment. Anyone can access my machine that
has, like you say, 1) physical access; 2) time; 3) skill; 4) tools. I would
add a fifth. That would be 5) malicious intent or the will to do me harm.

Frankly, I think it is 5). I have been suffering from this kind of problem
since roughly 2002.

Anyway, thank you for the information.

Jean-Pierre

 

[dareys]

Pegasus,

I know this 100%. Some of my problems on other boxes diminushed considerably
when I added the BIOS passwords, and resumed when the battery died and they
were wiped out. Exposure of even minutes is enough to the knowing hacker.

Jean-Pierre

 

[dareys]

Terry,

That is a very good comment. If they can´t boot the machine, it is useless
to them. And few will know to open it up to disable internal power.

Jean-Pierre

 

[Pegasus [MVP]]

Pegasus,

Thank you for this. I appreciate it and will try. The puzzling thing is
that
I should be able to do this via the GUI. However, this is good enough for
me.
I hope it works.

Jean-Pierre

Malke gave you the GUI approach - try it! I gave you the Command Line method
because it takes much less time to get there, you get more descriptive error
messages and it's much easier to describe. Call me lazy if you like . . .

 

[Malke]

Pegasus [MVP] wrote:

I agree with your reservations but setting BIOS passwords makes it only
marginally harder to break into a PC. Removing the motherboard battery for
10 minutes will usually reset these passwords. To really protect a PC
requires a disk encryption facility, which could cause a few different
problems for the inexperienced.

Yes, we are in agreement. But if it's a laptop it will not be that easy
(depends on the model of course) and if it's a desktop, the person breaking
in may not want to be seen with the machine sitting there open. So it's a
deterrent like locking your car door. It won't keep a determined thief out
but if your kid or employee is the person you're protecting the machine
from, it might be enough.

Malke

 

[dareys]

Pegasus,

Frankly, I will try both, but I also preffer the CLI. Faster, and you can
script it.

Regards,

Jean-Pierre

 

[dareys]

All,

Many thanks for the prompt and technically savy and accurate feedback.

I have implemented almost all of your suggestions including setting the
password of the Administrator account, which, much to my dismay, remained
invisible, in spite of my efforts to locate it.

I succeeded with the CLI as well as the GUI. However, the GUI provided me
some additional options which were welcome.

Best regards,

Jean-Pierre

 

[Pegasus [MVP]]

All,

Many thanks for the prompt and technically savy and accurate feedback.

I have implemented almost all of your suggestions including setting the
password of the Administrator account, which, much to my dismay, remained
invisible, in spite of my efforts to locate it.

Use the Command Line approach. The command
net user{Enter}
will show you all accounts, including the Administrator. The command
net user Administrator
will show you its attributes.

 

[dareys]

Pegasus,

Thank you for the additional information.

Awsome.

Jean-Pierre

 

[dareys]

Fellows,

I appreciate all the advice. Everything worked perfectly and after a couple
of iterations, I thought that I had been able to bullet proof the box. So
well in fact, that apparently now, I don`t remember the passwords for

1. BIOS access
2. Disk access
3. Network access

In spite of having kept them simple initially and oh my, written them down.
Yep. My BIOS is now inaccessible. Hacking? Any ideas on how I could reset it.
BTW, the computer still boots in Windows mode.

My last resort would be to restore from a backup make as soon as I opened
the machine, but I doubt that this will reset BIOS.

I am going to re-post this question under a more meaningful header, but
please feel free to reply. Thank you for all your help so far.

Regards,

Jean-Pierre