Posted by Susan Bradley, CPA aka Ebitz - on July 1, 2005, 3:57 am
Physical access to a box means that you can easily reset the password
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
A contract with your client saying 'you void the warranty if you reset
the password'
However... "no updates?" Sir... I'd be having you sign a contract
saying within a reasonable amount of time..say a day or so...that you'd
be patching that box. There's no way I'd let a vendor of mine determine
my patch status.
serge calderara wrote:
>Dear all,
>
>We are deploying to our worldwide customers a set of applications which is
>installed on a standard industrial PC (we are delivering the same PC to all
>our customers).
>
>The system needs to be stable and fully functional 24h/day.
>For that we have issued a deployment security policy which is as follows:
> - Administrator user has been renamed to something else
> - our customers can update any program on the system
> - our customers cannot install any Windows update
> - our customers cannot connect the PC to their company Domain Controller
> - Administrator password is known only by us for maintenance purposes
>
>With these rules in place, we have a really stable and fully tested known
>environment.
>This to avoid library conflict as every developer is faced on each time
>
>Unfortunately, we have some customers who managed to hack the administrator
>password either by knowing it or by resetting it.
>
>As far as I know, tools that can be found on the internet can just reset the
>password, or are there some which are able to show passwords in clear text?
>
>If this occurs, which procedure can I put in place in order to block my
>application if the administrator password is changed?
>
>Thanks for helping me to solve that issue
>Regards
>serge
--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx