|
Posted by =?Utf-8?B?ZmFmMTk2Nw==?= on September 4, 2005, 11:56 am
If you were Registered and logged in, you could reply and use other advanced thread options
Patrick I agree with some of the things you say about passwords. The only
problem is if gains access to the local admin passwords and every computer
uses the same local admin password you can map a drive to almost any
computer. This has been my experience. I think the best bet is to change th
eboot disk order but don't forget to password protect access to the BIOS.
If the user is logging into the computer as the local administrator there is
one way to catch him/her in the act. Use the net send command to send a pop
up message to your computer when someone logs on as the local administrator.
[net send {your computer name} {your message} save it as a .cmd file to
C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Now every
time some one logs on as the local administrator your computer will receive a
pop up. (of course you will have to work with the rest of your IT team) I
have used this method before and caught individual red handed. They never
figured out how I caught them.
"Patrick J. LoPresti" wrote:
> Sorry I am late to this discussion.
>
> As others have mentioned, if he can boot from media of his choosing,
> he can reset the local admin password and do many other things. To
> defend against this, configure the boot order in the BIOS, set a BIOS
> password, and put a padlock on the case (to prevent manual BIOS
> reset).
>
> But a better idea might be to ask yourself why you care if he has
> local admin rights to the machine? Unless your network is horribly
> misconfigured, in which case you have bigger problems, his admin
> access is "local" and thus cannot bother anybody else.
>
> If you are worried about supporting such systems, then don't. In my
> I.T. group, we make a simple deal with each user: They can have
> non-admin access and let us support the machine; or they can have
> local admin access and support it themselves. In the latter case, our
> assistance is limited to wiping the machine and rebuilding it from
> scratch, which amounts to two minutes of our time. This works for us
> and keeps the "power users" happy.
>
> The best I.T. people know that enforcing policy is always secondary to
> providing good service.
>
> - Pat
>
>
>
> > I have an employee who apparently has a way of cracking local administrative
> > passwords. I just learned of this and he has thus far been using this trick
> > "for good" (e.g. to by-pass corporate buracracies that impede productivity.)
> > Regardless, I've asked him to cease this practice. However, I'd like to know
> > if there's a way to make sure he's no longer able. The problem is that I
> > don't know how he's done it except that I was told by a coworker that a
> > floppy disk of some sort was invovled. I realize that's scant information to
> > go on, but I was hoping that someone might be able to offer some guidance on
> > shoring up the security on my PCs.
> >
> > thanks,
> > spence
>
| 
XML site map