|
| If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|||||||
|
|
Thread Tools | Display Modes |
|
#1
January 9th 09, 10:45 AM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
Encrypting Administrator's profile
Is there any way to encrypt (EFS or similar) the entire administrator's
profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Thanks a lot! 
|
| Ads |
|
#2
January 9th 09, 03:24 PM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
Kirsten wrote:
Is there any way to encrypt (EFS or similar) the entire administrator's profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Why is this user able to logon as an administrative level account in the first place? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
|
|
#3
January 9th 09, 03:53 PM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
He's not, but there are several utilities that easily disable the
administrator account. "Shenan Stanley" wrote in message ... Kirsten wrote: Is there any way to encrypt (EFS or similar) the entire administrator's profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Why is this user able to logon as an administrative level account in the first place? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
|
|
#4
January 9th 09, 04:04 PM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
Kirsten wrote:
He's not, but there are several utilities that easily disable the administrator account. Sounds like some discipline is in order. If this is a workplace, make it a sackable offence to install or use any software not authorised by the company. If a home environment, just deny physically, access to the machine until the user learns to respect computer security. -- Asking a question? Please tell us the version of the application you are asking about, your OS, Service Pack level and the FULL contents of any error message(s)
|
|
#5
January 9th 09, 04:37 PM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
Kirsten wrote:
Is there any way to encrypt (EFS or similar) the entire administrator's profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Shenan Stanley wrote: Why is this user able to logon as an administrative level account in the first place? Kirsten wrote: He's not, but there are several utilities that easily disable the administrator account. Did you mean 'disable' or 'allow them to use' the administrator account? You didn't want to hear it because you know it's true... "Physical access, time and a little knowledge means anyone who sits at the machine basically can own it..." Are you protecting what's in the administrator account (should be much of nothing) or is it you just don't want them using the account? If the latter - your battle is lost before it was started. Encrypt all you want - physical access can give the user another/the same administrative account with a little effort and a few tools and time. Maybe not so much the data in the profile - but there should be nothing in (files, etc) the actual built-in administrator's account of importance anyway, IMO. I think you need to divulge what it is you hope to accomplish in order to better narrow the possible answers. What is the actual problem and need? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
|
|
#6
January 10th 09, 02:22 AM
posted to microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
Kirsten wrote:
Is there any way to encrypt (EFS or similar) the entire administrator's profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Thanks a lot! NOTE: Kirsten chose to shotgun his post to unrelated newsgroups. Windows XP is not a server nor is it Vista. So the following newsgroups were removed from my reply: microsoft.public.windows.server.security microsoft.public.windows.vista.security If you physically allow others to share a host, they can eventually figure out how to steal or break your login passwords. Start looking into whole-disk or partition encryption products. I think TrueCrypt can encrypt a partition, like the one with the OS. Or you could just use a BIOS-enabled password and lock the case so they can't get inside to clear the CMOS data.
|
|
#7
January 14th 09, 02:38 AM
posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
|
|||
|
|||
|
Encrypting Administrator's profile
You can use a full disk encryption product to encrypt the entire hard drive.
FDE will prevent offline access to the hard drive, meaning you would not be able to boot the computer into another OS and access the drive. Windows Vista with BitLocker should do the trick. Vista SP1 made some improvements to BitLocker. -- Mel K. MCSA: M "Kirsten" wrote in message ... Is there any way to encrypt (EFS or similar) the entire administrator's profile folder (C:\Documents and Settings\Administrator) so as to prevent a user from login in to the computer if he changes the password with a dos utility? (CIA Commander for example). There's no point in having domain policies if the user can login as the administrator and do whetever he wants with the computer! What else do you suggest? (please don't say "put a bios password" or "forbid physical access to the computer") Thanks a lot!
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
