Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
shoe1

Lost Administrator Password

By shoe1, in Security

Recommended Posts

shoe1    0

shoe1
Posted

I have a job site where one employee has seemed to changed my Administrator Password on a Win2000 machine. Does anybody know how he might have pulled it off and what I need to do the same so I can see if he does it again.

 

Thanks

Shoe1 frown

Share this post

Link to post

Davros    0

Davros
Posted

Either he got your admin password somehow, or he used a hack proggie. There's several little programs that allow you to change the admin password. One is called Locksmith from Winternals and allows you to change the password to anything you want, but you need to mount the system drive from another OS session to do it. Search the workstations to see if Locksmith was installed in any of them. Another is a linux floppy disk, where you boot with your W2K cd, and press F6 to load other drivers, and put the floppy in. It changes the password to 1234.

 

I suggest you change the boot order to hard drive first, lock the case, password the CMOS, and set GPO's to restrict network access as tight as you can. Also set a GPO to prevent access to the CD or floppy by anyone but admins on that machine. And make sure you check to see who is watching when entering your password, and keep the server consoles locked when you are away from it.

 

Another thing you may consider is adding a syskey password. Only problem is that attempts to change the password can corrupt AD, so you will not be able to boot at all, and will have to restore AD from backup. Better would be to add a power on password in CMSO.

 

You can audit account management and filter the audit logs for changes to the admin account. This would catch him if he stole your admin password somehow, but won't work if he's using one of those hacks.

Share this post

Link to post

pbuckne    0

pbuckne
Posted

I agree with the watching your back part, corp I used to work for had great security, or so we thought. I found a week old network level admin password lying on a slip of paper in the floor... Needless to say the password was changed... again.

Share this post

Link to post

shoe1    0

shoe1
Posted

Thats great advise and I will put it to good use. I have to admit I don't have experience with linux and that answer is definitly a new one to me. Thanks all for replying. Always look here first for professional help when needed.

Shoe

Share this post

Link to post

Igor    0

Igor
Posted

You can also get a bick stick and beat the password out of they guy who changed it.

Or just ask him to tell it to you and then get the stick out so he never attempts to steal it again.

Share this post

Link to post

Xelerated    0

Xelerated
Posted

There are several Linux boot disks out there for download that will change any NT password on the local machine (local being the one they can get to physically and boot with the floppy)

Change the BIOS's to have an admin password, make the floppy not bootable via the bios, sure its not going to STOP anyone, but may make it not worth their while, especially if they have a chance of getting walked in on with the case open. (i think ntbootdisk.com has this disk too, the linux disk that is)

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Security
×