Lost Administrator Password
I have a job site where one employee seems to have changed my Administrator password on a Win2000 machine. Does anybody know how he might have pulled it off, and what I need to do so I can see if he does it again?
Thanks
Shoe1
Responses to this topic
Either he got your admin password somehow, or he used a hack proggie. There are several little programs that allow you to change the admin password. One is called Locksmith from Winternals and allows you to change the password to anything you want, but you need to mount the system drive from another OS session to do it. Search the workstations to see if Locksmith was installed on any of them. Another is a Linux floppy disk, where you boot with your W2K CD, press F6 to load other drivers, and put the floppy in. It changes the password to 1234.
I suggest you change the boot order to hard drive first, lock the case, password the CMOS, and set GPOs to restrict network access as tightly as you can. Also set a GPO to prevent access to the CD or floppy by anyone but admins on that machine. And make sure you check to see who is watching when entering your password, and keep the server consoles locked when you are away from them.
Another thing you may consider is adding a syskey password. The only problem is that attempts to change the password can corrupt AD, so you will not be able to boot at all and will have to restore AD from backup. Better would be to add a power-on password in CMOS.
You can audit account management and filter the audit logs for changes to the admin account. This would catch him if he stole your admin password somehow, but won't work if he's using one of those hacks.
There are several Linux boot disks out there for download that will change any NT password on the local machine (local being the one they can get to physically and boot with the floppy).
Change the BIOS to have an admin password and make the floppy not bootable via the BIOS. Sure, it's not going to STOP anyone, but it may make it not worth their while, especially if they have a chance of getting walked in on with the case open. (I think ntbootdisk.com has this disk too, the Linux disk that is.)