General

[Marauder_Pilot]

You'd be surprised how often that works. Nobody sets Admin passwords any more.

Of course, with the plethora of DOS-shell-based and Linux-based boot disks that can nuke passwords with MUCH ease, the fact that most people don't even know about network booting to run those, and so on, Windows passwords only keep out the very most computer illiterate. BIOS passwords are where its at, at least that necessitates you having to actually rip open the computer and reset it manually if you need to. But even those can be bypassed by software I'm sure, I just don't know how personally.

[Jefe]

Quote:

Originally Posted by Marauder_Pilot

You'd be surprised how often that works. Nobody sets Admin passwords any more.

Of course, with the plethora of DOS-shell-based and Linux-based boot disks that can nuke passwords with MUCH ease, the fact that most people don't even know about network booting to run those, and so on, Windows passwords only keep out the very most computer illiterate. BIOS passwords are where its at, at least that necessitates you having to actually rip open the computer and reset it manually if you need to. But even those can be bypassed by software I'm sure, I just don't know how personally.

Ah yes, and aren't those tools great?

That's why I went on a big campaign at work of actually renaming the local admin account and setting the password. Then I took floppy drives out, disabled booting from any source but the hard drive, and put a password in place for bios changes.

If you can't boot to a cd or disk, you're going to have a difficult time if you want to rip the admin password.

I guess you really wanted steal the password, you could take the case off, place the password clear jumper in the alternate position, restart, change the password, power off, place the jumper back in position, reboot, change the drive settings, then boot to your disk. But honestly, that's a lot of work just to steal a local admin password...

Much better to use social hacking techniques to steal data, which would be really easy...because the lady that does payroll LEAVES HER OFFICE UNLOCKED, ACCOUNTING PROGRAM RUNNING AND HER COMPUTER UNLOCKED FOR THE HOUR SHE GOES TO LUNCH! But as you can tell, the doesn't bug me one bit.

Really is it that hard to lock you computer screen? Or type your password?

[Marauder_Pilot]

That's just asking for a pay raise right there.

[BoBo]

I had the same issues when I worked with portfolio managers - might want to lock that screen when you walk away.

I ran a registry change remotely that enabled the screen saver to come on after 10mins and lock and then removed the screensaver tab :-)

I'll be doing the same thing shortly using GPOs and will be setting up a GPO so I can reset the local admin pswd every 3 months.

[Jefe]

Hmm...ethical issues aside, yes...that would be a good time for a pay raise...

I tried the force locking on the screen savers, but had issues with it. Something on my domain controller is a little wacked out, and causes that particular option to do bad things.

That comes from corruption on the DC after many power outages and not having a crummyUPS...despite my PLEAS for a good one. After that happened about 15 times (the city did a lot of power work during the middle of the night last year) and the accounting server lost some data, I finally got a good, big UPS for our servers. Funny how that happened after the business manager had to re-enter, by hand, about 2000 transactions.

Some day I'll have to fix that and the backup DC, then that will be an option!

[BoBo]

I had some really old DCs - I built some new virtual ones, had them assume roles then copied them.

I have virutal DCs running on a few different VM servers and a backup, waiting to be booted on a different server.

When you have no cash for new hardware, VMing some componets, can be useful.

I also pushed out a reg merge, not a GPO before.