markterry
asked on
Protect Against Password Reset
Hello,
I have recently realized that even in Windows 7, there are password reset tools still available. I have seen videos on youtube of them working, but have not tried myself.
My question is, how do I prevent these things from working on my system?
I have recently realized that even in Windows 7, there are password reset tools still available. I have seen videos on youtube of them working, but have not tried myself.
My question is, how do I prevent these things from working on my system?
Run5k
As I mentioned in your other question, if you encrypt the hard drive tools like the Offline NT Password Editor won't work.
ASKER
So encryption is the only protection against this? So like mass company networks, if their HDDs are not encrypted, cannot protect against these CDs?
Essentially, that's correct. Hard drive encryption is a deal-breaker, but keep in mind that the Systems Administrator needs to have physical access to the hard drive to utilize these tools.
If the local station can be accessed it can still be hacked. Defense is not just network or password protected you must have physical protection as well like key cards to access doors
ASKER
Well, I can think off the top of my head a couple ways to block it without encryption. Mainly in BIOS, could I not just set a password, and disable booting to USB or CD? Or is there a CD for cracking BIOS too?
ASKER
I also suppose that if the password is complex, this should protect you as well. Or is password reset always an option?
Yes, theoretically you could lock down and modify the BIOS to disable USB and optical boot options. Needless to say you would be losing some fucntionality, but that would get the job done, too.
When you are mention a complex password, are you referring to Windows? If so, it makes no difference. If you are referring to the BIOS, I actually don't know. That transcends my area of expertise.
When you are mention a complex password, are you referring to Windows? If so, it makes no difference. If you are referring to the BIOS, I actually don't know. That transcends my area of expertise.
ASKER
I was referring to windows. Why does it make no difference? I thought those password crackers relied on brute force or rainbow tables?
ASKER
Or is it that they can just reset it anyways?
ASKER
Also, we are talking domain credentials here correct? not just normal windows passwords?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
every system is vulnerable, what we can do is just add multiple level of security to make harder for the cracker to crack, so we can delay him/her to add our more one level of security to hinder them.
physical barrier should be taken care off. Even the bios password can be reset, bt adding bios password will definitely hinder anyone. The system can be encrypted to make inaccessible with the correct password. but one should not reset the users password from the administrator, otherwise the user may lose all the control on the files and folders making unusable to anyone.
physical barrier should be taken care off. Even the bios password can be reset, bt adding bios password will definitely hinder anyone. The system can be encrypted to make inaccessible with the correct password. but one should not reset the users password from the administrator, otherwise the user may lose all the control on the files and folders making unusable to anyone.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks guys. I understand the mutiple layers, etc.
Most importantly I did want to know about password security.
I know that even for domain computers, like laptops, when disconnected from the domain have a cached credential store. I thought this could also be cracked by the password crackers. Can someone confirm this is not the case?
Most importantly I did want to know about password security.
I know that even for domain computers, like laptops, when disconnected from the domain have a cached credential store. I thought this could also be cracked by the password crackers. Can someone confirm this is not the case?
ASKER
To clarify, I mean specifically in new versions of windows.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. I not 100% I am any better off than when I started. But I suppose for the purposes of this forum I will accept your answers.
dariusg, I would be interested to know what methods are used to access domain credentials as part of your solution.
ve3ofa, if someone can crack your password, if files are stored on the server it is not neccesscarily safer. it may be likely that person either has access to the network at that point, or possibly VPN.
dariusg, I would be interested to know what methods are used to access domain credentials as part of your solution.
ve3ofa, if someone can crack your password, if files are stored on the server it is not neccesscarily safer. it may be likely that person either has access to the network at that point, or possibly VPN.
as per group policy you can 'not store cached credentials To disable cached credentials, simply alter the appropriate GPOs so that every system in the environment has the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)" to 0 logons (from the default of 10). Local passwords ie. screen saver unlock passwords are stored in memory, to force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Require Domain Controller authentication to unlock workstation" to Enabled.
Just to restate, once one has physical access nothing stored on the physical machine is safe from being attacked.
Just to restate, once one has physical access nothing stored on the physical machine is safe from being attacked.
ASKER
Interesting point ve30fa, but that would definitely not work for road warriors, correct?
ASKER
thin clients would also probably really increase security on this point then too...
the road warriors would need internet connectivity and be able to vpn into the system/site to logon.. now that you have the users pc's to worrry about now how about the sysadmin's? We recently had a former sysadmin arrested when we found a lot of data on a public folder