Penetration Testing mailing list archives
Re: Local Admin
From: "Steven" <steven () lovebug org>
Date: Thu, 1 Jun 2006 22:43:00 -0400
Hello,Let me try a response to your qustion and precursor it with my assumptions about your environment.
I am assuming that you are currently in an Active Directory (AD) environment and that your users are local administrators of their own machines once logged into their domain account. My next guess is that you have a local administrator account on each machine and this is the one you are interested in watching.
To the best of my knowledge there is no way to do this through AD. The local account on the machine is separate from your AD is resides only on the local installation. The only way that I know of that you could be notified of a change is if you have some kind of additional log monitor. This could alert you to password changes (event id 628) or attempted(failed) changes (event id 627). You might also want to look for account created/deleted events in your logs as well.
Depending on the size of your environment and number fo your staff I would not say it's unreasonable or impossible to set administrative BIOS passwords on all of the machines. This can go a decent way to protecting machines from being booted from a CD. It of course will not stop a determined attacker that's in front of the box.
Hope this helps.. just post back if you have more questions. Steven----- Original Message ----- From: "Mohamed Abdel Kader" <mak.pen () gmail com>
To: <pen-test () securityfocus com> Sent: Thursday, June 01, 2006 4:58 AM Subject: Local Admin
Hello List, I was wondering if their is a way to monitor if someone changed the localAdministrator, on his/her computer, through an active directory, and how canThis be prevented in large organizations. It is not practical to change theBios password on all of the computer and the boot order and lock the Machines; at least in this case. Thanks all... ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security?Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has themost comprehensive solutions to meet your application security penetrationtesting and vulnerability management needs. You have an option to go with amanaged service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Local Admin Mohamed Abdel Kader (Jun 01)
- Re: Local Admin Steven (Jun 01)
- RE: Local Admin Vladan Todorovic (Jun 02)
- Re: Local Admin Billy Beaudoin (Jun 02)
- Re: Local Admin Steven (Jun 01)