
Local Administrator Account

Newsgroup: microsoft.public.windows.server.security
Posted by John on April 17, 2007, 7:28 pm
I have a Windows 2003 Active Directory environment. I have XP workstations
and member servers with the local administrator account password set the
same. I logged into the XP workstation as the local administrator. Then I
was able to access all the administrative shares of the other workstations
and member servers that have the same password. I would be able to UNC path
to \\server\c$ without a domain authentication prompt. I remember this was an
issue in the NT domain days when you could log on to other domains if
the administrator account and passwords were the same. I checked another
Windows 2003 AD as well as a 2000 AD and it still happened. Any ideas why
and how to stop it?

Posted by Roger Abell [MVP] on April 17, 2007, 9:38 pm

> I have a Windows 2003 Active Directory environment. I have XP workstations
> and member servers with the local administrator account password set the
> same. I logged into the XP workstation as the local administrator. Then I
> was able to access all the administrative shares of the other workstations
> and member servers that have the same password. I would be able to UNC path
> to \\server\c$ without a domain authentication prompt. I remember this was an
> issue in the NT domain days when you could log on to other domains if
> the administrator account and passwords were the same. I checked another
> Windows 2003 AD as well as a 2000 AD and it still happened. Any ideas why
> and how to stop it?

If I understand the "why" part of your question, I think the MS
answer would be that it is by design.
How to stop it?
Do not use the same password everywhere, or do not use the
same account everywhere, or preferably do neither.
As you outline, loss of the credentials on one machine could
spread like wildfire throughout your infrastructure with things
as you have them, so one obviously should not have them so.
Give the built-in Administrator account (however renamed if
renamed) a long, strong, complex passphrase that is not the
same as elsewhere. Use your domain accounts for uniform
access if/when/as required.

Roger
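An added example of the fix Roger describes (my code, not Roger's or Microsoft's): generate a different long random passphrase for the built-in Administrator on every machine and set it over PowerShell Remoting. It assumes targets running Windows PowerShell 5.1 or later with remoting enabled, which is newer than the XP/2003 machines in the thread; the computer names and output path are placeholders.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 5.1+
# (Set-LocalUser comes from the Microsoft.PowerShell.LocalAccounts module) and
# PowerShell Remoting on the targets. Computer names below are placeholders.

function New-RandomPassphrase {
    param([int]$Length = 32)
    # Draw from a cryptographically secure RNG; Get-Random is not suitable for passwords.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Set-UniqueLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$AccountName = 'Administrator'   # use the renamed name if the built-in account was renamed
    )
    foreach ($computer in $ComputerName) {
        $plain = New-RandomPassphrase -Length 32          # a different value for every host
        try {
            # The remoting channel is encrypted; the secure string is built on the target.
            Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($name, $pw)
                Set-LocalUser -Name $name -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
            } -ArgumentList $AccountName, $plain
            # Emit the record so the caller can store it in a restricted secret store.
            [pscustomobject]@{ Computer = $computer; Account = $AccountName; Password = $plain; Changed = Get-Date }
        }
        catch {
            Write-Warning "$computer`: $($_.Exception.Message)"
        }
    }
}

# Usage (placeholders): one unique passphrase per host, written to a file only admins can read.
# Set-UniqueLocalAdminPassword -ComputerName 'WS01','WS02','SRV01' |
#     Export-Csv -Path '\\secure-share\vault\local-admin.csv' -NoTypeInformation
```

The hard part in practice is not generating the passphrases but storing and rotating them, which is what a managed solution such as Microsoft's LAPS does for you; the script above shows the principle from the thread, one secret per machine, so that losing one machine's credential does not open the others.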



Posted by Joe Richards [MVP] on April 17, 2007, 11:14 pm
It isn't an issue, it is by design and it isn't going to change.

Use different passwords on the accounts if you don't want the admin on
one machine to access resources on another machine. It is bad security
practice to use identical passwords on multiple accounts anyway.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


John wrote:
> I have a Windows 2003 Active Directory environment. I have XP workstations
> and member servers with the local administrator account password set the
> same. I logged into the XP workstation as the local administrator. Then I
> was able to access all the administrative shares of the other workstations
> and member servers that have the same password. I would be able to UNC path
> to \\server\c$ without a domain authentication prompt. I remember this was an
> issue in the NT domain days when you could log on to other domains if
> the administrator account and passwords were the same. I checked another
> Windows 2003 AD as well as a 2000 AD and it still happened. Any ideas why
> and how to stop it?

Posted by John on April 18, 2007, 1:40 am
Can you explain to me more about the fact that it is by design? Can you
point me to resources that explain this? Thanks in advance.

"Joe Richards [MVP]" wrote:

> It isn't an issue, it is by design and it isn't going to change.
>
> Use different passwords on the accounts if you don't want the admin on
> one machine to access resources on another machine. It is bad security
> practice to use identical passwords on multiple accounts anyway.
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> John wrote:
> > I have a Windows 2003 Active Directory environment. I have XP workstations
> > and member servers with the local administrator account password set the
> > same. I logged into the XP workstation as the local administrator. Then I
> > was able to access all the administrative shares of the other workstations
> > and member servers that have the same password. I would be able to UNC path
> > to \\server\c$ without a domain authentication prompt. I remember this was an
> > issue in the NT domain days when you could log on to other domains if
> > the administrator account and passwords were the same. I checked another
> > Windows 2003 AD as well as a 2000 AD and it still happened. Any ideas why
> > and how to stop it?
>

Posted by DevilsPGD on April 18, 2007, 2:28 am

> Can you explain to me more about the fact that it is by design? Can you
> point me to resources that explain this? Thanks in advance.

The long and short of it is that Windows attempts to authenticate using
your current credentials by default. This allows a lot of things to
"just work" (especially when domain and workgroup PCs are interacting,
or PCs of different domains)

Is it a security breach? In my opinion, yes, although defeatable with a
sufficiently strong password, rotated reasonably frequently.

At a minimum, it reveals a hashed version of your password, which is
sufficient to allow a brute-force attack (whereas a brute-force attack
that required login attempts would eventually get blocked by account
lockout policy, a hash brute force attack would never get locked out)

Is it configurable? As far as I know, no.

--
I'd give my right arm to be ambidextrous.
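The behaviour DevilsPGD describes also leaves a trace an administrator can look for: a network logon to a host that authenticated as that host's own local account rather than a domain account, the same local account name showing up on many hosts from one source. As an added example (mine, not part of the thread), the PowerShell below runs that check over a few constructed logon records; the property names mirror the fields of a successful-logon audit event (event 4624 on Vista and later, where logon type 3 is a network logon), and the host names and addresses are made up.

```powershell
# Added example, not part of the original thread. The records are constructed and
# mirror event 4624 fields; in production they would come from Get-WinEvent or a SIEM.
$events = @(
    [pscustomobject]@{ Host='SRV01'; TargetUserName='Administrator'; TargetDomainName='SRV01'; LogonType=3; AuthPackage='NTLM';      SourceIp='10.0.0.15' },
    [pscustomobject]@{ Host='SRV02'; TargetUserName='Administrator'; TargetDomainName='SRV02'; LogonType=3; AuthPackage='NTLM';      SourceIp='10.0.0.15' },
    [pscustomobject]@{ Host='WS07';  TargetUserName='Administrator'; TargetDomainName='WS07';  LogonType=3; AuthPackage='NTLM';      SourceIp='10.0.0.15' },
    [pscustomobject]@{ Host='SRV01'; TargetUserName='jsmith';        TargetDomainName='CORP';  LogonType=3; AuthPackage='Kerberos';  SourceIp='10.0.0.22' },
    [pscustomobject]@{ Host='WS03';  TargetUserName='Administrator'; TargetDomainName='WS03';  LogonType=2; AuthPackage='Negotiate'; SourceIp='-' }
)

function Find-LocalAdminLateralUse {
    param([object[]]$Events, [int]$MinHosts = 2)
    $Events |
        Where-Object {
            $_.LogonType -eq 3 -and                  # network logon; admin-share access is type 3
            $_.TargetDomainName -eq $_.Host -and     # local SAM account (domain field = host name), not a domain account
            $_.TargetUserName -eq 'Administrator'    # adjust if the built-in account is renamed
        } |
        Group-Object SourceIp |
        ForEach-Object {
            # One source authenticating as the local Administrator of several
            # different hosts is the shared-password pattern from this thread.
            $hosts = @($_.Group.Host | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{ SourceIp = $_.Name; HostCount = $hosts.Count; Hosts = ($hosts -join ',') }
            }
        }
}

Find-LocalAdminLateralUse -Events $events | Format-Table -AutoSize
```

The domain-account logon from 10.0.0.22 and the interactive (type 2) logon on WS03 are ignored; only the source that reached three different hosts with each host's own local Administrator account is reported. The same filter is a useful baseline after you have randomized the local passwords, since any surviving hit then points at a machine that was missed.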
