Encrypting Administrator's profile

[Guest Kirsten]

Is there any way to encrypt (EFS or similar) the entire administrator's

profile folder (C:\Documents and Settings\Administrator) so as to prevent a

user from login in to the computer if he changes the password with a dos

utility? (CIA Commander for example).

 

There's no point in having domain policies if the user can login as the

administrator and do whetever he wants with the computer!

 

What else do you suggest? (please don't say "put a bios password" or "forbid

physical access to the computer")

 

Thanks a lot!

[Guest Shenan Stanley]

Kirsten wrote:<span style="color:blue">

> Is there any way to encrypt (EFS or similar) the entire

> administrator's profile folder (C:Documents and

> SettingsAdministrator) so as to prevent a user from login in to

> the computer if he changes the password with a dos utility? (CIA

> Commander for example).

> There's no point in having domain policies if the user can login as

> the administrator and do whetever he wants with the computer!

>

> What else do you suggest? (please don't say "put a bios password"

> or "forbid physical access to the computer")</span>

 

Why is this user able to logon as an administrative level account in the

first place?

 

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

[Guest Kirsten]

He's not, but there are several utilities that easily disable the

administrator account.

 

"Shenan Stanley" <newshelper@gmail.com> wrote in message

news:%23I7wn5mcJHA.2444@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> Kirsten wrote:<span style="color:green">

>> Is there any way to encrypt (EFS or similar) the entire

>> administrator's profile folder (C:Documents and

>> SettingsAdministrator) so as to prevent a user from login in to

>> the computer if he changes the password with a dos utility? (CIA

>> Commander for example).

>> There's no point in having domain policies if the user can login as

>> the administrator and do whetever he wants with the computer!

>>

>> What else do you suggest? (please don't say "put a bios password"

>> or "forbid physical access to the computer")</span>

>

> Why is this user able to logon as an administrative level account in the

> first place?

>

> --

> Shenan Stanley

> MS-MVP

> --

> How To Ask Questions The Smart Way

> http://www.catb.org/~esr/faqs/smart-questions.html

> </span>

[Guest Gordon]

Kirsten wrote:<span style="color:blue">

> He's not, but there are several utilities that easily disable the

> administrator account.

> </span>

 

Sounds like some discipline is in order. If this is a workplace, make it

a sackable offence to install or use any software not authorised by the

company. If a home environment, just deny physically, access to the

machine until the user learns to respect computer security.

 

 

--

Asking a question?

Please tell us the version of the application you are asking about,

your OS, Service Pack level

and the FULL contents of any error message(s)

[Guest Shenan Stanley]

Kirsten wrote:<span style="color:blue">

> Is there any way to encrypt (EFS or similar) the entire

> administrator's profile folder (C:Documents and

> SettingsAdministrator) so as to prevent a user from login in to

> the computer if he changes the password with a dos utility? (CIA

> Commander for example).

> There's no point in having domain policies if the user can login as

> the administrator and do whetever he wants with the computer!

>

> What else do you suggest? (please don't say "put a bios password"

> or "forbid physical access to the computer")</span>

 

Shenan Stanley wrote:<span style="color:blue">

> Why is this user able to logon as an administrative level account

> in the first place?</span>

 

Kirsten wrote:<span style="color:blue">

> He's not, but there are several utilities that easily disable the

> administrator account.</span>

 

Did you mean 'disable' or 'allow them to use' the administrator account?

 

You didn't want to hear it because you know it's true... "Physical access,

time and a little knowledge means anyone who sits at the machine basically

can own it..."

 

Are you protecting what's in the administrator account (should be much of

nothing) or is it you just don't want them using the account?

 

If the latter - your battle is lost before it was started. Encrypt all you

want - physical access can give the user another/the same administrative

account with a little effort and a few tools and time. Maybe not so much

the data in the profile - but there should be nothing in (files, etc) the

actual built-in administrator's account of importance anyway, IMO.

 

I think you need to divulge what it is you hope to accomplish in order to

better narrow the possible answers. What is the actual problem and need?

 

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

[Guest Mel K.]

You can use a full disk encryption product to encrypt the entire hard drive.

FDE will prevent offline access to the hard drive, meaning you would not be

able to boot the computer into another OS and access the drive. Windows

Vista with BitLocker should do the trick. Vista SP1 made some improvements

to BitLocker.

 

--

Mel K.

MCSA: M

 

"Kirsten" <noreply@nospamplease.com> wrote in message

news:OHXGxdkcJHA.4660@TK2MSFTNGP04.phx.gbl...<span style="color:blue">

> Is there any way to encrypt (EFS or similar) the entire administrator's

> profile folder (C:Documents and SettingsAdministrator) so as to prevent

> a

> user from login in to the computer if he changes the password with a dos

> utility? (CIA Commander for example).

>

> There's no point in having domain policies if the user can login as the

> administrator and do whetever he wants with the computer!

>

> What else do you suggest? (please don't say "put a bios password" or

> "forbid

> physical access to the computer")

>

> Thanks a lot!

>

>

> </span>