Gaspar said:
I know several applications that can change the admin password (e.g. CIA
Commander). Having the computer with security policies for "normal" users
is useless because anyone can change the admin password, log in as
administrator, and change everything he wants.
Is there any way to prevent this?

Don't allow any physical access to the machine by unauthorized personnel and
make sure it can't be controlled remotely.
Any computer running any operating system can be accessed by someone with 1)
physical access; 2) time; 3) skill; 4) tools. There are a few things you
can do to make it a bit harder though:
1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.
2. From the BIOS, change the boot order to hard drive first.
3. Set strong passwords on all accounts, including the built-in
Administrator account in XP (it is disabled by default in Vista).
4. If you leave your own account logged in, use the Windows Key + L to lock
the computer (and/or set the screensaver/power saving) when you step away
from the computer and require a password to resume.
5. Make other users Limited accounts in XP Home, regular user accounts in XP
Pro. All users should be on a Standard account in Vista with an
Administrator account only used for elevation purposes.
6. Set user permissions/restrictions:
If you have XP/Vista Home, you don't have the built-in ability to create
fine-grained limitations, so use either MVP Doug Knox's Security Console or
the MS SteadyState program to set the restrictions the way you want.
SteadyState supports Vista now.
http://www.dougknox.com
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
More on SteadyState:
http://aumha.net/viewtopic.php?t=27570
SteadyState support -
http://forums.microsoft.com/WindowsToolsandUtilities/ShowForum.aspx?ForumID=1660&SiteID=69
If you have XP Pro, Media Center, Vista Business or Vista Ultimate, you can
use Group Policy to set restrictions (gpedit.msc). Be very careful using
the Group Policy editor; it is completely possible to lock yourself out.
Questions about group policy should be posted here:
microsoft.public.windows.group_policy
Malke
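
A read-only check for items 3 to 5 of the list above, added here as an example and not part of the original post. It assumes PowerShell is available on the machine; the function name `Get-LocalLogonAudit` and the report wording are hypothetical.

```powershell
# Added example: read-only audit of local accounts and screen-lock settings.
# Function name and report wording are hypothetical, not from the post.
function Get-LocalLogonAudit {
    $findings = @()

    # Item 3: enabled local accounts that are allowed to have a blank password.
    $users = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")
    foreach ($u in $users) {
        if (-not $u.Disabled -and -not $u.PasswordRequired) {
            $findings += "Account '$($u.Name)' is enabled and does not require a password"
        }
        # RID 500 is the built-in Administrator, whatever it has been renamed to.
        if ($u.SID -like 'S-1-5-21-*-500' -and -not $u.Disabled) {
            $findings += "Built-in Administrator '$($u.Name)' is enabled, confirm it has a strong password"
        }
    }

    # Item 5: members of the local Administrators group. The well-known SID
    # S-1-5-32-544 is used because the group name is localized.
    $admins = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    if ($admins) {
        foreach ($m in $admins.psbase.GetRelated('Win32_UserAccount')) {
            $findings += "Administrators member: $($m.Domain)\$($m.Name)"
        }
    }

    # Item 4: the screen saver must be active and password-protected for the
    # current user. A Group Policy value, when present, takes precedence.
    $paths = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
             'HKCU:\Control Panel\Desktop'
    $active = $null
    $secure = $null
    foreach ($p in $paths) {
        $k = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($k) {
            if ($null -eq $active -and $null -ne $k.ScreenSaveActive) { $active = $k.ScreenSaveActive }
            if ($null -eq $secure -and $null -ne $k.ScreenSaverIsSecure) { $secure = $k.ScreenSaverIsSecure }
        }
    }
    if ($active -ne '1') { $findings += 'Screen saver is not enabled for this user' }
    if ($secure -ne '1') { $findings += 'Resuming from the screen saver does not require a password' }

    return $findings
}

Get-LocalLogonAudit | ForEach-Object { Write-Output "[!] $_" }
```

The BIOS passwords and boot order from items 1 and 2 are not visible to the operating system through these interfaces and still have to be checked in BIOS Setup.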