Ok

someone has physical access to my computer right?

how would they go about creating them an admin user? how do they set it up (i'd love to know in case i get a freind who's forgot his friggin admin password.. or like many i've seen .. didn't know what an admin account was and know's even less what the pass is >:| )

ok with that... how do i make it so noone can create another admin account without specifically being in the admin account?

Just something that might help me help ppl fix their broken shit... you ppl might have an idea how frustrating it is to try and fix someone's XP machine and they are a "user" with no admin capabilities... and you ask them what the admin password is.. and they look at you with a blank stare......

Here is one option, it's a linux bootable CD or floppy that will reset your admin password for you:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

There are a couple others floating around out there as well...

To protect your machine from this don't allow booting off of floppy or CD and lock your BIOS. Filesystem encryption will also prevent this.

But, in general most of us figure if you have physical access to a box you should be able to get into it. If you have sensitive data just encrypt that data and don't worry about local users hacking the box.

--P.G.

i've heard of filesystem encryption but i don't know what it is.
what is it, how to do it ect..

Kuun

Well, there are numerous forms of file system encryption. One method is to encypt certain folders such as you are able to do in windows2k and above on NTFS partitions (right click on a folder, click on the advanced button, select file system encryption). The problem with this type of encryption is that it is dependant on the AD username and if that account is deleted all of the data is lost. I've heard problems with this also when the passoword is changed it needs to be updated in the encrypted volume (but I haven't tested this out).

You can also use various software programs like PGP to create encrypted volumes which show up as a new drive letter but are actually a single file on your hard drive. These drives are a great way to encrypt data as they are easy to use and use X.509 certificates for encryption. This means you can have multiple people able to access the system and can create recovery keys for corporate environments.

The third major kind is total file system encryption, this is essentially a wrapper that goes around the entire hard drive. It requires a password to boot up into the operating system and while you are working in the file system everything is constantly encrypted. This has a lot of overhead but does give you the maximum security as far as your system goes. I don't believe that there is a recovery method if you lose your password. There are also ways to encrypt entire partitions so that the OS isn't encrypted but all your data is.

I haven't really included links to various vendors but you can do some searches on google to find quite a few companies doing all three types of file system encryption.

--P.G.

hey,

thanks for the info on file encryption, thats something else i've always wanted to know more about

but i was really wondering how someone goes about creating an admin account or "rooting" a windows box from like dos or whatnot

im going to look into those linux bootdisks thatyou suggested

Kuun

in dos you can just type these two lines

net user <username> <password> /ADD
net localgroup /ADD administrators <username>

the user would be created with admin and user rights

to delete it via dos

net user <username> /DELETE

hope it helps