Every Windows 2000 Server stores local users and their passwords in a special part of the registry commonly referred to as the Security Accounts Manager (SAM). When you promote a Windows 2000 server to a domain controller, SAM is no longer used. Instead, accounts are stored in Active
Domain controllers have a special offline SAM that stores the Administrator account used in the Directory Services Restore mode. This mode is used to recover Windows 2000 domain controllers. Since this account is very powerful, you must protect it. Here are some tips for protecting this
Use a different password for the offline SAM and the Active Directory Administrator account.
Use a strong password and change it regularly, in accordance with your password policy.
Enable auditing for the SAM file located in %systemroot%\System32\Config.
Physically secure the computer. Since the account isn't accessible when Active Directory is online, physical security is important.
Protect backups and don't let them get into the wrong hands.
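The auditing tip above is normally carried out through the file's Security properties dialog on Windows 2000. The script below is an added example, not from the original page, that does the same thing on a current Windows version with PowerShell: it attaches an audit entry (SACL) to the offline SAM hive and then reads the entries back to verify them. It assumes an elevated shell (reading or writing a SACL requires SeSecurityPrivilege) and that the hive lives at the default %systemroot%\System32\Config\SAM path named on the page.

```powershell
# Added example (not from the original page): apply and verify a file-system audit
# entry on the offline SAM hive so that access attempts are written to the Security log.
# Assumes a current Windows version with PowerShell, run from an elevated session.

$samPath = Join-Path $env:SystemRoot 'System32\Config\SAM'

# A SACL only produces events when object-access auditing is turned on. On Vista and
# later the relevant subcategory is "File System"; on Windows 2000 the equivalent is
# Local Security Policy > Audit Policy > "Audit object access".
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Read the current security descriptor including its audit (SACL) entries.
$acl = Get-Acl -Path $samPath -Audit

# Audit both successful and failed attempts by any principal to read, write,
# change permissions on, take ownership of, or delete the hive.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, ChangePermissions, TakeOwnership, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

$acl.AddAuditRule($rule)
Set-Acl -Path $samPath -AclObject $acl

# Verify: list the audit entries now attached to the file. Matching access attempts
# show up in the Security log as event ID 4663 on current Windows.
(Get-Acl -Path $samPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
```

The audit entry covers successes as well as failures so that legitimate reads by backup or system processes are visible alongside anything unexpected; tune the rights list or the identity to your own baseline, and make sure the Security log is large enough (or forwarded) for the extra volume.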
If you want to change the offline Administrator password but don't want to restart the domain controller to boot to the Directory Services Restore mode, use the Setpwd.exe utility from Windows
If you used Server Wizard to set up your domain controller, make sure you read Microsoft Knowledge Base article Q271641. This article discusses security issues related to using the Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q271641