So you want to lock down your computer but…

17 Sep

then your computer is at work and your boss says you need to join it to the domain. Speaking of which, your boss can then use his domain administrator password to access your computer. But wait, what about the other IT Help Desk personnel? They can also unlock your computer with the domain administrator account, or simply by using the local administrator account.

There isn't any real solution to this dilemma other than telling your boss and your co-workers not to access your computer. But if you just have to go out of your way to secure your computer, here is my guide:

1) Pretend that you are ON the network but you are NOT on the network

- The trick is to create a virtual OS on your computer and then join that virtual computer to the domain under the same computer name as your physical computer.

- Unjoin your computer from the domain. Go to the server and delete your computer from the network.

- Buy VMware Workstation and install an OS on it. Start the new virtual OS and join it to the domain under the same name as the deleted physical computer.

- The entire procedure will make your network administrator think that you are on the network when really you are not.

- Now on the physical computer you can still access the Internet, but probably not email (if you use MS Exchange), nor things like administering a Windows 2003 server through the Windows 2003 Administration Tools. On the virtual machine you will be able to do everything as you used to on your physical computer when it was on the domain.

2) Remove administrator privilege on the local administrator account

- The local administrator account's name is "administrator", and you cannot remove the administrator privileges from it unless you create an additional administrator account. But it's not as straightforward as you think, so keep reading.

- First rename the local administrator account to something exotic, like Bender. You will have to change that in group policy. Go to Run -> gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> then double click on "Accounts: Rename administrator account". Now change it to something else.

Group Policy

- Now right click on My Computer -> Manage. Navigate to System Tools -> Local Users and Groups -> Groups -> on the right hand side, double click on Administrators -> remove "administrator" from the window -> click Apply, then OK to set the permissions.

Remove local administrator account's administrative privilege

- Now go back out to Local Users and Groups -> double click on Users -> double click on "administrator" -> set a password for this local administrator account (usually every company has a pre-determined password for the local administrator account; set the password to that one to make your boss think this is the "real" local administrator account).

- The local administrator account is now named Bender, which is something no one knows. The account named "administrator" is no longer a local administrator of the computer. Your boss can still log onto your computer thinking he has access to it, but he doesn't. I deny all read permissions on all of my personal folders and files. The "administrator" account can log on and navigate to all folders but is unable to view my files.
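A check from the administrator's side, added here and not part of the original post: renaming the built-in Administrator account changes its name but not its SID, which always ends in the well-known RID 500, so a script can find it by SID and report whether it still holds local admin rights and which other local accounts do. It assumes a PowerShell with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) run from an elevated prompt; the event 4781 field order is an assumption noted in the code.

```powershell
# Added example (not the original post's code): locate the built-in local
# Administrator by its well-known RID (-500) whatever it is named, and show
# who actually holds local admin rights. Needs an elevated prompt and the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

function Get-BuiltInAdminStatus {
    # The built-in Administrator's SID always ends in -500; renaming it to
    # "Bender" changes only the display name.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $admins  = Get-LocalGroupMember -Group 'Administrators'

    # Is the RID-500 account still a member of Administrators? Compare by SID,
    # not by name, so a decoy account called "administrator" is not mistaken for it.
    $stillAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $builtIn.SID.Value })

    # Other *local* accounts with admin rights (domain members are reported separately).
    $otherLocal = @($admins |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -ne $builtIn.SID.Value } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        BuiltInName      = $builtIn.Name
        BuiltInEnabled   = $builtIn.Enabled
        Renamed          = ($builtIn.Name -ne 'Administrator')
        BuiltInIsAdmin   = $stillAdmin
        OtherLocalAdmins = $otherLocal
    }
}

# Recent account renames: Security event 4781, "The name of an account was changed".
# Assumption: property 0 is the old name and property 1 the new name.
function Get-RecentAccountRenames {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4781; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            OldName = $_.Properties[0].Value
            NewName = $_.Properties[1].Value
        }
    }
}

Get-BuiltInAdminStatus
Get-RecentAccountRenames
```

A renamed built-in account shows up as Renamed = True with BuiltInIsAdmin reflecting whether it was also pulled out of the Administrators group, and any extra local admin created to replace it appears under OtherLocalAdmins.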

3) Increase security on your now-local computer

- The following method will not work if you are in a domain. Usually, and most likely, all domain administrators disable local group policy or create a domain group policy that takes precedence over the local group policy.

- Go to Run -> gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> double click on the following:

Do not display user info when session is locked

- When you lock your computer, Windows will not display the current user’s information.

Do not display last username

- Your computer will not show the last person who logged on. This is beneficial to you since your boss won't know your "real" local administrator account name, but it also means you won't know who accessed your computer last.