So, I was playing around with the Offline Windows Password & Registry Changer earlier today (basically a stripped-down version of Linux with the ntpasswd tool installed), and it got me thinking. Is there any way to prevent someone from using this tool against your workstation/laptop? I mean, to use the tool implies that you already have physical access, which (in my opinion) makes the attack 90% easier. The tool is able to change or just flat-out remove passwords for any user accounts, has the ability to enable accounts that have been disabled, and elevate privileges for users that are not Administrators. It also has a registry editor, which has come in quite handy on more than one occasion.
The only thing I could come up with would be to remove USB/CD/floppy from the available boot drives, and set a BIOS password so it can't be changed. I know that on desktops, you can clear the CMOS pretty easily if you have physical access (which we're already implying is the case), and that usually clears a BIOS password. Not sure if you can do that on a laptop. Is there any way to harden Windows against this type of attack? Encrypt the partition?
I'd love to hear everyone's opinion on this.