Jump to content



Photo

Stop users from adding local admins


  • Please log in to reply
36 replies to this topic

#16 OP bowl443

bowl443

    Neowinian

  • Joined: 17-July 07
  • Location: Tx

Posted 25 January 2013 - 17:33

A little more detail;

This is at a school district and the kid in quesiton is a seventh grader. He renamed the local admin account and changed its password. Those student accounts are not local admins on the computers. After testing it with an account that we copied from his account, the only way he could have done this is with a bootable device, be it a cd, dvd, or usb drive. Thankfully with the security in place, being a local admin doesn't give him any rights on the network or domain. About the only thing he can do differently is install software locally. After going through his internet search history, he is looking for remote viewing software, specifically TeamViewer. He did not install any software though - maybe the bell rang and he ran out of time?

We're hatching a plan to catch him doing it so that we can nail down his process and figure out how much he knows. Maybe a key logger, or remote viewing software - like VNC. He could have used a product like Ophcrack and now he knows the local admin password on all the campus computers.

In the future we'll set the bios to only boot to the SATA drive and set a password on the bios to prevent changes being made to the boot order.

Any other thoughts/recommendations?


#17 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 25 January 2013 - 17:57

to catch a thief...

http://www.spectorsoft.com


Edit: also on some bios's you can set what devices are allowed to boot from not just boot priority...hitting the option to boot of a different device will yield only what devices you choose (ie, the hard drive).

The other issue is that it is pretty easy to reset this if you can pull the cover off when no one is looking, so putting in a security screw to prevent cover removal without special tools may also help.

#18 OP bowl443

bowl443

    Neowinian

  • Joined: 17-July 07
  • Location: Tx

Posted 25 January 2013 - 18:52

Ya, the SATA drive is now the only boot device 'checked.'

We're checking into securing the cases now.

Thanks

#19 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 25 January 2013 - 19:13

If your admin password is simple enough to be cracked locally by Ophcrack in a reasonable amount of time, that's a huge problem. Presumably you have a descent password policy and that is not the case, so I would rule out the student having access to the local admin password for all the machines.

Also, have you heard of Kon-Boot before? Its an extremely simple (and effective) method for gaining access to virtually any local Windows account, including the admin account. It would allow someone to boot from a disc, login as admin, then change the admin password. One could also login to any domain account that has been established on the local computer (i.e. a domain admin, teacher, or other student who logged in and created a profile on that computer), but since Kon-Boot bypasses the password instead of cracking it, the user won't have access to any domain resources.

#20 majortom1981

majortom1981

    The crazy one

  • Tech Issues Solved: 1
  • Joined: 30-November 01

Posted 25 January 2013 - 19:23

Depends what the actual story is, which the OP barely gave details on. What I described helps mitigate. (BTW, you responded to my original message prior to a bit of editing)

To prevent offline attacks, the only real "solution" is to manage the machines with BitLocker, a TPM, and Network Unlock.

A BIOS System password is only effect against "some" computers with properly designed firmware. A large majority that I've encountered do not block the F12 (or equivalent) firmware/BIOS boot menus even if a System password is present, including some of Dell's business line machines. Only some actually require authentication if a system password is present. I have some Precision workstations that do intrusion detection great, but only a BIOS user password will prevent a user from calling on the boot menu (and of course block them from using the computer at all without support). I don't believe any vendor is 100% consistent across their motherboard models when it comes to securing its BIOS/Firmware boot menu.

Also, when properly managed, "BitLocker+TPM+Network Unlock" is the better solution than any firmware block or physical lockdown because it requires the end user actually have technical skills. They need to have successful online attacks before an offline attack becomes possible. At this point most failures will be the result of desktop mismanagement.

Obviously it’s a bit trickier on mobile systems, as Network Unlock likely becomes impossible and you have to replace it with +PIN/+USB.


A firmware password would be used to stop the booting off of cd/dvd so they cant boot up a password change dvd

#21 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 92
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 25 January 2013 - 19:26

"he knows the local admin password on all the campus computers."

While I agree the password should be of significant strength to prevent bruteforce/rainbow tables, etc. You should also not have the same password on every device. They should all be different.

I use to just run a script to change the local admin password on every single machine in the domain. It was a random 20 digit that just dumped out from online password creator - http://www.pctools.c...uides/password/ I just pop these into my script and store in our password log.. Rare that was ever needed, you normally just used your own account that had local rights on all the machines, etc. Only in the case that boxes trust got messed up with the domain or something would you have to use local admin.

This also allowed us to give out local admin in the worse case scenario user was offline and something when wrong where you had to walk him through something with admin rights.. All you gave him was his box, and next time he his box was on the domain you would change it, etc.

#22 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 25 January 2013 - 19:41

BudMan, that's a really cool idea! None of the companies I have worked for have done that, but they probably should have. That seems like a much better method than generating a strong local admin password that must be changed once every three months. Everyone in IT basically uses their domain admin privileges anyway.

#23 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 92
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 25 January 2013 - 19:48

we had to change them every 3 months as well ;) Which is why the script!! It unrealistic to think you could change password if you had to touch every machine.. And your going to typo it for sure as well ;)

Might not have been that bad on the 50 some local servers, but not going to do it on the 900 plus user boxes.. And what about laptops that rarely come into the office etc.. Just needed to catch them while they are online via the vpn and 2 seconds there you go their local admin is changed.

Oh they were secure as well -- other guys use to bitch if they ever had to use them, or even the domain admin account which again used random 20.. As you said everyone normally used their personal accounts that had the permissions they needed. But every now and then you would have to break out the domain admin account password from the safe. and **** like this can be a pain to type in #luc&ouk?aqL6#iEwr+e

which is why the phonetics come in real handy ;)
(Hash - lima - uniform - charlie - Ampersand - oscar - uniform - kilo - Question - alpha - quebec - LIMA - Six - Hash - india - ECHO - whiskey - romeo - Plus - echo)

#24 ITFiend

ITFiend

    ハッピー

  • Joined: 13-October 09
  • Location: Galactic Sector ZZ9 Plural Z Alpha
  • OS: Windows Server 2012 R2, Windows 8.1
  • Phone: Windows Phone 8.1

Posted 25 January 2013 - 20:46

A firmware password would be used to stop the booting off of cd/dvd so they cant boot up a password change dvd


As I said, there is no guarantee a motherboard actually secures the boot menu just because you set a firmware password. There is no consistent behavior across motherboards even from Dell. If you have 6+ generations worth of different computers, I’m sure that less than half of them will actually behave the same way. Some will ask for authentication, and some won’t care that there is a password and will simply always allow the boot menu to function.

#25 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 92
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 25 January 2013 - 22:18

Give an example of something that allows you set a firmware password but does not allow you to lock down the boot, or still allows access to the boot menu.

Remove everything but the hdd from boot option, turn off feature to access boot menu, set password.

Even if the boot menu is available, if you alter the boot options then set a password on the firmware you should be good. I don't recall ever in the 30+ years in working/playing with a computers -- once they starting adding bios passwords ;) Not having the ability to lock out what the computer could boot from.

Shoot most users can not figure out how to change the boot order when firmware is NOT locked ;) Or for that matter press F# the system even flashes on the screen that says to change boot order.. So just the fact of changing the boot order to not boot cd/dvd/usb/pxe before the hard should keep most users from being able to run the boot tools.

#26 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 25 January 2013 - 23:29

Security implementations are in many places - awful.
The random thing is good practise, heck you can do it easier - set all PC passwords the same then change them remotely using a script which saves the passwords (unique for each machine) to an encrypted USB and once done - remove the USB!

Also I like that you're trying to check out about the security but remember, the kid might be breaking the law but unless you've got it written into the agreement that the kid has with you and local laws allow, it's illegal for you to keylog him.

Oh and just a reminder for ANYONE involved in ANYTHING like this - decrypting or attempting to decrypt SSL data or capture data sent over SSL [including keystrokes] is illegal in the UK and EU, not sure about america - and you will get in serious trouble if you attempt to use that as evidence as anything because the data could be confidential such as the user's credit card details.

#27 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 26 January 2013 - 00:01

What is in the UK is not in the US, when it comes to this topic at least.

#28 OP bowl443

bowl443

    Neowinian

  • Joined: 17-July 07
  • Location: Tx

Posted 28 January 2013 - 14:44

Friday afternoon was spent changing the local admin passwords on the labs that the students have access to. We also set the HDD as the only boot device and locked down the bios with a stong password. This can be reset very easily with the jumpers on the motherboard, so now we are looking at locks for the cases.

Luckily with the security that was already in place(I've been at this job since Thanksgiving), the user's 'hack' was isolated to the local machine. Sure, he knows a local admin password, but we caught him in another lab trying a series of passwords and none worked since each lab has a different local admin password. So that policy was effective as well.

Thanks for all the input.

#29 OP bowl443

bowl443

    Neowinian

  • Joined: 17-July 07
  • Location: Tx

Posted 29 January 2013 - 21:50

We interviewed the kid this morning and now we know how he did it.



This is a big problem... short of disabling sticky keys with a registry entry, there is no way to stop this.

Thoughts?

#30 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 29 January 2013 - 22:09

where do they save their documents?
smartshield http://www.centurion...martshield.aspx
have fun with breaking things...reboot they revert back, the downside..don't save anything to the c drive or do installs/updates with the it enabled. You can set specific times for auto updates to execute so that it unlocks.