Recommended Posts

Security implementations are in many places - awful.

The random thing is good practise, heck you can do it easier - set all PC passwords the same then change them remotely using a script which saves the passwords (unique for each machine) to an encrypted USB and once done - remove the USB!

Also I like that you're trying to check out about the security but remember, the kid might be breaking the law but unless you've got it written into the agreement that the kid has with you and local laws allow, it's illegal for you to keylog him.

Oh and just a reminder for ANYONE involved in ANYTHING like this - decrypting or attempting to decrypt SSL data or capture data sent over SSL [including keystrokes] is illegal in the UK and EU, not sure about america - and you will get in serious trouble if you attempt to use that as evidence as anything because the data could be confidential such as the user's credit card details.

Friday afternoon was spent changing the local admin passwords on the labs that the students have access to. We also set the HDD as the only boot device and locked down the bios with a stong password. This can be reset very easily with the jumpers on the motherboard, so now we are looking at locks for the cases.

Luckily with the security that was already in place(I've been at this job since Thanksgiving), the user's 'hack' was isolated to the local machine. Sure, he knows a local admin password, but we caught him in another lab trying a series of passwords and none worked since each lab has a different local admin password. So that policy was effective as well.

Thanks for all the input.

where do they save their documents?

smartshield http://www.centurion...martshield.aspx

have fun with breaking things...reboot they revert back, the downside..don't save anything to the c drive or do installs/updates with the it enabled. You can set specific times for auto updates to execute so that it unlocks.

So why would his account have access to windows system32? Are you saying he booted the recovery tools that are installed on the disk or did he just have access to the folder in the first place?

A known way to access the windows system32 folder is via startup recover and then using the notepad file browser, etc..

Can you just disable those from booting with something like

bcdedit /set {default} recoveryenabled No

bcdedit /set {default} bootstatuspolicy ignoreallfailures

I thought there was a way to remove them completely or not install them in the first place. Its been awhile since I had to play with this sort of stuff.

Normal account should not be able to access the windows/system32 dir, and if you prevent boot from media remove the option to get to the recovery tools that might be installed on the disk you should be able to still allow for sticky keys ;) While preventing this sort of attack.

edit: So curious is this a OEM sort of installation, custom image your dept deploys? is there a recover folder with a winre.wim file? Having the recovery tools on the HDD that anyone with local access could boot is going to allow for all sorts of nasty things to be able to be done. I would completely remove those features. Admins should have to either reimage the machine or boot their tools after knowing the bios password so they can alter the boot menu, etc. Yeah it can be pain -- but if you want to prevent this sort of thing, then some pain has to be felt ;)

  On 25/01/2013 at 14:47, eXtermia said:

However if you enforece bitlocker with the key being backed (with hardware TPM) up to AD and only recoverable from AD admins there is no way they can use any off the street tool to add thierselves as Admin.

This is only true if it?s TPM 2.0. TPM 1.2 key security is defeated, as it has had known vulnerabilities for years that allow attackers to extract stored encryption keys. Also, motherboards that have the TPM as a removable card suffer from Man in the Middle attacks that allow you to observe the key in transit when released to the system assuming measured boot thinks no changes have occurred. TPM 1.2 keys are only secure when used in conjunction with +PIN, +USB, or +Network Unlock.

The primary reason to use TPM 1.2 without two-factor authentication is for a measured boot.

As of yet I haven't encountered any devices containing a TPM 2.0.

See the response in this article and see if it helps

1. Consider a BIOS boot password

2. Consider an FDE PIN based system

3. Consider 2FA for interactive logon

4. With Windows consider domain auth (no cached credentials) for interactive logons

5. With Windows consider do not store LANMAN Hash

6. With Windows consider protect the SAM DB using SYSKEY

7. Consider Require Smartcard for interactive logon.

8. Or a combination of the above.

http://www.infosecisland.com/blogview/15031-How-to-Log-In-to-Windows-Without-the-Password.html

BM - he used the driver signing option at boot and broke Windows so that it would launch its own repair, from there he used notepad to open a file browser. His student account did not have access to the system32 directory.

Yes, the techs image the labs and do mass rollouts of the computers. And yes, you're right- more security = more pain. But it's for the chillren, right? I'll start looking at ways to disable the recovery feature. Thanks for pointing me in that direction.

I have been reading this topic with a lot of interest...you have to give the kid some credit for his ingenuity. But I have a couple of observations:

1. Since he reset the password for the local admin and not for domain (which is a big headache I admit)...how much trouble can he cause. Since it is local he cannot access domain shares, accounts, etc...

2. I love budman's last post to edit the boot process and prevent access the recovery console. Between that and disabling boot options within the bios you should be able to prevent this in the future.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • If you use AdGuard on your PC, you can find the new "Disable Windows Recall" feature in Settings > Tracking Protection. The "Disable Windows Recall" feature in Adguard 7.21 in turned on by default. No need to do anything if you want to use the feature.
    • Saw this on Twitter/X. Can't imagine the emotional rollercoaster going on inside of her head.
    • It's telling how brainwashed  and triggered you are that you immediately think it's because he was MAGA.    There's tons of things he's done throughout his wrestling career alone that wrestling fans right wing/ or left wing have problems with.  Not to mention his personal life. 
    • UK enforces strict new online age checks today by Paul Hill As of today, July 25, 2025, new Ofcom regulations mandate that “highly effective” age checks are in place for online services. These new rules apply to any websites or platforms that host pornography, self-harm, suicide, or eating disorder content. Major platforms like Pornhub, Bluesky, Discord, Grindr, Reddit, and X have committed to implementing age-gating. These age checks are part of the broader Online Safety Act, which is designed to make the internet safer, particularly for kids. These measures move away from just confirming you’re 18 by clicking a button to having to actually verify your age with ID or a face scan, but this move is not without its critics. Starting today, Ofcom will actively check compliance with the new rules and start launching investigations into non-compliant services, starting next week. The current enforcement program that’s focused on studio porn services is extending to all platforms allowing user-shared pornographic material, not just those websites dedicated to that. Ofcom is also launching another enforcement program that will target websites specifically dedicated to harmful content like self-harm, suicide, eating disorders, and extreme violence/gore. Ofcom has strong enforcement powers under the Online Safety Act, it can dish out fines of up to 10% of qualifying worldwide revenue or £18 million. For the worst offenders, Ofcom can even get websites blocked in the UK. Ofcom is already investigating 11 companies that it doesn’t think are following the rules. Aside from age checks, Ofcom’s Codes also require websites to protect children from dangerous stunts, misogynistic, violent, hateful, or abusive material, and online bullying. Algorithms of social media will need to be configured to block harmful content in children’s feeds, for example. Ofcom will be launching an extensive monitoring program requiring risk assessments by August 7 and practical action disclosures by September 30. While some have criticized the Online Safety Act, research cited by Ofcom shows that 71% of UK parents think the changes will positively impact children’s online safety, with 77% being optimistic about the age checks specifically. With that said, a significant minority of parents (41%) are skeptical about whether tech firms will follow the rules. Source: Ofcom | Image via Depositphotos.com
    • Microsoft has known to toggle settings in Windows Updates.
  • Recent Achievements

    • Very Popular
      d4l3d earned a badge
      Very Popular
    • Dedicated
      Stephen Leibowitz earned a badge
      Dedicated
    • Dedicated
      Snake Doc earned a badge
      Dedicated
    • One Month Later
      Philsl earned a badge
      One Month Later
    • One Month Later
      armandointerior640 earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      624
    2. 2
      ATLien_0
      240
    3. 3
      Xenon
      163
    4. 4
      +FloatingFatMan
      124
    5. 5
      neufuse
      123
  • Tell a friend

    Love Neowin? Tell a friend!