
Security implementations are, in many places, awful.

The random thing is good practice, heck you can do it easier - set all PC passwords the same then change them remotely using a script which saves the passwords (unique for each machine) to an encrypted USB and once done - remove the USB!

Also I like that you're trying to check out about the security but remember, the kid might be breaking the law but unless you've got it written into the agreement that the kid has with you and local laws allow, it's illegal for you to keylog him.

Oh and just a reminder for ANYONE involved in ANYTHING like this - decrypting or attempting to decrypt SSL data or capture data sent over SSL [including keystrokes] is illegal in the UK and EU, not sure about America - and you will get in serious trouble if you attempt to use that as evidence of anything because the data could be confidential such as the user's credit card details.

Friday afternoon was spent changing the local admin passwords on the labs that the students have access to. We also set the HDD as the only boot device and locked down the BIOS with a strong password. This can be reset very easily with the jumpers on the motherboard, so now we are looking at locks for the cases.

Luckily with the security that was already in place (I've been at this job since Thanksgiving), the user's 'hack' was isolated to the local machine. Sure, he knows a local admin password, but we caught him in another lab trying a series of passwords and none worked since each lab has a different local admin password. So that policy was effective as well.

Thanks for all the input.

where do they save their documents?

smartshield http://www.centurion...martshield.aspx

Have fun with breaking things... reboot and they revert back. The downside: don't save anything to the C drive or do installs/updates with it enabled. You can set specific times for auto updates to execute so that it unlocks.

So why would his account have access to windows system32? Are you saying he booted the recovery tools that are installed on the disk or did he just have access to the folder in the first place?

A known way to access the Windows system32 folder is via startup recovery and then using the Notepad file browser, etc.

Can you just disable those from booting with something like

bcdedit /set {default} recoveryenabled No

bcdedit /set {default} bootstatuspolicy ignoreallfailures

I thought there was a way to remove them completely or not install them in the first place. It's been a while since I had to play with this sort of stuff.

A normal account should not be able to access the windows/system32 dir, and if you prevent boot from media and remove the option to get to the recovery tools that might be installed on the disk, you should be able to still allow for sticky keys ;) while preventing this sort of attack.

edit: So curious, is this an OEM sort of installation or a custom image your dept deploys? Is there a recovery folder with a winre.wim file? Having the recovery tools on the HDD that anyone with local access could boot is going to allow for all sorts of nasty things to be able to be done. I would completely remove those features. Admins should have to either reimage the machine or boot their tools after knowing the BIOS password so they can alter the boot menu, etc. Yeah it can be a pain -- but if you want to prevent this sort of thing, then some pain has to be felt ;)
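A PowerShell audit script, added here as an example and not part of the thread, that checks the two bcdedit settings from the post above plus the on-disk WinRE status (via reagentc /info) and prints what still needs changing on a lab machine. It assumes an elevated prompt on Windows 7 or later, where bcdedit and reagentc exist.

```powershell
# Added example (not from the thread): report whether the on-disk recovery
# environment can still be reached from the boot menu on this machine.
# Assumes an elevated prompt; both bcdedit and reagentc need admin rights.

function Get-BcdValue {
    param([string]$Entry, [string]$Name)
    # bcdedit /enum prints "name   value" lines; return the value for $Name
    $line = bcdedit /enum $Entry | Where-Object { $_ -match "^\s*$Name\s+" }
    if ($line) { return (($line | Select-Object -First 1).Trim() -split '\s+', 2)[1] }
    return $null
}

function Get-WinReStatus {
    # reagentc /info prints "Windows RE status:   Enabled|Disabled"
    $line = reagentc /info | Where-Object { $_ -match 'Windows RE status' }
    if ($line) { return ($line -replace '^.*:\s*', '').Trim() }
    return 'Unknown'
}

$recoveryEnabled = Get-BcdValue -Entry '{default}' -Name 'recoveryenabled'
$bootPolicy      = Get-BcdValue -Entry '{default}' -Name 'bootstatuspolicy'
$winReStatus     = Get-WinReStatus

$findings = @()
if ($recoveryEnabled -ne 'No') {
    $findings += "recoveryenabled is '$recoveryEnabled' (F8/failure path can reach recovery tools). Fix: bcdedit /set {default} recoveryenabled No"
}
if ($bootPolicy -ne 'IgnoreAllFailures') {
    $findings += "bootstatuspolicy is '$bootPolicy' (a forced boot failure drops into repair). Fix: bcdedit /set {default} bootstatuspolicy ignoreallfailures"
}
if ($winReStatus -eq 'Enabled') {
    $findings += "WinRE is enabled on disk (winre.wim is registered). Fix: reagentc /disable"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: recovery environment not reachable from the boot menu."
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Disabling WinRE also removes the admin's own on-disk repair path, so pair it with the BIOS password and boot-order lock the thread already describes and keep a bootable admin toolkit.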

  On 25/01/2013 at 14:47, eXtermia said:

However if you enforce BitLocker with the key being backed up (with hardware TPM) to AD and only recoverable by AD admins there is no way they can use any off-the-street tool to add themselves as Admin.

This is only true if it's TPM 2.0. TPM 1.2 key security is defeated, as it has had known vulnerabilities for years that allow attackers to extract stored encryption keys. Also, motherboards that have the TPM as a removable card suffer from Man in the Middle attacks that allow you to observe the key in transit when released to the system assuming measured boot thinks no changes have occurred. TPM 1.2 keys are only secure when used in conjunction with +PIN, +USB, or +Network Unlock.

The primary reason to use TPM 1.2 without two-factor authentication is for a measured boot.

As of yet I haven't encountered any devices containing a TPM 2.0.

See the response in this article and see if it helps

1. Consider a BIOS boot password

2. Consider an FDE PIN based system

3. Consider 2FA for interactive logon

4. With Windows consider domain auth (no cached credentials) for interactive logons

5. With Windows consider do not store LANMAN Hash

6. With Windows consider protect the SAM DB using SYSKEY

7. Consider Require Smartcard for interactive logon.

8. Or a combination of the above.

http://www.infosecisland.com/blogview/15031-How-to-Log-In-to-Windows-Without-the-Password.html

BM - he used the driver signing option at boot and broke Windows so that it would launch its own repair, from there he used notepad to open a file browser. His student account did not have access to the system32 directory.

Yes, the techs image the labs and do mass rollouts of the computers. And yes, you're right - more security = more pain. But it's for the chillren, right? I'll start looking at ways to disable the recovery feature. Thanks for pointing me in that direction.

I have been reading this topic with a lot of interest...you have to give the kid some credit for his ingenuity. But I have a couple of observations:

1. Since he reset the password for the local admin and not for the domain (which is a big headache I admit)... how much trouble can he cause? Since it is local he cannot access domain shares, accounts, etc.

2. I love budman's last post to edit the boot process and prevent access to the recovery console. Between that and disabling boot options within the BIOS you should be able to prevent this in the future.
