Windows 7 easily hacked by standard user!



OK maybe 'hacked' is too strong a word, but I have set my brother's account to a Standard User and he routinely manages to change his account back to an Admin, without even having to restart the computer. The password for my account remains unchanged too. I know there is a hidden admin account in Windows, and I've also set a password for that also, but it doesn't stop him. There could be a keylogger, but how do I search for it? Somehow I think he's doing it by using Command Prompt or Run. Under his Run, there is one entry "control userpasswords2", which allows the user to change rights and passwords, but since there is UAC, he would still need my password. Any ideas on how he is doing it?

I need him as a Standard User so that I can set up parental controls for him. Buggers plays games all day long.

Link to comment

IIRC control userpasswords2 can easily be accessed even when UAC is in place. I just did it on a work PC and I do not have admin access. If you really want to lock him down, put him on a domain and implement group policies by giving him a logon haha, a lot of work for a home network though...

Boot disk would be my guess also - I've used those a lot to change passwords. Put a BIOS password on ;) and hope he isn't savvy enough to reset it lol

Link to comment

I've changed my password, and I very much doubt he is using a boot disk.

I just tried running "control userpasswords2" from the Run program on a Standard user account and it does prompt for an Admin password. Are you sure it doesn't need one?

How do I set a BIOS password? I do not want to restrict him from accessing Windows, I just need to implement parental controls.

Link to comment

If he's savvy enough to change his account back (although it's not overly hard), you're probably going to need more than Windows parental controls to stop him playing games :p

You set a BIOS password by going into the BIOS on startup and selecting "Set supervisor/BIOS/CMOS password" (or something similar).

Change the boot order to disable booting from a disk anyway, to make sure. You can still boot from a disk with the password in the future if needed.

Be careful to set only the BIOS password and not a HDD password. HDD password will stop him from booting into Windows at all.

He's probably just disabling UAC beforehand? Standard users can sometimes do that depending on how the account is set up.

Link to comment

Ok thanks. What does a BIOS password accomplish? Will it ask for a password whenever the PC boots up? Because that would be too restrictive. I didn't know Windows 7 was this vulnerable. :laugh:

Link to comment

Yeah, could've hacked the SAM file and gotten the admin password that way. If he's smart enough to think of doing that, I wouldn't bother trying to lock him out. Locking any PC down, especially one at home, is going to encourage it even further... How old is he? If he's young enough it's a matter of discipline how long he should be playing games for anyway IMO...

If I see a locked down PC, I feel 10 times more motivated to try and get past it than if I have an 'unsecure' PC coupled with rules from a person of authority. That's just me though - simply an opinion!

BIOS password will (once you change the boot order yourself) stop him booting from a CD/USB drive etc. It will not ask for the password on bootup unless he tries to access the BIOS to change something.

Link to comment

Why does he need a standard account? Just leave him with an admin, I'm sure if he's smart enough to keep getting around whatever you're doing he's smart enough not to damage the machine and old enough to be given some rights. If he has physical access to the machine he will always find a way around it.

Link to comment

Haha I'm tempted. :laugh:

He's 15 years old. I'm not always home, and my parents don't know much regarding computers, so I thought parental controls would be enough. Microsoft beaten by a 15 year old. And believe me, he ain't savvy at all. He's most likely using Google + some of his online buddies.

Link to comment

There are a number of ways to bypass UAC as a standard user. The easiest is to create a scheduled task that can run as an admin. The Windows Installer technologies provide another method. And there are several others that involve API calls.

Microsoft claimed, in response to people pointing out the above vulnerabilities, that UAC is not meant to be a security measure. :blink:

If I were you I'd turn on account auditing and see if he logs in using your credentials.

Finally, keep in mind that no matter what you do, anyone with physical access to a machine can bypass any security method. Even 2-factor whole-disk encryption can be bypassed trivially (especially if you've got a firewire port). It's a fundamental problem in computer security.

Link to comment

OK I turned on account auditing by running secpol.msc, going into audit policy, right-clicking both Audit account logon events and Audit logon events and ticking both Success and Failure. That's the correct procedure right?

Now that I have turned it on, how do I monitor for any suspicious activity?

Link to comment
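
One way to review what that audit policy records, as an added example that is not part of the original thread: a PowerShell query of the Security log for logons that used an administrator account and for additions to local groups. The account names in `$Watched` and the 7-day window are placeholders; event 4732 is only written if "Audit account management" is also enabled in the same Audit Policy node.

```powershell
# Added example: run from an elevated PowerShell prompt on the audited PC.
# $Watched and $Days are assumptions; replace the placeholder account names.
$Watched = 'OwnerAccount', 'Administrator'   # placeholder names of the admin accounts
$Days    = 7

# Event IDs written to the Security log on Windows Vista/7 and later:
#   4624 successful logon, 4625 failed logon        (Audit logon events)
#   4648 logon attempted with explicit credentials  (Audit logon events, e.g. runas)
#   4732 member added to a local security group     (Audit account management)
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648, 4732
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Read the named <Data> fields from the event XML rather than by position.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Keep every group-membership change, plus logon events for a watched account.
    if ($_.Id -eq 4732 -or $Watched -contains $data['TargetUserName']) {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Target    = $data['TargetUserName']   # account logged on, or group changed (4732)
            By        = $data['SubjectUserName']  # account that made the request
            LogonType = $data['LogonType']        # 2 = at the console, 10 = Remote Desktop
            Member    = $data['MemberSid']        # 4732 only: SID of the account added
            Process   = $data['ProcessName']      # program that requested the logon
        }
    }
} | Sort-Object Time |
    Format-Table Time, EventId, Target, By, LogonType, Member, Process -AutoSize
```

Rows to look at first are 4624 or 4648 entries for an administrator account at times its owner was not at the PC, and any 4732 entry whose Target is Administrators.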

Come on man... he is freaking fifteen, not a freaking child. You need to lighten up. Maybe if you would trust him a lil bit. He knows you don't trust him, that's why he is going through these measures. It's what all normal 15-year-olds do... rebel against a higher authority figure. My kids are 9 and under and I don't put this kind of restrictive measures on my kids, because I trust them. They know that if they do something inappropriate with my computer, all computer use is cut off till I see fit. Geez, my kids even use my user account.

Link to comment

Not sure of what steps you have taken to keep your brother from accessing control of your computer so I will not attempt to explain what is happening. But, what I will direct you to is a book put out by Microsoft Press titled "Microsoft 7 Step by Step." In this publication under chapter 4 is a detailed explanation of how to set up a secure "User Account." It will also direct you to other chapters that show how to lock down your computer so that Guest users cannot take control of your System.

Also, setting the BIOS password in most cases locks down the computer so only you can start it up, albeit there is a simple way around that, and if your brother knows anything about computers he should be able to figure it out (it involves resetting a jumper on the MB.)

Link to comment

OK, first... to make sure there are no bad keyloggers or the like

I suggest you go into your account, end all processes, and end all unnecessary services: that way there's no chance of a keylogger (also make sure there's no extra adapter attached to the keyboard, because there are hardware keyloggers)

THEN change your password,

after that recreate his user account just to make sure there's nothing autostarting with admin privileges

after that restart and lock the BIOS setup with a password (this is different than a password to boot)

also try to use different passwords this time,

and make sure that "Boot from cd/dvd:" in BIOS is set to boot last, that way he can't use a CD/DVD to change his account

if that doesn't work... daymt this kid is good, or you're missing something

:whistle:

Link to comment
