Solved

How to prevent smart users from changing administrator password from outside?

Posted on 2003-03-09
Last Modified: 2010-04-13
Dear sir,
I have a computer lab that is under my control. I'm using Windows 2000 Server, Group Policy and Active Directory to control the Windows 2000 Professional clients in the lab, but there is one student who can boot from a disk and change the administrator password without logging in to Windows 2000, and he changes the administrator password without knowing the original one...
He learned this stuff from the internet and I want to prevent him... How can I prevent him?
Question by:aabuodeh
16 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8101087
Take the floppy drive out of the computer or get one that locks. Or use the BIOS to set up a password so a password is required to boot the system. Be warned, though, there are ways to defeat this as well.


The Crazy One
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8101100
There really isn't anything inside of Win2000 that can be used to prevent this, since it is a backdoor exploit, which means that this password can be hacked without Win2000 even running.
0
 

Author Comment

by:aabuodeh
ID: 8101134
Thank you CrazyOne, but I can't remove the floppy drive or even put a BIOS password because it's a lab, it's open and students and staff use it and they need to use the floppy, and I can't put a BIOS password because this will make a big problem...
If I can't prevent him then where is the security? It's a big threat.

Ali,
0

 
LVL 44

Expert Comment

by:CrazyOne
ID: 8101175
>>>If I can't prevent him then where is the security

There isn't. No matter what one does, even the myth about Unix and Linux being secure proof is that there are always backdoors and exploits that abound. The only true secure system is one that is watched and guarded 24/7. And even then there are ways around that. Banks probably have some of the most secure systems in the world, yet they lose millions, perhaps billions, of dollars a year to people either breaking into their systems or breaking into other systems and stealing credit card numbers.
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 8101305
I agree with CrazyOne here. So long as somebody has physical access to a machine there is NO way to guarantee security on it--you can make it harder for the hackers by taking steps like removing the floppy drives or adding BIOS passwords, but the only guaranteed secure machine is one which is locked in a cupboard with no Internet access, which wouldn't be all that useful...
0
 
LVL 3

Accepted Solution

by:
Flash828 earned 90 total points
ID: 8101385
Change the boot order in the BIOS to be Hard Drive Only.  Then set a password to get into the BIOS.  That way BOOTING from a floppy is prevented.  I am also in charge of a computer lab, and this is what we have in place.  If they cannot boot into another OS, security (regarding this matter) is maintained.  Since this will prevent any access before Windows Loads, it now becomes a windows issue.  Select a secure password for the Administrator account, and make sure that users get assigned into the "users" group, and not any other group.  With this in place, I fail to see how this security is circumventable, short of the user opening the case and resetting the BIOS password, which is a very bold and hard to hide move.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8101389
BTW the BIOS password I'm talking about is in order to ACCESS the BIOS, not to boot. One would only need to enter this password if they want to change BIOS settings. Should one just turn the power on for the machine, it would boot straight into Windows (EG boot order is Hard Disk only).
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8101390
Oh, and sorry for the barrage of posts, but this would also allow for ANYONE to use the floppy drive at will... just not to boot from.
0
 

Author Comment

by:aabuodeh
ID: 8101424
Thank you Flash828, it's a good idea to make booting just from the hard disk, and I've already put the users in the users group... but what I'm looking for is protection from Windows 2000 itself. Yes he can't just open the case and remove the jumper to disable the password, but the question is: is there no way to fix it from inside Windows?
Ali,
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8101521
Hi!

No, how would you be able to fix something from inside Windows when this isn't a Windows issue?

The reason he can change the admin pass is that he boots into another OS on floppy, and hence Windows isn't running, and therefore you cannot prevent this by setting user rights or anything like that in Windows.

This applies to any computer and OS: a computer that an intruder has physical access to can always get hacked no matter what you do; all you can do is make it a little harder to hack. It's easier to safeguard a computer which intruders only have remote access to, but you might still get hacked. There's not much to do really; if someone tries hard enough, most computers and systems are hackable.

Regards
/Hans - Erik Skyttberg
0
 
LVL 2

Expert Comment

by:nomisp
ID: 8101565
I agree with Flash828, put this in place as a general measure, then tell the student, or all of them for that matter, that they will be banned if they deliberately change or damage the computers.
0
 
LVL 22

Expert Comment

by:dan_blagut
ID: 8101631
Hi
Why don't you leave him with an account named administrator...
Just rename the administrator account to guest or something and leave him alone. Do not share the new admin account name with the students...

0
 
LVL 3

Expert Comment

by:SimonL-UK
ID: 8102023
As everyone else is saying, the only way to change the computer is if you boot to another OS to gain access to the hard disk.

1) Change the boot order so that the computer only boots from the hard disk (So set it to boot from drive C and nothing else - inc. the CD-ROM, PXE, etc).

2) Put a password on the BIOS.  Change it to SETUP so that the computer can boot, but upon attempt to access the BIOS, you will be challenged for a password.

By doing this, students CANNOT boot to another operating system to gain access to the hard disk.  The only ways round this are:

1) Entering the BIOS password and changing the boot order
2) Physically removing the HD, placing it into another machine and accessing it
3) Some motherboards have BIOS recovery modes which enable you to reflash them/reset default setup.

The above would be a breach of a university/college/etc policy resulting in a ban, getting kicked off the course, etc.

0
 
LVL 6

Expert Comment

by:danich
ID: 8102953
The other posts have all covered what needs to be done for the machine. Bottom line is if you cannot secure physical access to the machine, you can't secure the machine.


A friend of mine once said there are no technological solutions for behavioral problems.

Make it a rule in the lab that doing this bypass procedure is grounds for expulsion from the class and being reported to the dean for misuse of campus resources.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8106107
Also, we have one of those network cameras that nobody ever watches in our labs. But of course, the students don't know that. Also, we have a message come up that says that everything is logged... blah blah blah. Of course, if this guy knows what he's doing, that's not going to stop him.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8109112
why'd I get a C for that?
0
