prevent admin password crack disk

I recently worked on a computer issue for family we all know how that is.... where they purchased a laptop and they did not change the admin password. I did crack this and fixed it but realized how vulnerable my network at work was to this kind of attack. basically I used a linux type disk to do this I won't go into details so that I don't give any information or how to's.but I wanted to know how can I prevent people from doing this to my laptops or desktops. basically how do I prevent programs from taking the hash and deciphering the password . I don't want to prevent all boot disk as I may need them for recovery myself. I wasn't worried as much when these programs just reset the admin password because I would be able to tell but when nothing changes and they just learn the password that can be very dangerous. any advice on this is greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
It's a problem.  

You CANNOT be secure... you can only manage risk...

Disable booting from other media and put a BIOS password in place.   Then lock the cases with locks.  This will allow YOU to enter BIOS and alter the boot config if you have to, otherwise, the users cannot boot off such media.

Better still replace everything with thin clients.
Good advice leew.
I would add that the ultimate problem is bad guys having direct physical access to the PC.  There is still the opportunity to remove the disk.  In cases where the data on the drive must remain secure, we always recommend full disk encryption.
Lee W, MVPTechnology and Business Process AdvisorCommented:
A pen-tester I know told a story of one client from the pre-dot-com-bust era...

Their admins thought they were doing so well in security... so their CxO hired this guy to come in an audit their measures.  Their conference room had a large glass window into their in-house data center.  While the admins were at one end of the table, the pen-tester and CxOs were at the other.  The sys admins were bragging about how they thought they were so well secured... while the pen-tester was opening documents on his laptop for the CxOs that he shouldn't have been able to access... After a short time, he excused himself to go to the bathroom... and instead, went into the data center and pulled the power cord on their mail server.  He watched in amusement as the admins had all their pages going off simultaneously and they turned around to see him waving at them.  He plugged the server back in, and returned to the conference room, where he proceeded to explain what could be done to prevent things like that... of course, he LOCKED THE DOOR to the datacenter as he left.  

I'm not 100% certain I'm retelling it 100% accurately... but I know very well it's a 100% plausible story.  Physical security is at least as important as security policies and encryption... imagine if a competitor posed as a delivery person or something and came in and pulled the plugs/drives from a bunch of servers REALLY quickly because the door was STUPIDLY left unlocked... no data is stolen... but possible corruption and BAD PR as they have an outage that their competitors don't have...
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Toni UranjekConsultant/TrainerCommented:
If you are using Vista, enable BitLocker drive encryption, or use TrueCrypt on other operating systems to prevent offline password attacks.
whiteblue462Author Commented:
a follow up on this can I enable a bios password and boot sequence through group policy.. maybe a script out there or something along those lines. thanks for all the help in this matter.
Lee W, MVPTechnology and Business Process AdvisorCommented:
It depends on your clients - BIOS is NOT a Microsoft product, but there are SOME BIOS I've heard of (I think on Dell OptiPlex systems, for example), that you can control through a centralized management solution - not sure if it would be SPECIFICALLY Active Directory - but SOME kind of centralized management.

Really, that has to be supported by the computer manufacturer...
Rich RumbleSecurity SamuraiCommented:
Skip the bios pass, doesn't solve the issue and every MB maker has a way to reset to nothing, Dell it's a jumper, others is to remove the Cmos battery, and for me, it's removing the HD from the case because who wants to fiddle with looking up what jumper to move :)
As stated above, HD encryption, be it a managed solution like PointSec, a stand-alone suite like TrueCrypt, or a SeaGate FDE hardware encrypted drive[momentus] (dell sells these too for many LT's)
Again, booting off a CD or removing the hd and getting access to the SAM to BF the pass's via a Rainbow table or good ol JTR or LC5, a bios pass does nothing. You also don't even need to BF the pass, you can simply write a file to all users->startmenu->startup and it will install a rootkit/keylogger etc... as soon as you login.
If that seems out of the realm of possibility then you may also consider the option in syskey for a password to boot. Does not protect from the last scenerio, however it does add an password that is asked for before any password stored in the SAM database. Syskey is enabled in XP by default, however it presents no challenge for password tools, the only, again the only other syskey option that has any potential to thwart password cracking is to store the syskey files on a floppy. I'd advise against it, as there are easier and better solutions such as TrueCrypt.

If nothing else, make sure you have good backup's, this is a tool I can't recommend enough:
Works on IDE/SATA for LT hard-drives and 3.5" dirves, it's great!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:

That's why I said LOCK THE CASE.
Rich RumbleSecurity SamuraiCommented:
Can't lock a LT, nonetheless, I think there are better options available, that's all. I do lot's of recovery and bios passwords annoy me ;) And the case is never locked, but your right, it should be if your going to rely on that method, I didn't mean to imply otherwise, but I see that it looks that way. I'm jaded, that all that is
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.