How to Defend Against KOn-Boot on Windows 7 Systems

How do you defend against Kon-Boot when it bypasses the password and people can get to local files.

Is there anyway to defend against it?

I assume this only works on local passwords and not domains correct?
ATL74 asked:
 
joelsplace commented:
I just installed a program called USBLockRP.  It monitors usb ports and locks the screen when an unauthorized device is in a usb port.  It ignores keyboards and mice and you can authorize other devices as needed.  It's not free but it does work.  It wouldn't keep them from booting the machine and I'm not sure what it would do with a Kon-booted usb key but they have a free trial.  It would prevent anyone from stealing files with a usb device.
Tell them Joel sent you.  I just bought 100 seats from them last week.
0
 
Run5k commented:
You can potentially disable your optical drive and your USB ports, but from my perspective the only way to really protect yourself from either USB or CD-based utilities that reset/bypass the local Windows passwords is to encrypt the hard drive.  Otherwise, people can find a variety of utilities to gain local access... Linux Live CD, etc.
0
 
Stelian Stan (Network Administrator) commented:
Encryption is your KEY (TrueCrypt - http://www.truecrypt.org/downloads). It's free and it does what you need.
0
 
joelsplace commented:
Is there some reason you have important files stored locally?
0
 
johnb6767 commented:
Technical question regarding Konboot..... (don't worry, not trying to gain information other than possibly how to defend against it).....

Having never used it, how does it pick a username to logon as?

Local Admin? If so, Windows 7 keeps it disabled by default, does it enable and skip the passwords regardless of strength?
Last User logged on? Perhaps setting policy to wipe that field in the registry?
Recurses the local SAM for local accounts?

@joelsplace

"I just installed a program called USBLockRP.  It monitors usb ports and locks the screen when an unauthorized device is in a usb port."

Does it work from a BIOS level or only via Windows?
0
 
joelsplace commented:
It's just Windows.  BIOS level would disable all USB devices.  It should work even when logging into Windows via bypassed password.  It won't help if booting another OS.  I set the BIOS to only boot from the hard drive so they can't boot from a USB device.  Password protect the BIOS obviously.
0
 
ATL74 (Author) commented:
Does Kon-Boot work on domain passwords logins?
0
 
johnb6767 commented:
I was under the impression that it didn't REMOVE passwords at all..... That's not the case?
0
 
David Johnson, CD, MVP (Owner) commented:
When you say "Kon-Boot just reboots Windows and sets an empty password for all accounts it finds" that is misleading. My understanding is that Kon-Boot does not change any passwords, it just patches the Windows kernel in memory, so any password you type passes the authentication test. Unless you change a password or make some other changes, Kon-Boot makes no changes to the hard drive, so when you reboot everything is the same as it was. At least that's how it worked when I tested it a year ago. source

KonBoot will not work over domains as the local machine does not do the authentication.
0
 
ATL74 (Author) commented:
So if I understand correctly, anyone that could get physical access to your server and run Kon-Boot could pretty much get to all the documents stored on the file server.

I guess the only way to defend against that is prevent physical access and / or disable all local accounts which could bite you.
0
 
Stelian Stan (Network Administrator) commented:
That's right.
0
 
Run5k commented:
As I said before, unless you actually encrypt the hard drive, gaining physical access to the machine will allow a rather computer-literate person to gain access to the stored files & folders.
0
 
David Johnson, CD, MVP (Owner) commented:
That is why when you deal with security, you have to consider physical security as well as computer security. Crazy glue works well to disable USB ports, and put the servers in a locked room.
0
 
ATL74 (Author) commented:
Most of my clients are small medical, dental, and lab offices. My fear for them is someone breaking in and stealing the server along with the desktops. The desktops are no issue because nothing is kept on them, but the server has patient medical data, SSN numbers, credit card and other financial info.
0
 
Run5k commented:
If that's the case, as many of us have already said physical security is critical.  Normally there are multiple layers of physical security in place to avoid allowing an outsider to gain physical access to the servers themselves.
0
 
David Johnson, CD, MVP (Owner) commented:
The server must have the drives encrypted with BitLocker/TrueCrypt and have a password on boot. Just follow standard password rules, i.e. minimum length and complexity. Btw, DOg.................... is more secure than P&W@|\/vag^}  (capital D, zero, lower case g and a string of periods) and easy to remember, but hard to crack.
0
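The advice above from Run5k and David Johnson is to encrypt the drive and require a password at boot. The following audit script is an added example, not code from the thread or from any poster; it assumes BitLocker (Windows 7 Enterprise/Ultimate), uses the Win32_EncryptableVolume WMI class (the Get-BitLockerVolume cmdlet does not exist on Windows 7), and must be run from an elevated PowerShell session. It reports whether the OS volume is protected and whether a pre-boot authenticator (TPM+PIN, passphrase or startup key) is present, which is what stops an offline boot tool from ever reaching the logon screen.

```powershell
# Added example: audit BitLocker on the OS volume and confirm a pre-boot
# authenticator exists. Assumes Windows 7 with BitLocker available; run as admin.

$osDrive = $env:SystemDrive   # e.g. "C:"

$vol = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
                     -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$osDrive'"
if (-not $vol) { throw "No Win32_EncryptableVolume for $osDrive (BitLocker not available?)" }

# ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown/locked
$status = $vol.GetProtectionStatus().ProtectionStatus

# KeyProtectorType codes as documented for Win32_EncryptableVolume
$typeNames = @{
    0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (startup key)'
    3 = 'Numerical recovery password'; 4 = 'TPM + PIN'; 5 = 'TPM + startup key'
    6 = 'TPM + PIN + startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}
# Protectors that demand something the holder of the box does not have before Windows loads
$preBootTypes = 2, 4, 5, 6, 8

# GetKeyProtectors(0) returns all protector IDs; resolve each to its type code
$ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
$types = @()
foreach ($id in $ids) {
    $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
}

Write-Host "Volume $osDrive protection status: $status"
foreach ($t in $types) { Write-Host "  protector: $($typeNames[$t])" }

if ($status -ne 1) {
    Write-Warning "$osDrive is NOT protected: anything booted from USB/CD can read the SAM and the files."
} elseif (-not ($types | Where-Object { $preBootTypes -contains $_ })) {
    # TPM-only or recovery-password-only means the OS still boots unattended to the logon screen
    Write-Warning "No pre-boot authenticator on $osDrive. Add one, e.g.: manage-bde -protectors -add $osDrive -TPMAndPIN"
} else {
    Write-Host "OK: $osDrive is encrypted and requires pre-boot authentication."
}
```

Point the script at a file server's data volumes as well by changing $osDrive, since a TPM-only OS volume with unencrypted data disks still leaves the patient records readable offline.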
 
ATL74 (Author) commented:
Can someone using Kon-Boot make a local admin account for themselves for later use, i.e. employees installing non-licensed warez on their company machine and such?
0
 
Run5k commented:
In the article that was posted previously (http://4sysops.com/archives/kon-boot-the-fastest-way-to-remove-a-windows-password/), the author states that "the tool doesn't change the SAM database," so it seems that the short answer to your question would be no, it can't be used to create a local admin account.
0
 
David Johnson, CD, MVP (Owner) commented:
Use BitLocker or other disk encryption on the client machines and Kon-Boot will be useless.

Have you considered an Acceptable Use Policy for the computers that all end users must adhere to with termination
0