  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2216
  • Last Modified:

How to Defend Against Kon-Boot on Windows 7 Systems

How do you defend against Kon-Boot when it bypasses the password and people can get to local files?

Is there any way to defend against it?

I assume this only works on local passwords and not domains, correct?
0
ATL74
Asked:
ATL74
16 Solutions
 
joelsplace Commented:
I just installed a program called USBLockRP.  It monitors usb ports and locks the screen when an unauthorized device is in a usb port.  It ignores keyboards and mice and you can authorize other devices as needed.  It's not free but it does work.  It wouldn't keep them from booting the machine and I'm not sure what it would do with a Kon-booted usb key but they have a free trial.  It would prevent anyone from stealing files with a usb device.
Tell them Joel sent you.  I just bought 100 seats from them last week.
0
 
Run5k Commented:
You can potentially disable your optical drive and your USB ports, but from my perspective the only way to really protect yourself from either USB or CD-based utilities that reset/bypass the local Windows passwords is to encrypt the hard drive.  Otherwise, people can find a variety of utilities to gain local access... Linux Live CD, etc.
0
 
Stelian Stan Commented:
Encryption is your KEY (TrueCrypt - http://www.truecrypt.org/downloads). It's free and it does what you need.
0
 
joelsplace Commented:
Is there some reason you have important files stored locally?
0
 
johnb6767 Commented:
Technical question regarding Konboot..... (don't worry, not trying to gain information other than possibly how to defend against it).....

Having never used it, how does it pick a username to logon as?

Local Admin? If so, Windows 7 keeps it disabled by default, does it enable and skip the passwords regardless of strength?
Last User logged on? Perhaps setting policy to wipe that field in the registry?
Recurses the local SAM for local accounts?

@joelsplace

"I just installed a program called USBLockRP.  It monitors usb ports and locks the screen when an unauthorized device is in a usb port."

Does it work from a BIOS level or only via Windows?
0
 
joelsplace Commented:
It's just Windows.  BIOS level would disable all USB devices.  It should work even when logging into Windows via bypassed password.  It won't help if booting another OS.  I set the BIOS to only boot from the hard drive so they can't boot from a USB device.  Password protect the BIOS obviously.
0
 
ATL74 (Author) Commented:
Does Kon-Boot work on domain passwords logins?
0
 
johnb6767 Commented:
I was under the impression that it didn't REMOVE passwords at all..... That's not the case?
0
 
David Johnson, CD, MVP (Owner) Commented:
When you say “Kon-Boot just reboots Windows and sets an empty password for all accounts it finds” that is misleading. My understanding is that Kon-Boot does not change any passwords, it just patches the Windows kernel in memory, so any password you type passes the authentication test. Unless you change a password or make some other changes, Kon-Boot makes no changes to the hard drive, so when you reboot everything is the same as it was. At least that’s how it worked when I tested it a year ago. source

KonBoot will not work over domains as the local machine does not do the authentication
0
 
ATL74 (Author) Commented:
So if I understand correctly, anyone that could get physical access to your server and run Kon-Boot could pretty much get to all the documents stored on the file server.

I guess the only way to defend against that is prevent physical access and / or disable all local accounts which could bite you.
0
 
Stelian Stan Commented:
That's right.
0
 
Run5k Commented:
As I said before, unless you actually encrypt the hard drive, gaining physical access to the machine will allow a rather computer literate person to gain access to the stored files & folders.
0
 
David Johnson, CD, MVP (Owner) Commented:
That is why when you deal with security, you have to consider physical security as well as computer security. Crazy glue works well to disable USB ports, and put the servers in a locked room.
0
 
ATL74 (Author) Commented:
Most of my clients are small medical, dental, and lab offices. My fear for them is someone breaking in and stealing the server along with the desktops. The desktops are no issue because nothing is kept on them, but the server has patient medical data, SSN numbers, and credit card and other financial info.
0
 
Run5k Commented:
If that's the case, as many of us have already said, physical security is critical.  Normally there are multiple layers of physical security in place to avoid allowing an outsider to gain physical access to the servers themselves.
0
 
David Johnson, CD, MVP (Owner) Commented:
The server must have the drives encrypted with bitlocker/truecrypt and have a password on boot. Just follow standard password rules i.e. minimum length and complexity.. btw DOg.................... is more secure than P&W@|\/vag^}  (capital D, zero, lower case g and a string of periods) and easy to remember, but hard to crack.
0
 
ATL74 (Author) Commented:
Can someone using Kon-Boot make a local admin account for themselves for later use? I.e., employees installing non-licensed warez on their company machine and such?
0
 
Run5k Commented:
In the article that was posted previously (http://4sysops.com/archives/kon-boot-the-fastest-way-to-remove-a-windows-password/), the author states that "the tool doesn’t change the SAM database," so it seems that the short answer to your question would be no, it can't be used to create a local admin account.
0
 
David Johnson, CD, MVP (Owner) Commented:
Use BitLocker or other disk encryption on the client machines and Kon-Boot will be useless.

Have you considered an Acceptable Use Policy for the computers that all end users must adhere to with termination
0
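Added example (not part of the thread and not any poster's code): a Python check that reads `manage-bde -status` output and flags volumes that fall short of the advice given above, namely encrypting the drives with BitLocker and requiring a password at boot. The sample output, its trimmed field layout, the volume labels and the list of pre-boot protector names are assumptions made for this example.

```python
import re

# Constructed, trimmed `manage-bde -status` output; volume labels are made up.
SAMPLE = """\
Volume C: [OSDisk]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume D: [PatientData]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""
# Protector types that demand a secret or key at boot (assumed list).
PREBOOT = ("TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key", "Password")

def parse_status(text):
    """Map drive letter -> {"os": bool, "fields": dict, "protectors": list}."""
    vols, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Volume ([A-Z]:)", line)
        if m:
            cur = vols.setdefault(m.group(1), {"os": False, "fields": {}, "protectors": []})
        elif cur is not None and line == "[OS Volume]":
            cur["os"] = True
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            cur["fields"][key] = val
        elif cur is not None and line and not line.startswith("["):
            cur["protectors"].append(line)  # bare lines listed under "Key Protectors:"
    return vols

def findings(text):
    """(drive, problem) pairs where a volume falls short of the thread's advice."""
    out = []
    for drive, v in sorted(parse_status(text).items()):
        f = v["fields"]
        checks = [
            (f.get("Conversion Status") == "Fully Encrypted", "not fully encrypted"),
            (f.get("Protection Status") == "Protection On", "protection off"),
            (not v["os"] or any(p in PREBOOT for p in v["protectors"]), "no pre-boot PIN or key"),
        ]
        out += [(drive, msg) for ok, msg in checks if not ok]
    return out

if __name__ == "__main__":
    print(findings(SAMPLE))
```

To use it on a real machine, pass the text captured from an elevated `manage-bde -status` run to `findings()` in place of `SAMPLE`.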
