devryguy81

asked on

How would someone do this?

I work in a K-12 organization and have had a teacher come to me with an issue.  It seems that a student has found some way to uninstall/delete/remove a large application suite from a computer without having any administrative access.  I have verified that this software does in fact require administrative access, and I cannot find any evidence in the Event Logs that anything was uninstalled, however I can see that the application folders left in Program Files are only remnants of the original structure and they no longer appear in Programs and Features.  This is a Windows 7 fully updated PC.  

The "Administrator" and "guest" accounts are disabled and password protected.  As a tech employee I have an administrative login, as does the teacher and one administrative staff member, however the student login is just a standard user.

I need ideas on how I can find any breadcrumbs to follow or begin logging/monitoring to catch it in the future.

The teacher moved this person from one computer to another and today the teacher found the software removed from the new computer.
Scott C

What is the software that was removed?  If we knew that we might be able to give you some suggestions as to how it was uninstalled.

If you don't want to or can't give this information I would google on "uninstalling xxx without admin rights"  or "uninstalling xxx manually" and see what you get.

This would at least give you some idea how it was done and possibly how to prevent it in the future.
Look at the event logs to check for system being restarted during the time the individual was supposed to be working at it. If you find indications of that it is a good possibility that the individual is circumventing the security on the system. You may want to lock down the USB and CD/DVD drives if you can.
ASKER CERTIFIED SOLUTION
Ugo Mena
If I was to do that, I would use a Linux Live CD that totally ignores Windows permissions and lets me do what ever I want to the files on the disk.  I often do this to get rid of viruses on clients computers and it does not leave any trace in the Windows logs.  If those computers will boot from a USB flash drive, you can do it from there also.
devryguy81

ASKER

These are all great suggestions.  The software is Autodesk Design Academy 2013.  The entire suite is not installed, just what they use.

I found absolutely nothing in the event logs.  It was disappointing, really.  I think the use of a LiveCD could very well be a viable method in this case.  I will lock down the BIOS options and see if that gets me anywhere.  In the meantime, any other suggestions for checking how this might have been achieved?
If they did in fact use a Live OS disk or USB drive to remove the AutoDesk apps in question, it would be a trivial task to also remove the event logs in the process.
Password protecting the BIOS will eliminate the ability to do it by that method.
Sounds like you are going to be busy. :)
Actually, the event log is always a good front line indicator. If the system is restarted it will reflect several services starting when it comes back up. If it is down for any period of time it will have some gaps in it. If it is cleared it will be obvious.

In any case, setting the system boot order to HD first would help a little, but as far as I know even password protecting the BIOS would not prevent them from pressing F8 during the boot to get the selection menu.

You could set the permissions on the folder to read only for everyone except a specific user and also remove Administrator rights however I am not sure that would prevent this from happening with a live OS disk or USB drive.
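The event-log checks described in the two replies above (restart markers while the student was logged in, stretches with no events at all, and a log that was cleared) as an added PowerShell example; this is not code from the thread or from any of its posters. It runs on Windows 7 or later from an elevated PowerShell prompt (reading the Security log needs administrator rights). The event IDs are Microsoft's standard ones; the function names, the one-hour gap threshold and the constructed sample timestamps are my own choices.

```powershell
# Added example (not from the thread). Surfaces the three indicators the
# replies above describe in the Windows 7 System and Security logs:
#   1. boot/shutdown markers (restarts during class time),
#   2. long stretches with no events at all (machine off, asleep, or
#      booted into something that does not write Windows logs),
#   3. explicit log-clear events.
# Event IDs are standard Windows ones: 6005/6006 (Event Log service
# start/stop), 6008 (unexpected shutdown), 6009 (OS version at boot),
# 12/13 (Kernel-General OS start/shutdown), 41 (Kernel-Power: reboot
# without a clean shutdown), 104 (System log cleared), 1102 (Security
# log cleared). Function names and $GapHours are assumptions of this
# example, not Windows settings.

function Get-BootMarkers {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $ids = 6005, 6006, 6008, 6009, 12, 13, 41
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

function Get-LogClearEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 104:  "The System log file was cleared" (System log)
    # 1102: "The audit log was cleared"        (Security log, needs elevation)
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    @($sys) + @($sec) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, Message
}

function Find-EventGaps {
    # Takes event timestamps and returns every gap between consecutive
    # events longer than $GapHours. Windows writes System-log events
    # steadily while running, so a long silence means the box was off,
    # asleep, or running another OS.
    param(
        [datetime[]]$Times,
        [double]$GapHours = 1.0
    )
    $sorted = @($Times | Sort-Object)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $span = $sorted[$i] - $sorted[$i - 1]
        if ($span.TotalHours -gt $GapHours) {
            New-Object PSObject -Property @{
                From  = $sorted[$i - 1]
                To    = $sorted[$i]
                Hours = [math]::Round($span.TotalHours, 2)
            }
        }
    }
}

# Constructed sample (not real log data): four timestamps with one
# silence of more than an hour in the middle.
$sample = @(
    [datetime]'2013-03-04 08:00', [datetime]'2013-03-04 08:05',
    [datetime]'2013-03-04 11:30', [datetime]'2013-03-04 11:31'
)
"== Gaps in the constructed sample =="
Find-EventGaps -Times $sample -GapHours 1 | Format-Table From, To, Hours -AutoSize

# Run against the live logs for the last 7 days.
$since = (Get-Date).AddDays(-7)
"== Boot / shutdown markers since $since =="
Get-BootMarkers -Since $since | Format-Table -AutoSize

"== Log-clear events since $since =="
Get-LogClearEvents -Since $since | Format-Table -AutoSize

"== Gaps longer than 1 hour in the System log =="
$allTimes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.TimeCreated }
Find-EventGaps -Times $allTimes -GapHours 1 | Format-Table From, To, Hours -AutoSize
```

The output is only suggestive, which matches the caveats in the thread: a boot into a Linux Live CD shows up at best as a clean shutdown (6006/13) followed by a gap and a fresh start (6005/12), and not at all if the disk was edited while the PC appeared to be off. Events 104 and 1102 are written only when a log is cleared through Windows; a Live CD that deletes the .evtx files from the disk leaves no such record.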
You could always disconnect the optical drive and fill the USB ports with epoxy.  This would be a drastic and irreversible step though.

I have heard of it being done in extreme cases.
Edit your BIOS boot order to use only the HD (IDE) and remove other entries.

@pny10us: by setting a password on the BIOS. Any subsequent attempts to reset the boot order will need to enter the password.

Pressing F8 after restart will then only get you to the BIOS password screen.

And the Windows Selection menu is not going to allow you to startup a live OS. Only Repair Windows, or restart in safe mode.
A Linux Live disk ignores Windows permissions and does not leave anything in any Windows log files.  To block it, you can disable the CD-ROM and the USB or use drive encryption that it can't read.  I think I would recommend kicking the kid out of school for being willfully and intentionally destructive.
All good suggestions.  The teacher has not reported any further problems, but I still need to implement the BIOS password and HD-only boot options on all his machines.

I am not accepting solutions as yet, as my original question technically speaking hasn't been addressed.  I would still like to know if there might be any other forensic data to help me find out how they achieved this.

Please don't misunderstand, however, as the boot option suggestions are great and will be implemented ASAP.

Thanks again.
If they used a "Live CD" that they booted from the only "forensic" possible would be security cameras, a confession, or a witness.

You may never know exactly how this was done.
It sounds like there may be an issue with the UAC or the student has been able to obtain credentials for an administrative account.  See:  http://www.sevenforums.com/tutorials/11841-run-administrator.html
SOLUTION
I will accept the first mention of disabling the alternative boot options in BIOS (as a preventative measure) and the network logging from the DNS/DHCP server side as I was unable to find any evidence of tampering on the local system.

Thanks to all for your suggestions!