Login xp

richrich

IS-IT--Management
Apr 16, 2003
7
GB
I have one pc at home with xp pro and another with xp Home.
Security on both was fine. But the xp home (not now networked) is accessed by my son. The problem is that I retain the administrator rights and give him and others the limited account - with or without password.

He can log in and change admin rights and all sorts of other things as an administrator. I keep changing his rights and password and even set a password on the PC bootup. This is to no avail as he can still get in and change what he likes. It's not the password disk being used as this can not give you admin rights. I have changed my password etc and it makes no difference.

Any ideas how he does this as it is getting very annoying and I have concerns he will be into my XP Pro PC that I use for work, very soon.

I don't need to know how he gets in (although it's interesting) I need to know how to stop him.

Don't say cut his hands off - I've thought of that :)

Richrich
 
My guess is that he boots into safe mode and logs in as Administrator. Set a password on the "Administrator" account - this is not the same as your account with administrative privileges - there is an account named Administrator. Press the F8 key at boot to start in Safe Mode.
 
or at the log on screen hit ctrl+alt+del twice and it will give you access to the administrator account....
still can't get over bypassing the bios password yet though...lol
 
BuckeyeComputers - CADx2 works with Pro, but I don't think it works with Home, does it?
 
Hmm...for some reason I had in my head that that didn't work with Home. Thanks for the info.
 
Thanks a lot guys, when I get home I'll try these tips

It may take a few days to see if he gets in or not but I'll let you know.

What is the cadx2 bit?

And yes he gets through the bios. Driving me nuts!!

Richrich :)
 
Control+Alt+Delete, twice - sorry, my abbreviation.
 
Getting around the BIOS password without actually disabling it (destructively then re-creating) is close to impossible.

If you are sure he can't guess/find your password he may have installed a key-logging program that records all keystrokes to a text file. Those programs typically won't work on BIOS passwords though. You could always install one yourself and find out what he is doing :)

-Volkoff007
 
Thanks SMAH the administrator password has seemed to work at the moment. Although I thought I had set the password at re-installation - I just reset it again.

He says he can not log on as I have now changed his password again - did not stop him before!

On the BIOS bit he did not reset it just removed it.

Anyway seems to have done something - that's if he's not messing me about.

I have had a look at the possibilities of other software recording key strokes but this surely would only be viewed after log-on.

I know he has used Spyware 123 recovery from IOPUS but I thought this only worked with **** or same as?

Thanks again to all you helpful guys.

Richrich
 
Disabling the BIOS is as simple as removing the CMOS battery for a short while, that's probably what he did for that.

 
Hi there guys,
Well I'm back from Holiday and he's back on the PC as administrator.

I moved his files to behind my folder and deleted his account.

But no, he has reinstalled his account and as administrator loaded back some files. I have now deleted all this new account and files.

An odd thing I noticed the other day was when I booted up the blue bios setup screen appeared.

Could he be plugging something in the back of the PC to log on with as the cpu seems to move at times (could just be my daughter with her mini disk lead though)?

Volkoff007 - Thanks for your comments on the logging. How could I find any key stroke software on the system or have you any sites you recommend for download for me to install. Can I do this without anyone seeing it?

Richrich :-(
 
I have just installed some spy key log software and will see if that works.

Just to note he has come to work for me today and has just logged on with someone's password that he is working with and that's on an NT system terminal server.

Maybe I should cut his hands off

Rich
[thumbsdown]
 
He is using a boot diskette to examine, and change, the Administrator password.

Short of cutting his hands off, remove the floppy drive, or just pull the power connector.

I have a hacker son (12 years-old) and he constantly tries to break into my machines. I every once in a while make it a little harder each time. When he is defeated at a certain level of protection, I explain to him what stopped him and how it could be circumvented. He has no malicious intent, so I use him as my "free" security scanner. And he learns a lot.

But if someone has access to the local console, box or whatever you want to call it, then it is a trivial exercise to access the machine through the floppy drive, or increasingly through a USB keychain device and obtain Administrator rights. Do a search on this Forum for "lost password" and you will find multiple links to freeware software to do exactly what your son has been doing at home, and shudder, at the office.

The only way to stop a console-based attack on security is to prevent access to the console. Someone earlier suggested that the ultimate defense is a large and angry dog.

 
I have the same kind of problem with boot disks getting my xp password at lan parties :( but I found a solution to this: a removable hard drive rack :D just take your hard drive with you and see if he gets into your system!
 
I've heard that a Win 2000 disk will get you into an XP machine with administrator privileges. He sounds sophisticated, but the above tid-bit is interesting if nothing else.
 
BoulderBum: The Windows 2000 disk can only grant you access to the recovery console, and then only if you have the "Recovery console: Allow automatic administrative login" option in the group policy editor (start>run gpedit.msc) set to enabled
 
Oh.

Not to hijack the thread, but doesn't the fact that most people don't know about the passwordless administrator account create a HUGE vulnerability? Can't someone just log-in remotely as "administrator"?

I didn't know until a month or so ago that I HAD an "administrator" account since it wasn't on the logon screen (but then I don't know a whole heck of a lot about Windows security). I was floored when I discovered that I had such a big back door into my "password protected" system.

It seems as bad as the whole .NET Passport password reset vulnerability that Microsoft just corrected.
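
An added example, not part of any post in this thread: a read-only Windows PowerShell audit of the three local settings the replies above turn on (the built-in Administrator account, the Recovery Console automatic-logon policy, and whether blank-password accounts may log on over the network). The registry paths are the standard locations behind those policies; `Get-RegValue` is a helper name introduced here.

```powershell
# Added example: read-only audit; it changes nothing on the machine.
# Targets Windows PowerShell 2.0 and later (Get-WmiObject is not in PowerShell 7).

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns the value, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$findings = @()

# 1. Built-in Administrator: RID 500 identifies it even after a rename,
#    and even when it is hidden from the Welcome screen.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($admin -and -not $admin.Disabled -and -not $admin.PasswordRequired) {
    $findings += "Account '$($admin.Name)' is enabled and is not required to have a password."
}

# 2. "Recovery console: Allow automatic administrative logon" (1 = enabled).
$rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
if ((Get-RegValue $rcKey 'SecurityLevel') -eq 1) {
    $findings += 'Recovery Console grants administrative logon without a password.'
}

# 3. "Accounts: Limit local account use of blank passwords to console logon only"
#    (0 = disabled, so a blank-password account can also be used over the network).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-RegValue $lsaKey 'LimitBlankPasswordUse') -eq 0) {
    $findings += 'Blank-password accounts are allowed to log on remotely.'
}

if ($findings.Count -eq 0) {
    'No findings for the three checks.'
} else {
    $findings
}
```

None of these checks covers booting from removable media, which the replies above identify as the route that local settings cannot close.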
 
Well, he is in again. I installed a key logger but it only seemed to work when windows started.

I need to get him before that stage.

I'll try a search as per bcasner suggested and see what I get.

He has logged in as his own and not on others' log on because I can see the desk top background is the basic one.

Although the other time I have seen him with my background screen.

He just turns off in anger and I can not see where he's been.

Keep on trying, that's all I can do - the little sod has not beaten me yet.

Rich
 