
school needs help stopping hackers


liquidmonkey

Technical User
Sep 25, 2004
11
SE
i work as a math teacher (90%) and computer guy (10%) at a school and on our computers we are using windows XP which is run from another company on a network. in order to access the computers you must enter a login and your own password. i'm sure you know the login screen. without this you cannot access anything OR so i thought.
kids have been getting into the computers, resetting the BIOS passwords, putting in Power Up passwords and such, one kid even installed a totally different version of windows. this is a problem and i would like to know a technical solution on 1) how to stop the kids from doing this and 2) how are they able to do this?
i'm no hacker / cracker and only work on the computers at the school 2 hours a week so i don't have a lot of time to deal with these problems in depth.
can someone out there please help me?
 
blasted kids! i'm so glad i've never worked in a school environment. It sounds like most of what is happening is occurring outside of windows xp when the computer is first turned on unless i'm wrong.

I guess you could start by going to all of the machines and setting your own access password into the bios. That way, when kids attempt to access the bios, they are prompted with a password.

Second, to prevent kids from sticking in boot cds or floppies and booting to a dos prompt or reloading a new operating system, you could go into the bios and set the first boot device to the hard drive. That way it won't search floppies or cd drives first. Again, if you have a password set, they won't be able to alter these settings.

Just a side note, bios passwords can be reset by taking off the cases and pulling the appropriate jumper. Hopefully you have some sort of supervision going on so someone would notice.

There are other steps you could take to secure windows but we would need to know more about your setup such as if your network is a domain or just a workgroup.

Hope these suggestions help.

Justin
 
To prevent students from installing software, remove the CD-ROM drive, physically disable the USB slots and install diskdrive locks.

Set the BIOS passwords and Boot sequence as Justin described.

Most PC cases have a hole for a padlock so you can physically prevent users from opening the case.
 
When I worked in a college, we even had to go as far as to glue the mice ball cover because students kept stealing the mice balls. Thank god for optical mice lol

-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Either that, or build the PC's into Cabinets (watch airflow) with padlocks attached... so that Junior cannot get at the Case...

at my last Job place, we had Terminals, which booted from a central Server, ergo no PC and no Installing of non-company software there...

cuz, as long as these kids have access to the USB Port, the CD-Rom drive, or Floppy, they will try to outsmart you and gain access via bootable devices and can delete or change the BIOS Pswd with ease...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
The most basic steps:

1. You'll need to block physical access to the internals of the PC. Most have latches that allow small locks to be put on. Without this, a kid can open the case and reset the BIOS, clearing the password.
2. Set the BIOS to prevent booting from anything other than the hard drive. Otherwise anyone can boot off of a Linux CD, erase the Windows SAM file and then log into windows as the default administrator account.
3. Password protect the BIOS.

I don't think removing the CD drives is completely necessary. If the kids' user accounts are set up right, they can't install software, and if the BIOS is set up right they can't boot from an alternative disk. Disabling USB ports could be an option, but again, if user account permissions are done correctly they still can't install software from them, but it would prevent them from attaching USB storage devices and copying things off, if that's a concern.
 
One thing i have noticed is that people are suggesting you set the first boot device as the hard drive. I would go a step further. Depending on the bios, you can set all the boot devices as the hard drive, or ONLY the hard drive as a boot device, but no other boot devices. Just thought it should possibly be a bit clearer on that point.

Also, if you do have the capability to lock the pc case, and you are putting a password on the bios, then either disable the floppy in the bios or simply disconnect the floppy drive inside the case and leave it disconnected.
Same thing with the cdrom if you don't need it.

Post notices around the school that this kind of behaviour is going on, that students should keep an eye on this as it leads to higher costs and less likely replacement or upgrades in the future. Let them know this can be costly beyond the scope of a mere prank and some of them may wake up. Kind of like when we grow up and realize we weren't just having a bit of fun when teasing some kids, we were hurting their feelings, but, as kids, we didn't realize the scope of what we were doing. Some kids, when they realize the scope of their actions, will stop, some won't of course, but this issue you have will take many and several different methods to curtail.
Also, knowing Linney's advice is always good, there is likely a ton of info in the sites he posted!


Good advice + great people = tek-tips
 
I also recommend exactly what Justin has said. I also would not remove the CD-ROM, Floppy, etc. unless you don't have any use for them and have covers so you can block dust from coming in.

A quick explanation of how they are doing this. BIOS comes up before the Operating System is loaded. Therefore the kids are getting into that and setting the passwords, changing the time, etc.

As for the re-install of the OS, this is because the kid booted up on a CD (again before the OS was loaded) and removed the partition on the hard drive where your OS was installed. This is why Justin recommended changing the boot sequence. This way the hard drive boots up first and loads your OS that is password protected. Combined with your own BIOS password so the kids can not get into the BIOS to change any of these things you are pretty protected. If you can lock the cases, or even better prevent physical access to the systems, then your problems should be solved.

The computer company covering these systems should have told you this. Apparently they want the extra cash they get when they need to come onsite to fix these problems, or make it look like their contract is needed so it will be renewed at a possibly higher price. I would complain and demand that they fix this with the steps that Justin told you to do. It makes you look more knowledgeable and keeps them on their toes.
 
There are also many software packages available that will let you prevent users from doing things (like shutting down a computer?). However, I suggest you toy with the Users settings of the Windows boxes and see what rights users have. I think WinXP is getting pretty decent at limiting rights.

-Haben sie fosforos?
-No tiengo caballero, but I have un briquet.
 
WOW!!!
thank you for all the great replies everyone, very much appreciated!!
been talking to our network supplier and the way to go is BIOS passwords for all the schools in our group as well as HDD being the only boot device.
thanks again!!
this forum rocks!!!!!
 
Good idea, don't forget this lil nugget Jasen threw in:

"Just a side note, bios passwords can be reset by taking off the cases and pulling the appropriate jumper. Hopefully you have some sort of supervision going on so someone would notice."


"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy"
Albert Einstein
 
oh yeah, forgot to mention. all computer cases will have that little metal round bit on the back of the access panel so we can either put a lock on it or an industrial cable tie. so if someone really wants in, they have to at least have tools or a key.
plus, we have supervision as well, but this is not always 100%.
thanks again everyone!!
 
Hi,
You could also use what some of us, back in the day of hubcap stealing did, that is, file the edges of the case to a very sharp edge and, if anyone tries to open it without gloves, you will be able to follow the blood trail..
[wink] [wink]

Just kidding of course, no lawsuits please...[laughtears].





To Paraphrase:"The Help you get is proportional to the Help you give.."
 
I was doing some hard drive cleaning when i ran across this info about password protecting files in windows from 98 to xp. Here it is here:


Below is a program that does the job of password protecting files, but i haven't used it. Sourceforge is a reputable place.



Good advice + great people = tek-tips
 