I have an employee who apparently has a way of cracking local administrative
passwords. I just learned of this and he has thus far been using this trick
"for good" (e.g. to bypass corporate bureaucracies that impede productivity).
Regardless, I've asked him to cease this practice. However, I'd like to know
if there's a way to make sure he's no longer able. The problem is that I
don't know how he's done it except that I was told by a coworker that a
floppy disk of some sort was involved. I realize that's scant information to
go on, but I was hoping that someone might be able to offer some guidance on
shoring up the security on my PCs.

thanks,
spence

Re: cracking local admin account by Alun

Alun
Thu Nov 11 17:01:10 CST 2004

"spence" <spence@discussions.microsoft.com> wrote in message
news:1B76339A-7F76-4E36-8732-CA91C124582B@microsoft.com...
> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.

I've heard of this trick - you go up to the system administrator and you say
"you know those pictures you hoped would never get out? Well, I've got a
copy of them on this floppy disk, so hand over the passwords".

Okay, seriously, there are a number of possibilities at play here, and it
depends on what you mean by "cracking local administrative passwords".

The floppy disk mention suggests a password reset disk -
http://support.microsoft.com/?id=305478 if you're not in a domain, and
http://support.microsoft.com/?id=306214 if you are.

There's also a possibility that the floppy is a boot floppy that he uses to
run some small program that loads up NTFSDOS or some other driver to allow
him access to the system, and he runs some super-duper cracking routine.
This would seem rather unlikely. I'm still going with my suggestion of the
password reset disk.

Or maybe he's installed a keylogger, and the floppy is where he keeps the
program that allows him to read the keylogger's data.

There are other suggestions, and some of them verge on the outlandish -
doubtless you'll read many of them here.

Want to make it so that he's no longer able to do this? Remove his floppy
drive. Of course, he could then attach a USB external floppy, so you should
also fill his USB ports with epoxy resin to prevent that. Note that I am
being serious - these suggestions sound very flippant, but really physical
barriers are the only antidote to physical access problems.

Essentially it boils down to the fact that you can do anything with a
computer if you can get into the same room as that computer, with your
tools, and spend however much time you need.

An article on physical security can be found at
http://www.microsoft.com/technet/community/columns/5min/5min-203.mspx, and
an article on the basic laws of security is at
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx -
particularly "Law #3: If a bad guy has unrestricted physical access to your
computer, it's not your computer anymore".

When you provide an employee with a machine, that machine becomes "theirs"
in the sense that they can do almost anything to it, up to and including
pounding it with a sledgehammer until every part can fit through a
letter-box - and the only guaranteed way to prevent that is to not provide
them with the machine in the first place. There is a dance of trust that
you must engage in with your employees - you must let them know what they
are allowed to do, and what they are not allowed to do, and if they
demonstrate that they are willing to go outside those ranges, you have to a)
observe those infractions, and b) enforce sanctions that are intended to
deter such infractions.

I have yet to see a convincing argument that software can ever be developed
that will prevent someone from using physical access to override security.

Alun.
~~~~



Re: cracking local admin account by Miha

Miha
Thu Nov 11 17:03:50 CST 2004

Hi,

First off, if he is good with computers, you will have a hard time keeping him
away from the administrator account as long as this user has physical access to
the computer.

Yes, there is a "password reset" floppy disk. What you can do is edit the BIOS
boot order to boot only from the HDD (not from floppy and not from CD). Set the
BIOS password and hope that your BIOS doesn't have a default password (most
BIOSes have a default password or some sort of bypass).

I hope this helps,

Mike

"spence" <spence@discussions.microsoft.com> wrote in message
news:1B76339A-7F76-4E36-8732-CA91C124582B@microsoft.com...
> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.
>
> thanks,
> spence



Re: cracking local admin account by Tom

Tom
Thu Nov 11 17:35:19 CST 2004

I'm sorry, but I have to say this:
If you have proof he is doing this, he should be fired. He can't be
trusted.

Tom
"spence" <spence@discussions.microsoft.com> wrote in message
news:1B76339A-7F76-4E36-8732-CA91C124582B@microsoft.com...
| I have an employee who apparently has a way of cracking local administrative
| passwords. I just learned of this and he has thus far been using this trick
| "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
| Regardless, I've asked him to cease this practice. However, I'd like to know
| if there's a way to make sure he's no longer able. The problem is that I
| don't know how he's done it except that I was told by a coworker that a
| floppy disk of some sort was involved. I realize that's scant information to
| go on, but I was hoping that someone might be able to offer some guidance on
| shoring up the security on my PCs.
|
| thanks,
| spence



Re: cracking local admin account by Jupiter

Jupiter
Thu Nov 11 18:23:18 CST 2004

With unrestricted physical access, just about anything is possible.
It seems you have legitimized his activities perhaps to the point he
feels like a local hero.
If you want control, you MUST set up and enforce policies on computer
usage and abuse.
Any infractions need to be swiftly dealt with otherwise he owns the
computer and not you.

See:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


"spence" <spence@discussions.microsoft.com> wrote in message
news:1B76339A-7F76-4E36-8732-CA91C124582B@microsoft.com...
> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.
>
> thanks,
> spence



Re: cracking local admin account by Leon

Leon
Fri Nov 12 06:04:43 CST 2004

Miha Pihler wrote:
> Yes, there is a "password reset" floppy disk. What you can do is edit the
> BIOS boot order to boot only from the HDD (not from floppy and not from
> CD). Set the BIOS password and hope that your BIOS doesn't have a
> default password (most BIOSes have a default password or some sort of
> bypass).

This is the best option. I've come across floppy disks which mount the NTFS
hard drive and can then copy files across (such as the SAM file) or open the
registry hives with full access and change the password hashes to whatever
you want. The only way round this is to stop them from booting from anything
other than the hard drive. Once the operating system has been booted the
NTFS security is in place and they can't get at the password files. As Miha
mentioned, you'll also have to set a BIOS password to make sure they can't
just change the boot order back.

At the end of the day, you should just give them an official warning and
tell them they'll be fired if they do it again.



Re: cracking local admin account by S

S
Sat Nov 13 22:36:41 CST 2004

Some ideas on how to enforce the policies:

* Create a script that periodically logs on to all domain/network
workstations as a local administrator. Alert on every failed login attempt.
* You need to start with the same password on all workstations - can use
domain admin login to change the passwords. Alert on any computers on the
network that don't allow domain admin to log on - they can be rogue systems.
* Additional functionality for the script: check for non-standard members of
the local Administrators group. Alert on any additional user or domain accounts.
* The next step is real-time but much more effort, and Microsoft is of little
help: monitor security logs for admin login and account management events on
local workstations. Alert on any
* Make the local admin access a sackable offence in the policy (but make
sure that corporate IT support allows users to do what they have to do
business-wise)

All of the above is possible. Extensive testing required.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Jupiter Jones [MVP]" <jones_jupiter@hotnomail.com> wrote in message
news:#pJIV3EyEHA.1956@TK2MSFTNGP14.phx.gbl...
> With unrestricted physical access,just about anything is possible.
> It seems you have legitimized his activities perhaps to the point he
> feels like a local hero.
> If you want control, you MUST set up and enforce policies on computer
> usage and abuse.
> Any infractions need to be swiftly dealt with otherwise he owns the
> computer and not you.
>
> See:
>
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
>
> --
> Jupiter Jones [MVP]
> http://www3.telus.net/dandemar/
>
>
> "spence" <spence@discussions.microsoft.com> wrote in message
> news:1B76339A-7F76-4E36-8732-CA91C124582B@microsoft.com...
> > I have an employee who apparently has a way of cracking local administrative
> > passwords. I just learned of this and he has thus far been using this trick
> > "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> > Regardless, I've asked him to cease this practice. However, I'd like to know
> > if there's a way to make sure he's no longer able. The problem is that I
> > don't know how he's done it except that I was told by a coworker that a
> > floppy disk of some sort was involved. I realize that's scant information to
> > go on, but I was hoping that someone might be able to offer some guidance on
> > shoring up the security on my PCs.
> >
> > thanks,
> > spence
>
>



Re: cracking local admin account by Patrick

Patrick
Sun Nov 14 09:48:54 CST 2004

Sorry I am late to this discussion.

As others have mentioned, if he can boot from media of his choosing,
he can reset the local admin password and do many other things. To
defend against this, configure the boot order in the BIOS, set a BIOS
password, and put a padlock on the case (to prevent manual BIOS
reset).

But a better idea might be to ask yourself why you care if he has
local admin rights to the machine? Unless your network is horribly
misconfigured, in which case you have bigger problems, his admin
access is "local" and thus cannot bother anybody else.

If you are worried about supporting such systems, then don't. In my
I.T. group, we make a simple deal with each user: They can have
non-admin access and let us support the machine; or they can have
local admin access and support it themselves. In the latter case, our
assistance is limited to wiping the machine and rebuilding it from
scratch, which amounts to two minutes of our time. This works for us
and keeps the "power users" happy.

The best I.T. people know that enforcing policy is always secondary to
providing good service.

- Pat


spence <spence@discussions.microsoft.com> writes:

> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.
>
> thanks,
> spence

Re: cracking local admin account by faf1967

faf1967
Sun Sep 04 10:56:04 CDT 2005

Patrick, I agree with some of the things you say about passwords. The only
problem is, if he gains access to the local admin password and every computer
uses the same local admin password, you can map a drive to almost any
computer. This has been my experience. I think the best bet is to change the
boot disk order, but don't forget to password-protect access to the BIOS.

If the user is logging into the computer as the local administrator, there is
one way to catch him/her in the act. Use the net send command to send a pop-up
message to your computer when someone logs on as the local administrator:
put "net send {your computer name} {your message}" in a .cmd file and save it to
C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Now every
time someone logs on as the local administrator, your computer will receive a
pop-up. (Of course, you will have to work with the rest of your IT team.) I
have used this method before and caught an individual red-handed. They never
figured out how I caught them.

"Patrick J. LoPresti" wrote:

> Sorry I am late to this discussion.
>
> As others have mentioned, if he can boot from media of his choosing,
> he can reset the local admin password and do many other things. To
> defend against this, configure the boot order in the BIOS, set a BIOS
> password, and put a padlock on the case (to prevent manual BIOS
> reset).
>
> But a better idea might be to ask yourself why you care if he has
> local admin rights to the machine? Unless your network is horribly
> misconfigured, in which case you have bigger problems, his admin
> access is "local" and thus cannot bother anybody else.
>
> If you are worried about supporting such systems, then don't. In my
> I.T. group, we make a simple deal with each user: They can have
> non-admin access and let us support the machine; or they can have
> local admin access and support it themselves. In the latter case, our
> assistance is limited to wiping the machine and rebuilding it from
> scratch, which amounts to two minutes of our time. This works for us
> and keeps the "power users" happy.
>
> The best I.T. people know that enforcing policy is always secondary to
> providing good service.
>
> - Pat
>
>
> spence <spence@discussions.microsoft.com> writes:
>
> > I have an employee who apparently has a way of cracking local administrative
> > passwords. I just learned of this and he has thus far been using this trick
> > "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> > Regardless, I've asked him to cease this practice. However, I'd like to know
> > if there's a way to make sure he's no longer able. The problem is that I
> > don't know how he's done it except that I was told by a coworker that a
> > floppy disk of some sort was involved. I realize that's scant information to
> > go on, but I was hoping that someone might be able to offer some guidance on
> > shoring up the security on my PCs.
> >
> > thanks,
> > spence
>
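
The checks Svyatoslav lists earlier in the thread (baseline the local
Administrators group and alert on extra members, alert when the periodic
admin logon fails, watch the Security log for admin logons and account
management events) and the startup-script trick in the post above both come
down to the same thing: notice when somebody uses, changes or covers up the
local Administrator account. The following is an added example, not code from
any of the posts, that runs those checks in Python over a constructed
inventory and a constructed Security-log excerpt. The host names, the baseline
group members and the sample events are assumptions. The event IDs are the
ones current Windows versions write (4624/4625 logon success and failure, 4720
user created, 4724 password reset, 4732 member added to a local group, 1102
audit log cleared); the XP-era machines in this thread would have logged
528/529, 624, 628, 636 and 517 for the same events.

```python
"""Added example (not from the thread): audit constructed workstation data for
use of, changes to, or cover-up of the local Administrator account."""
from dataclasses import dataclass

# Baseline: the only accounts expected in every workstation's local
# Administrators group (assumed names for this example).
BASELINE_ADMINS = frozenset({"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"})

# Constructed inventory, as `net localgroup Administrators` would report it per host.
LOCAL_ADMIN_MEMBERS = {
    "WS-001": ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"],
    "WS-002": ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins", "CORP\\jsmith"],
    "WS-003": ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"],
}


@dataclass(frozen=True)
class SecurityEvent:
    computer: str
    event_id: int
    target_user: str = ""      # account logged on / created / reset; the group name for 4732
    logon_type: int = 0        # 4624/4625 only: 2 console, 3 network, 10 RDP, 11 cached console
    subject_user: str = ""     # who performed the action (account-management events, 1102)
    member: str = ""           # 4732 only: the member that was added


# Constructed Security-log excerpt from the three workstations, in time order.
EVENTS = [
    SecurityEvent("WS-001", 4624, "CORP\\jsmith", logon_type=2),
    SecurityEvent("WS-001", 4624, "Administrator", logon_type=3),   # the audit script's own network logon
    SecurityEvent("WS-002", 4624, "Administrator", logon_type=2),   # someone at the console as local admin
    SecurityEvent("WS-002", 4732, "Administrators", subject_user="Administrator", member="CORP\\jsmith"),
    SecurityEvent("WS-002", 1102, subject_user="Administrator"),    # Security log cleared afterwards
    SecurityEvent("WS-003", 4625, "Administrator", logon_type=3),   # audit logon failed: password changed?
    SecurityEvent("WS-003", 4724, "Administrator", subject_user="WS-003\\SYSTEM"),
]

INTERACTIVE_LOGON_TYPES = {2, 10, 11}
ACCOUNT_MGMT_EVENTS = {4720: "account created", 4724: "password reset", 4732: "member added to local group"}


def unexpected_admins(members_by_host, baseline=BASELINE_ADMINS):
    """Hosts whose local Administrators group holds members outside the baseline."""
    return {
        host: [m for m in members if m not in baseline]
        for host, members in members_by_host.items()
        if any(m not in baseline for m in members)
    }


def admin_alerts(events, account="Administrator"):
    """(host, reason) for every event meaning the local admin account was used, changed or hidden."""
    alerts = []
    for e in events:
        if e.event_id == 4624 and e.target_user == account and e.logon_type in INTERACTIVE_LOGON_TYPES:
            alerts.append((e.computer, f"interactive logon as {account} (logon type {e.logon_type})"))
        elif e.event_id == 4625 and e.target_user == account and e.logon_type == 3:
            # The periodic audit logon uses a known password; a failure means it was changed.
            alerts.append((e.computer, f"network logon as {account} failed; password may have been changed"))
        elif e.event_id in ACCOUNT_MGMT_EVENTS:
            detail = f" ({e.member})" if e.member else ""
            alerts.append((e.computer, f"{ACCOUNT_MGMT_EVENTS[e.event_id]}{detail} on {e.target_user} "
                                       f"by {e.subject_user or 'unknown'}"))
        elif e.event_id == 1102:
            alerts.append((e.computer, f"Security log cleared by {e.subject_user or 'unknown'}"))
    return alerts


def audit(members_by_host=LOCAL_ADMIN_MEMBERS, events=EVENTS):
    """Run both checks and return the report as a dict."""
    return {"unexpected_admins": unexpected_admins(members_by_host), "alerts": admin_alerts(events)}


if __name__ == "__main__":
    report = audit()
    for host, extra in report["unexpected_admins"].items():
        print(f"{host}: unexpected local admins: {', '.join(extra)}")
    for host, reason in report["alerts"]:
        print(f"{host}: {reason}")
```

Collecting the real inputs is the part the thread glosses over: `net
localgroup Administrators` (or Get-LocalGroupMember) per host for the
membership, and the Security log (wevtutil or Get-WinEvent) for the events;
those replace the two constructed dicts above. Interactive logons are
filtered to types 2, 10 and 11 so the audit account's own type-3 network logon
does not page anybody. A 1102 record is an alert in its own right, because
someone who has just booted from a floppy and reset the password can clear
the local log on the way out, which is also why the log needs to be forwarded
off the box for any of this to be trustworthy.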

RE: cracking local admin account by bradm

bradm
Sat Sep 15 19:36:02 PDT 2007

There are plenty of "bootable" CDs and floppies allowing a local user to
reset the password.

If the 'admin' password has been changed, then you know it has been messed
with. Since the actual machine is not his property, the company should
establish a policy prohibiting any means or method of gaining access by any
means where they are not authorized.

What you must first realize is not only his disregard for authority, but how
much danger he is putting your network in. Once a policy is in place,
ensure everyone knows about it by having them sign a statement of awareness in
order to gain computer privileges. It's one of the first things we do with new
hires.

Then if anyone goes against policy, have management establish punishments.
Anything from counseling to termination. Because of the hazards and
vulnerabilities someone can unknowingly cause by bypassing network security,
where I work it is grounds for immediate termination.

Good luck
Brad




"spence" wrote:

> I have an employee who apparently has a way of cracking local administrative
> passwords. I just learned of this and he has thus far been using this trick
> "for good" (e.g. to bypass corporate bureaucracies that impede productivity).
> Regardless, I've asked him to cease this practice. However, I'd like to know
> if there's a way to make sure he's no longer able. The problem is that I
> don't know how he's done it except that I was told by a coworker that a
> floppy disk of some sort was involved. I realize that's scant information to
> go on, but I was hoping that someone might be able to offer some guidance on
> shoring up the security on my PCs.
>
> thanks,
> spence