
XP Administrator advice


IZON

Member
Joined
Mar 7, 2003
Location
London
I recently completed a fresh install of XP (SP2) on a friend's Dell PC. His teenage kids had really screwed up the system, it was running very slow and collectively they were all clueless about anti-viruses, firewalls and the usual safety precautions that most seasoned OC'ers take for granted.

Anyway, I vacuumed out the rig, put in a new 80GB HD (with the old 40GB HD acting as backup with Acronis True Image 6), along with a ram upgrade to 512mb (from 128mb), partitioned the HD's with Partition Manager 8, Zone Alarm, Anti Vir; SpyBot SnD;Adaware; Firefox 2 etc; you get the picture. The rig was running sweet and the old guy was chuffed.

He then asked me if I could set an administrator password for him and separate user account & password for his kids. 'No problem' I said.

The following day I paid him a visit only to find him fuming at the fact that his eldest son had managed to bypass the administrator password and reconfigure three new user accounts with the son set to administrator.

Where did I go wrong? I thought once the Administrator password was set that was that. Apparently not.

Either I overlooked something and the old guy wasn't set as Administrator as I thought (or the son genuinely bypassed the password or uncovered the password through a hack).

Thankfully I can use Acronis to reset the rig to its original fresh install state.

Is there any way I can stop this from happening again, or is this whole Administrator access thing a complete joke?

IZON
 
It honestly depends on how much the kid knows and how determined he is to hack in.

I myself keep a disk around at work that boots a tiny linux OS with NTFS capability that will change or delete any windows account password. (For when my wonderful bosses change their password right before vacation, during which they forget the new one)

It wasn't hard to find the iso for it online. So if the kid knows where to look :bang head

I don't know of a way to protect against it but hopefully someone else in our community does. And you might try posting this also in the 'Internet, Networking, and Security' section.

Sorry I couldn't be more help

DWolf
 
I assume the son has complete access to the PC. If so, then it's possible to reset the password through an alternate boot method, as well as through the command line.


In windows, the way I would go about doing things is through group policy. Disabling certain options completely, such as access to control panel or cmd prompt. (gpedit.msc) Along with this, the only way to prevent access to the disk short of removing it, is setting password in BIOS, and manually selecting Boot Disk.
 
Since you are saying that the password was "bypassed" and not changed then I would assume that the son made a correct educated guess as to the password, accessed the written password, or the admin account was left open.

You can enable security auditing: http://netsecurity.about.com/cs/tutorials/ht/ht040503.htm
For future use see when/where the new admin accounts came from. My guess is that dad left himself logged on.

True, there are freely available many programs that reset the admin password, granting admin access, but that locks out the prior admin and is obvious. There are ways to sniff out/dump the admin password but I doubt that is the case here.

BTW if you gave the secondary accounts only user access then they pretty much cannot do squat. Why not give them advanced access like "poweruser" or a tweaked advanced account and cut down the need to circumvent?

It is hard to lock down a physically accessed box because often one can open the side, pop the CMOS bat. for a min. or two, boot into the setup, and get a CD boot.
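
Added example, not part of any post in this thread: once account-management auditing is enabled as suggested above, the XP Security log records who created an account (event 624), who added it to a local group (636) and who set a password (628). The sketch below runs that check over a constructed log in a simplified CSV layout; the layout, the account names and the `find_admin_changes` helper are assumptions for illustration.

```python
import csv
import io

# Pre-Vista (XP/2003) Security log event IDs for account management.
ACCOUNT_CREATED = 624           # User Account Created
PASSWORD_SET = 628              # User Account Password Set
LOCAL_GROUP_MEMBER_ADDED = 636  # Security Enabled Local Group Member Added

# Constructed sample in a simplified CSV layout (assumption, not a real
# Event Viewer export): time, event_id, caller, target account, group.
SAMPLE_LOG = """\
2007-03-01 16:02:11,528,Dad,,
2007-03-01 16:40:03,624,Dad,Kid1,
2007-03-01 16:40:09,636,Dad,Kid1,Users
2007-03-02 15:12:47,624,Dad,Gamer,
2007-03-02 15:12:52,636,Dad,Gamer,Administrators
2007-03-02 15:13:30,628,Gamer,Dad,
"""


def find_admin_changes(log_text, trusted_admins=("Dad",)):
    """Flag Administrators-group additions and resets of a trusted admin's password."""
    findings = []
    created = set()  # accounts with a 624 event earlier in this log
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        time, event_id, caller, target, group = row
        event_id = int(event_id)
        if event_id == ACCOUNT_CREATED:
            created.add(target)
        elif event_id == LOCAL_GROUP_MEMBER_ADDED and group == "Administrators":
            findings.append({"time": time, "what": "added to Administrators",
                             "account": target, "caller": caller,
                             "new_account": target in created})
        elif (event_id == PASSWORD_SET and target in trusted_admins
              and caller != target):
            findings.append({"time": time, "what": "password set by another account",
                             "account": target, "caller": caller,
                             "new_account": False})
    return findings


if __name__ == "__main__":
    # The caller column shows whose session made each change.
    for f in find_admin_changes(SAMPLE_LOG):
        print(f["time"], f["what"], f["account"], "by", f["caller"])
```

In the constructed log the new administrator account was created from the "Dad" session, which is the pattern a left-open admin login would leave.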
 
Did you also make sure to set the Safe Mode Administration account password? That account can easily be used to change passwords if it is not properly locked down. Really if you can load a floppy you can change the password. You could do a Bios password lock and lock the case shut with glue so that no one can take out the CMOS battery, though that would of course not work if the kid also needs to be able to use the PC.

So for starters I would suggest booting into Safe Mode with F8 and see which accounts are there, then lock them all down. Then if you can use a Bios Password lock.
 
Normally, you can't access the base Administrator account (passwordless by default) unless you boot in safe mode (if quick login is off, you can type in Administrator and log in that way, though). Make sure that one is password-protected as well, so they can't get access that way.

Since the kids obviously don't know a lot (since they couldn't take care of their computer), I doubt they pulled something tricky. Safe-mode boot is as far as I would think they would go, but I think it's more likely the Admin account wasn't logged off. Try having the computer password protect on screensaver (although it just works better if you get him to remember to log-off).
 
noxqzs said:
In windows, the way I would go about doing things is through group policy. Disabling certain options completely, such as access to control panel or cmd prompt. (gpedit.msc) Along with this, the only way to prevent access to the disk short of removing it, is setting password in BIOS, and manually selecting Boot Disk.

Agreed about the cmd prompt & gpedit.msc, although the BIOS password is vulnerable to CMOS resetting. The case can be padlocked though.

turd said:
Since you are saying that the password was "bypassed" and not changed then I would assume that the son made a correct educated guess as to the password, accessed the written password, or the admin account was left open.

That's a real possibility, but I have my doubts when I recall the conversation I had with the old guy. I remember him saying "When I came to use the pc, it had changed..." At the time I didn't ask him whether it was his first or second use of the pc. But I see your point clearly.

turd said:
You can enable security auditing: http://netsecurity.about.com/cs/tuto...t/ht040503.htm
For future use see when/where the new admin accounts came from. My guess is that dad left himself logged on.

True, there are freely available many programs that reset the admin password, granting admin access, but that locks out the prior admin and is obvious. There are ways to sniff out/dump the admin password but I doubt that is the case here.

I'll check out the link, thanks. Agreed, I don't think his son is savvy in that respect, he's not geek-smart, just meddlesome & rebellious.

turd said:
BTW if you gave the secondary accounts only user access then they pretty much cannot do squat. Why not give them advanced access like "poweruser" or a tweaked advanced account and cut down the need to circumvent?

I don't have a problem with this, I'm assuming all of this is accessible through Admin.

tenchi86 said:
Did you also make sure to set the Safe Mode Administration account password? That account can easily be used to change passwords if it is not properly locked down. Really if you can load a floppy you can change the password. You could do a Bios password lock and lock the case shut with glue so that no one can take out the CMOS battery, though that would of course not work if the kid also needs to be able to use the PC.

So for starters I would suggest booting into Safe Mode with F8 and see which accounts are there, then lock them all down. Then if you can use a Bios Password lock.

I wasn't aware of this Safe Mode Admin password, I'll change that too, I'll be surprised if that's the way he got in. The BIOS password as suggested by turd although a good idea is vulnerable to a CMOS reset, the other problem being that it's not a practical solution for a family pc that's in the dining room.

It's just occurred to me that it's one thing to protect a pc from external net threats, but protecting it from internal home threats is a different game entirely, I'll confess it's tripped me up. It all boils down to passwords which seem painfully inadequate in comparison to a well configured firewall like Smoothwall :bang head.

Omision said:
Normally, you can't access the base Administrator account (passwordless by default) unless you boot in safe mode (if quick login is off, you can type in Administrator and log in that way, though). Make sure that one is password-protected as well, so they can't get access that way.
Agreed,

Omision said:
Since the kids obviously don't know a lot (since they couldn't take care of their computer), I doubt they pulled something tricky. Safe-mode boot is as far as I would think they would go, but I think it's more likely the Admin account wasn't logged off. Try having the computer password protect on screensaver (although it just works better if you get him to remember to log-off).

It's not that he doesn't want the kids getting pc access, he's out at work all day and the kids need to complete homework assignments. He just needs access when it's his time to access the pc; it's only fair that he should have Admin access regardless of what the others get up to. As you mentioned there's the possibility the old guy simply forgot to log off.
 
Sounds like the kid's Dad is a chump. He could always either ground the kid, forbid him from using the PC, or both. Surely he can't be around ALL the time. But, as an educated parent, he shouldn't need to be. There should at least be that "gut feeling" that the kid is doing something wrong and will constantly be looking over his shoulder to the point where it won't seem like it's worth it.

I mean it's the same thing with not wanting your kids to watch certain things on television, not wanting your kids to talk to the crack dealer down the street... etc.

We can talk about all the technical ways around this... but we're missing the basics.
 
IZON said:
It's not that he doesn't want the kids getting pc access, he's out at work all day and the kids need to complete homework assignments. He just needs access when it's his time to access the pc; it's only fair that he should have Admin access regardless of what the others get up to. As you mentioned there's the possibility the old guy simply forgot to log off.
I believe if you have Fast User Switching on, the password protect on resume option in the screensaver menu kicks you back to the Welcome screen, where the kids can then logon with their account. This obviously isn't the most resource-efficient, but it should work.

turd said:
Note that the poweruser can do most everything but mess with admin, but that is all relative. They can still create accounts but the premise is they will not have the need. Another option would be to create a sort of super user group with a lot of allow privileges.
If you do that, I would remove the ability to create new user accounts, since a power user (I believe) can create a new admin account, but not edit existing ones.
 
Anyone keep thinking of the command line?

net user Administrator *

Try it :)
 
I would lock them down using gpedit.msc. Lock out the run option and cmd prompt. You can take over an xp machine using the "at" command. You would then be running as the system account and freely change password or create accounts.
 
Build the kids their own cheap PIII computers or something. Can be done for like $50. I built my brother and sister their own computers after countless reformats and loss of data on my mother's computer. This was also to keep her from blaming anyone but herself; if she's the only one that uses it then she's the one that broke it. Then when the kid eventually screws up his computer and starts to complain, tell him to fix it on his own. (Also did that to my bro.) Handed him a pack of blank CDs and a WinXP CD. Said "backup your data, reformat and install XP, need help furthermore use Google". I'll tell ya, once they have to go through that trouble they'll try to keep it from getting screwed over.

My sister on the other hand has never had problems with her computer, so it was to my conclusion that it was my bro that kept screwing up my parents PC.

The machine I built my sister is a PIII 933Mhz, 384MB ram, cdburner, 10GB hdd, 16MB video card. It runs xp nicely and does what she needs. cost me $50 to put together, I built it for her for x-mas last year.
 
I am surprised no one mentioned the syskey. It gives another layer to the user accounts. Though a little draconian, it does work. It halts the pesky boot fun to get inside the machine's UAC. There are two key storage options. I would do the floppy option. Local storage is just as easy, but if you take the floppy, they have to ask for it after a restart. If you fail the syskey challenge, you get nothing but nothing.
http://support.microsoft.com/kb/310105


The rest is about working the gpe and not allowing the CP, prompts, limited start menu. Then move into what can and cannot be seen nor done. While you're there, disallow the System Properties too.
http://support.microsoft.com/kb/310791/en-us

Set installing/running creation items for Admin only. That will stop a lot of stuff. Allowing only a select group of programs will stop much of the hassles.

Xp can really be locked down and made to a tight config. If you need to go that far. You might as well not let the user on at all.
 