Computers, Technology and the Internet in Thailand. Have questions? We have answers?
This forum deals with all computer related issues from a living in Thailand perspective.
8th October 2005, 22:09
#1
theanimaster
Securing your school's (or your own) Windows computers
I've been longing for the chance to manage a computer lab of "my own" in the school I work at. For the first semester I had been given the general computing labs that both "normal program" and "English Program" students share. While I try as humanly possible not to despise the "normal" kids as intellectually challenged as they are, I do have some real concerns about my EP students - some of whom suffer from the "normal" class kids happily deleting the EP students' hard work from their workstations. Being the general computing lab - I have little authority over securing each workstation so that these "accidents" don't happen, but now that the school has purchased a good number of new computer units for the new EP Computer Lab, I have been given the chance to handle how these new workstations are treated - it's now on my turf.
The first thing I did when the new units arrived was to create two user accounts for each workstation:
- A password-protected administrator account for staff and teachers to use (to manage everything on the computer or to use the computer without restrictions)
- A "limited" user account for students. A limited user account allows the students to use the computer as normal - but they can't install anything on it (i.e. games) - or at least I didn't think they could... I'll discuss this in a while.
With two user accounts on each workstation - everything else was pretty straightforward - teachers would log-in with the "Staff" account, while students logged into the "Student" account (without a password).
Everything was going alright until I noticed some of my students were playing games on the machines - INSTALLED games. There was only one way they could have logged in with "administrator" privileges without knowing the password to the "Staff" account:
SAFEMODE LOG-ON
By default Windows already has an "Administrator" account... one that has God-like powers and access to all other accounts. Also by default, though this account is hidden during normal start-up, this account is NOT password-protected, and if you log on using "safe-mode" by holding down F10 while the computer restarts, you can access this Administrator account. I have used this technique myself to reset the passwords on old accounts that some of my fellow teachers have forgotten. I didn't think some smart-aleck student would have known this. Apparently I give them too little credit.
So I had to "password-protect" each of these "invisible" Administrator accounts. To do this, I had to log-on to each workstation using "safe-mode". Note that holding down F10 doesn't work straight-off as Windows boots. You have to make Windows "aware" that you are trying to fix something (remember - Windowz is stupid), so you'll have to do a hard reset (press the reset button on the unit) as you see the Windows logo during start-up, and THEN press and hold F10 until you come to a screen that gives you the safe-mode boot options.
Boot in Safemode.
Shortly, provided you're using a newer version of Windows, you'll be presented with the Super-User accounts: every Administrator account on the machine - and one of these is the ingenious unprotected Administrator account. Click on this one to log in and change its settings.
Everything else is straightforward. You go to USERS in the Control Panels and set up a password for the account. When you logoff, your students will no longer be able to do the good ol' F10-boot-trick to install those nasty games (unless they've figured out your password)!
Right. Now if anybody has any ideas on creating a "Drop-Box" so that my students can submit assignments onto a central location that only I have access to - I'd love to hear from you. On a Mac this is easy-peasy.. on Windows.. well.. Windows is Windows.
PS. Since we're all adults here I take it that no one will use the "F10-boot-trick" to hack into their respective school accounts. Thank you.
8th October 2005, 22:39
#2
youngyoda
You will need either Windows 2000 or Win XP and NTFS on your main teacher PC.
You have two options.
1. Use a Windows Server to set up a domain, which is not an easy thing to do and requires a short piece of work. This includes setting up a Group Policy and default user password to log into the domain.
This method will allow you to keep the user profile on the main server, lessening the security threat of access to the local administrator account.
2. You can keep your current setup and set permissions based on the student default login username on the main teacher's PC. Which is probably the way you will want to go.
After that you will want to set up a share on your main PC. Add the username to the list and permission it per the instructions below.
Share permissions set to full control (you will micro-manage this share via NTFS permissions).
NTFS permissions are as follows (you can access this list via the EDIT permissions button on the Security section of the ADVANCED folder properties).
*Since you might not want them to read each other's files you can deny reading of the files, so that other students' work cannot be viewed.
Traverse folder = allow
List folder = allow
Read attributes = optional allow
Read extended attributes = optional allow
Create files = allow
Write attributes = allow
Write extended attributes = allow
Delete = deny
Delete subfolders = deny
Take ownership = deny
Read permissions = optional allow
Next you will want to mount the share to, let's say, the Z: drive. From there create a folder for each class and instruct each class to share their assignments on the Z drive in the respective class folder.
On the main teacher PC you can run “Gpedit.msc” to create a local group policy to further lock that PC down. You can also use a tool called “secedit.exe” to export that new policy and redistribute that policy on the other computers to lock them down further as well.
EDIT: Had to edit a few times. Been a while since I had to lock down a PC.
Since I wanted to help you protect your teacher PC I will tell you how they can hack your main computer. Lol
1. Boot up PC with small CD or floppy based distribution of Linux
2. Acquire program to hack Windows password file
(this program analyses the administrator account for its password and changes it to the user's specifications or the original password can be displayed.)
3. Use changed password or enter password into the login dialog box.
OUCH! Admin access w/o entering safe mode
The way you can get around this is make the teacher PC not able to boot from floppy discs & CD-ROMs. And also set a BIOS password.
Ok now how they can hack that…..
1. Pull battery from motherboard or mess with the reset jumper on your teacher's PC.
OUCH, BIOS password gone..
In any case these kids are going to be able to hack in one way or another, but you can do your best and know your enemy’s battle plan and at least fend off some of their attacks.
__________________
-----
ETA: Mid Jan - ???
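The drop-box permissions listed in post #2, written out as a script for a current Windows machine. This is an added example and not part of any post in the thread; the folder path, share name, class folder names, the `TEACHER-PC` host name and the choice of `icacls` and `New-SmbShare` are assumptions, while `Student` is the shared limited account from the first post.

```powershell
# Added example: write-only "drop box" for the shared Student account.
# Run from an elevated prompt on the teacher PC; the volume must be NTFS.
$root    = 'D:\DropBox'       # assumed folder location
$share   = 'DropBox'          # assumed share name
$student = 'Student'          # limited account named in the thread
$classes = 'EP-1', 'EP-2'     # assumed class folder names

# Resolve the local Administrators group from its well-known SID so the
# script also works on non-English Windows installs.
$sid    = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$admins = $sid.Translate([Security.Principal.NTAccount]).Value

New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. Teacher side: Administrators and SYSTEM get full control of everything.
icacls $root /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F'

# 2. Drop inherited entries so only the explicit ACEs set here remain.
icacls $root /inheritance:r

# 3. Student allow ACE on folders only (CI without OI): traverse, list
#    folder, read/write attributes and extended attributes, create files,
#    read permissions. No append-data right, so students cannot create
#    subfolders, and no allow ACE is inherited by the submitted files.
icacls $root /grant:r "${student}:(CI)(X,RD,RA,REA,WD,WA,WEA,RC,S)"

# 4. Explicit deny for delete, delete subfolders/files and take ownership.
icacls $root /deny "${student}:(OI)(CI)(DE,DC,WO)"

# Class folders are created after the ACL is in place so they inherit it.
foreach ($c in $classes) {
    New-Item -ItemType Directory -Path (Join-Path $root $c) -Force | Out-Null
}

# Share-level rights: Change for Student is a choice made in this example
# (the post sets the share to Full Control).
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $root `
        -FullAccess $admins -ChangeAccess $student | Out-Null
}

# Review the result. Students then map the share, for example:
#   net use Z: \\TEACHER-PC\DropBox
icacls $root
Get-SmbShareAccess -Name $share
```

Because every student logs on as the same `Student` account, that account owns each submitted file; giving it Change rather than Full Control at the share level means permissions cannot be rewritten or ownership taken through the share.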
8th October 2005, 23:31
#3
theanimaster
Whoa! I always knew there would be a downside to being able to boot from CD... there was one computer in the old labs that had TWO versions of Windows installed (I can imagine how). In any case, I won't be securing the BIOS just yet until I suspect someone's figured it out. If they are "smart" enough to boot from CD, then definitely they know their way around the BIOS.
Well hey - thanks for the tips! A very interesting read indeed!
__________________
Just Buy a Mac
9th October 2005, 00:02
#4
LDMA
Good thread and an issue that I myself am dealing with as our EP's computer teacher.
The idiot that set up our computers' admin account set it with identical passwords, so once the kids found it out, some little sod changed it on every bloody computer in the EP section. Result: all computers need re-installing.
The kids at our school want shooting for what they've also done to the computers.
RAM has been stolen, nearly every set of headphones has been damaged, kids delete other kids' course work from the HDDs, they've installed every bloody game/spyware app under the sun, used the computer boxes as footrests, and some little sod has even changed the name of every desktop icon to "fffffff" on some computers so My Documents and Recycle Bin have to be known by ALL students on sight as icons, and some kids aren't that computer literate.
As I hinted before though, the school is partly to blame, and I've drawn up a number of proposals. Firstly there's a culture amongst the secretarial staff of giving the keys to the computer room to kids on request, and despite there being a staff member whose job it is to supervise he just walks off mostly.
When this has been allowed the students make sure that the window is left unlocked so they can sneak back in after hours and surf porn. Kids even try to hang back at the end of my classes so they can unlock the window...caught onto that one fairly quickly. The school has not hired any specialist technicians to the extent that now 11/26 computers are now unusable, and no-one can do anything about it. The network/workgroup file sharing doesn't work properly, and the entire school of some 100 computers runs off a single 512kps line. Hardly ideal teaching conditions.
I've tried explaining to the server guy that the slowness might just be down to kids streaming music off Kapook.com all day, but he doesn't know how to configure the squid web cache system to block sites and won't let me onto the server to figure it out myself. I've confiscated all headphones as all they ever get used for is for playing mp3s instead of working.
The other problem is the room layouts...it's blindspot central and all the bad boys know which computers can't be monitored by the teacher...sure you just move them, but why not make life easier.
*sigh* 
__________________
LDMA - Ajarn Forum Admin
I like ajarn.com. It is a fun place. I was going to get out my list of great grievances, grandiose gripes, grand groans, grave grumbles and my granduer of grating grim grisly grime, but I won't, because I can't stop growing with the gruesome gritty grubby and grotesque grin.
Duncecap
10th October 2005, 23:02
#5
dirty dog
There are forums for kids to hack into the school's PCs, yep, whole forums devoted to this. The F10 one is years old; you're way behind them if you're worrying about that one. Hell, all they got to do is run cain on any PC and they got all the passwords ever used on it...
11th October 2005, 08:54
#6
swamp
Thanks for mentioning cain. That might have been the one last thing my students didn't know.
I don't know what the requirements are to become a school admin in LOS. They drive me nuts. Life would be easier without them. Keeping everything top secret, locking everything with passwords but telling one 'very special student' the admin password. Well, in LOS when one knows...
I've tried hard to be a 'good boy' but finally had to 'modify' the settings on one machine simply cos I couldn't do my job.
Admin is very angry at me but hasn't got the knowledge to 'tinker back'.
What's the point of creating a partition on a hdd and using it as backup?
13th October 2005, 12:33
#7
Reg Young
Simple rule when dealing with computer labs: if you know how to do it, they know how to do it. Unless you're a fairly high level code monkey, the knowledge most of us possess about computers is out on the internet to be had for a google.
- Reg
13th October 2005, 23:01
#8
champagne charlie
At my school the staff computer room is a catastrophe. The Thai teachers have managed to install every virus, spyware, browser-hijacker, etc. known to man.
They have no concept...
Unfortunately, they won't allow farang hands to touch the network. And if you're Thai and you can sort out network setup and security, chances are you wouldn't work at a school ($$$$$).
Good luck to ya...
14th October 2005, 20:03
#9
friscofrankie
Set up a server within a domain. Add all your workstations to it. Require each student to have an ID and password. Limit access of these IDs to specific hours. REMOVE CDs and floppy drives if you can; if not, at least disable boot from them.
Create user directories on your server. Create an assignment directory under each one. Set up user profiles to map drives to these directories. Set up roaming profiles, disable locally stored profiles (I don't recommend this on medium to large networks but in a small comp lab environment it'll be OK). Computer labs are notorious administration nightmares. Stringent configurations are required. Lock down all write access to all but the user home directories. Maybe one public area for group work. Assignments should be secured from all but the admin/teacher and the student submitting the work. One user = one directory.
Require users to authenticate to the network to access workstations. With no local IDs they can't circumvent this by unplugging the network. Give users read-only access to the local machines or limit them to one directory if you must. Lock down write access to the C drive and open only what you absolutely need to. Repeat, there should be NO local IDs. Give the domain admin admin rights to all machines (put that ID in the local administrators group). RENAME the local administrator account, disable guest. Lock down the machine by placing a password on the CMOS setup. Lock the server up in a closet or private room.
As long as someone can get to the machine you are at risk. But if you deny them access to boot devices without opening the machine you are way ahead of 'em.
Anybody that has been "longing" to administer a school computer lab has got to be a masochist, or enjoy a hefty challenge, daily. I suggest if you really want to stay ahead of this game you get a couple of books on Windoze security and administration. There are some good tutorials on the net. Start with MS's websites. There have been more words written about Windows administration and security, or lack thereof, in the past few years, than just about any other subject on the planet, so there is plenty out there. There is no way this subject can be covered even mildly in a forum such as this.
If you read the bastard, at least you'll be able to develop the right mindset.
__________________
Worst Response To A Crisis, 1985:
From a readers' Q and A column in TV GUIDE:
If we get involved in a nuclear war, would the electromagnetic pulses from exploding bombs destroy my video tapes?
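The local-account steps from posts #1 and #9 (put a password on the built-in Administrator, rename it, disable Guest) as an audit-then-fix script. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later with the `Microsoft.PowerShell.LocalAccounts` cmdlets, and `lab-maint` is a made-up replacement name.

```powershell
# Added example. Run from an elevated prompt on each workstation.

function Get-LocalAccountFindings {
    # The built-in accounts are identified by the last part of the SID
    # (500 = Administrator, 501 = Guest), so a rename does not hide them.
    foreach ($u in Get-LocalUser) {
        $rid    = ($u.SID.Value -split '-')[-1]
        $issues = @()
        if ($rid -eq '500') {
            if ($u.Name -eq 'Administrator') {
                $issues += 'built-in admin still has its default name'
            }
            if ($u.Enabled -and -not $u.PasswordLastSet) {
                $issues += 'built-in admin enabled and password never set'
            }
        }
        if ($rid -eq '501' -and $u.Enabled) {
            $issues += 'Guest is enabled'
        }
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $issues += 'account may have a blank password'
        }
        if ($issues) {
            [pscustomobject]@{
                Account = $u.Name
                SID     = $u.SID.Value
                Issues  = $issues -join '; '
            }
        }
    }
}

function Protect-BuiltinAccounts {
    param(
        [Parameter(Mandatory)][string]$NewAdminName,
        [Parameter(Mandatory)][securestring]$AdminPassword
    )
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    # Password first, so the account is never left renamed but unprotected.
    $admin | Set-LocalUser -Password $AdminPassword
    if ($admin.Name -ne $NewAdminName) {
        $admin | Rename-LocalUser -NewName $NewAdminName
    }
    if ($guest.Enabled) {
        $guest | Disable-LocalUser
    }
}

# Report first, fix, then report again. The shared password-less Student
# account from post #1 is expected to remain in the second report.
Get-LocalAccountFindings | Format-Table -AutoSize -Wrap
$pw = Read-Host -AsSecureString 'New password for the built-in admin'
Protect-BuiltinAccounts -NewAdminName 'lab-maint' -AdminPassword $pw
Get-LocalAccountFindings | Format-Table -AutoSize -Wrap
```

Use a different password on each machine; post #4 describes what happened when every lab computer shared one admin password.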
14th October 2005, 23:33
#10
LDMA
Good food for thought everyone...
15th October 2005, 21:01
#11
dirty dog
Here you go, your students will love this: BIOS passwords
TOSHIBA BIOS
Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot
IBM APTIVA BIOS
Press both mouse buttons repeatedly during the boot
15th October 2005, 23:33
#12
friscofrankie
Are those verified BIOS setup passwords or is that a general dictionary file?
Boot passwords are not the same as BIOS setup passwords.
Quote:
Originally Posted by phoenix(award)
The following suggestion will work only for passwords used before the operating system boots. If you set up a password only for booting the PC, in most instances you can enter the BIOS Setup to disable the password.
If you also placed a password on Setup itself, there is no "back door" password unless the computer manufacturer modified the BIOS to have one. The password is stored in CMOS and cannot be accessed by any other means. Contact your manufacturer for assistance. If you cannot contact your manufacturer, take the PC to a computer repair shop.
If you wish to attempt disabling the password yourself, you will need to erase CMOS. You should not do this unless you already have written down or printed out all of the BIOS Setup parameters, or if you are certain that restoring the Setup default values is sufficient for operating your system. Take these steps:
clear the CMOS (remove the CMOS battery until POST displays a "CMOS checksum bad" or a similar message);
re-install the CMOS battery;
run the BIOS Setup;
restore the correct BIOS Setup settings.

Those passwords are so unimaginative and easily guessed I would tend to think they're nothing more than a cracker's attempt at a dictionary file. Thing about BIOS passwords: they require you to manually enter them, so cracking can take a while, and if you use a password like p#f&%2G*! it's not likely to be in any dictionary file.
On high-end machines you can open the box, set a couple of jumpers and reboot, resetting the password.
I'll reiterate what I said in an earlier post (with more detail): any time your machine is available to a cracker physically you are at very high risk. In fact, it's impossible to prevent a security breach from a determined cracker!!
That said, just because someone can find a way around your security is no reason not to make it as difficult as you can to do so.
Even if there are back doors available you still close all the front doors. Lock the windows, close and lock the doors; if someone wants in, make 'em work their asses off.
To manage a computer lab is tough, tough, tough. You'll need to stay up on the common exploits:
Just to note one I remember from before: there is a way to execute code as an administrator on a local machine, by injecting commands into processes running as admin, like a virus prot program. There are several buffer overflow exploits in services running on Win NT machines (yes, XP is just a flavor of NT) that allow the cracker to execute malicious code.
To find out more go to www.securityfocus.com and get on one, or more, of their mailing lists. You'll get about 20 extra emails a day, but maybe one of them can help prevent a disaster.
If one of your students cracks a machine and infects it with a trojan or worm, the other machines will be a bit more secure if you lock down your machines.
On another tack: build your machines identical, make an image file of that install using one of the several tools available, and when a machine gets cracked, hose it and install fresh with your image. Do some research on what's available. Ghost works, but used to require a few hacks for machines in a domain. Win2k (2003 too) server has a couple of tools to package machine configs. There are others. Read, read, read. The internet is a good source, but stay away from too many fly-by-night sites; do a google on security.
I spent a few years as a systems and security architect. The job will make you old and cranky. It's a never-ending battle. New exploits are discovered every day and if you aren't up on the bleeding edge, you're just bleeding.
Thing is, if it's important keep it on a secure machine (server), away from prying fingers.
16th October 2005, 00:20
#13
dirty dog
I assume they are manufacturers' passwords, it's not a dictionary, it's the same with locked phones, the manufacturers have their own passwords.
16th October 2005, 00:40
#14
friscofrankie
Gonna try 'em on my machine just to verify.
Hell, not sure what BIOS I'm using, but I'm gonna try 'em all and if even one of 'em works I'm gonna complain; demand a refund.
Tomorrow
Was on the phone with Cisco one day; they gave me an undocumented way around their config passwords. Those things are like the first stage of a good firewall if you're setting up a DMZ for a website or online app.
Had to be at the router, shut it down and bring it up with a few extra keystrokes. I keep repeating, securing a machine against someone that has physical access is impossible. You do all you can, get an image of the thing and stay tuned to every security bulletin you can.
Need to add this
Quote:
Originally Posted by Phoenix also
NOTE: it can take up to several days for the CMOS to go bad without a battery. This is caused by capacitance in the circuit. This charge can be safely discharged by using a 10k-ohm resistor, touched to the battery connectors for a few moments (while the battery is removed).
16th October 2005, 01:12
#15
dirty dog
As you posted earlier, everything is out on the web, just google it. When Windows brought out the new verification thingy for the ppl with dodgy versions of Windows so they couldn't update, it was cracked in 3 hours, and the guy didn't probably know about it for the previous 2 hours and 50 minutes.
All times are GMT +7.