Windows XP - Beating the Password System.

Hi guys… here’s a computer question for you which has a bit of humour attached to it… it’s a true story which unfolded two nights ago…

I’ll list the various factors in point form so it reads a bit easier…

(1) 50 year old father fights with 22 year old son over Windows XP machine. The father recently purchased a state of the art PC with Windows XP “Home Edition” loaded.

(2) The son is an IT student currently doing machine code programming on a DIY electronic fuel injection thingy. Smart kid. Smart enough to be bloody dangerous if you know what I mean.

(3) The father was getting pissed off with his son making wholesale configuration changes to the new PC. So they settled on “user login profiles” which allowed father, son, and 20 year old daughter to make the PC behave just how they wanted - for them and them alone.

(4) The son, however, was using the “Default Owner” account - named “Spectre”. The father was using an account named “Garry”. Both accounts had full Administration rights - but the “Spectre” account was the true “owner” of the machine if you know what I mean - it was “user No 1” - originally named “Administrator” and later renamed to “Spectre”.

(5) The son kept loading new software, stuff like PC ANYWHERE and shit like that, which kept hi-jacking the default login screens. The father didn’t like that.

(6) 2 nights ago… the father asked myself (I’m a web database designer you see) to give him a hand setting up his PC to run super smooth and fast etc. Also, he wanted my opinions as to how to keep his son’s pottering in check. So I helped the father “retake” the “Spectre” account, we set up a special “son” account and made all users except the “Spectre” account “Limited Users” and only the “Spectre” account had “Administrator” permissions. We gave the “Spectre” account a new password that the son didn’t know - which was fair enough - it was the father’s PC after all.

(7) Well! The son beat us at our OWN GAME! The little twerp!

(8) When the father got back home from work, the son had applied a new password to the “Spectre” account, and was using it again, and had applied a password to the father’s account thereby locking him out. Of course, it’s all ego wars… but the question is this… how did the little twerp do it? The father had locked all the OS disks in the family safe - knowing full well his son would try and beat the challenge. The father locked the PC chassis and took the keys to work. How did the son manage this? The Twerp! :smiley: After all, he could only log on as the “Son” account, which had “Limited Permissions”.

(10) In short, how did the son beat the Windows XP Password system?
Please feel free to offer hypotheses - and/or to ask me for further info if you require such before offering said hypotheses.

Regards, Boo Boo! :slight_smile:

The account “Administrator” is always there, it cannot be removed or disabled. This is the system account with full privileges.

The same way I did when a customer brought his PC into the store I used to work at. He had his personal account all nicely passworded up, and every time we’d boot it, it would ask for it, and that’s as far as we could get. Then I discovered I could log in as administrator, because he’d forgotten to password protect that. You see, every XP system has a special Administrator account but everyone seems to forget about it when setting their systems up with user accounts.

If he has any Windows 2000 CD he can boot a Windows XP machine and start the Windows 2000 Recovery Console which will allow him to operate as Administrator without a password. In fact he can use any account without a password.

The most likely answer though from my security admin experience is the old PPP - a piss poor password.

:smiley:

Yes, silliness like this accounts for 80% of security breaches.

My understanding is that the “Administrator” account had been “renamed” to “Spectre” on this particular machine.

I verified this via Registry Editor too. When logged in as “Spectre” you were taken within “HKEY CURRENT USER” to the properties associated with “HKEY DEFAULT USER” - and not as a “sub user account”.

“HKEY DEFAULT USER” is the account the machine will boot to by default. Yes, that account can have administrator privileges, but the Administrator account still exists as a separate entity. It is not password protected by default; you have to go in and enter one. I think a good modification for Microsoft to add to XP would be to ask you for one when you first set your machine up.

Indeed Q.E.D. - a great suggestion.

May I confirm something then - is it impossible to rename the “Administrator” user account? As per my original belief?

If you used User Accounts in Control Panel you already have renamed the Administrator Account which is recommended for all XP installations so that hackers do not know an account name.

It is not impossible to rename the Administrator user account - in fact my company does it as a matter of policy, to discourage password guessing. (i.e., you can’t even reliably assume there’s an account named ‘Administrator’ to break in)

I second/third the vote for a weak password, or password written on a post-it on the monitor…or maybe the son downloaded some brute-force cracking software? Does anything interesting show up in the event log?

I’d also second the guess of using a boot disc or CD or the like to get in. Such a thing can often change the password without actually finding it out.

Here’s the run down again guys…

When the father and I “reclaimed” the son’s login account - formerly known as “Spectre” - we used the official “User Accounts and Passwords” interfaces to do the following…

(1) Create a new account called “the son’s name” and…

(2) Give a new password to the “Spectre” account… and…

(3) We then configured all users OTHER than “Spectre” as “Limited Users”.

I categorically assure you - there was no other username in the password interface called “Administrator” - there was, however, a user named “Guess” but it was disabled and you could not use it to log onto the machine at all.

May I repeat - I personally drove the Password Interface with account name “Garry” which had Administrator rights, we then unlocked the password attached to “Spectre” and logged in as “Spectre” and then drove the Password Interface again. Never, ever, did we see an account called “Administrator” - and this is because the name “Administrator” had been renamed to “Spectre” you see.

So how did the son crack the password system?

It looks like the CD or boot disc option is the most likely at this point.

SO how do you beat THAT?

By the way I’m not quite clear whether Dad is using the Garry account or thinks of the Spectre account as his, but like your UNIX/LINUX root account, Spectre should only be used for admin functions and not for browsing the web.

Years of security paranoia make me check this.

Boo Boo Foo - just to reiterate - you are right, the built-in Administrator account can be renamed to whatever you like.
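To illustrate the point several posters make above (renaming the built-in Administrator changes its name, not its identity), here is an added PowerShell audit check that is not from anyone in the thread; it assumes a modern Windows host with the LocalAccounts module, not the XP machine being discussed.

```powershell
# Added example (not from the thread): find the built-in Administrator account
# by its well-known relative identifier (RID 500) rather than by name, because
# the name can be changed. Assumes Windows 10 / Server 2016 or later with the
# Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.
function Get-BuiltInAdministrator {
    # The built-in Administrator's SID always ends in -500 for the local machine.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    [PSCustomObject]@{
        Name            = $admin.Name                        # current (possibly renamed) name
        Renamed         = ($admin.Name -ne 'Administrator')  # true if someone renamed it
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet             # $null means never set
        LastLogon       = $admin.LastLogon
    }
}

# Every principal in the local Administrators group, found via the group's
# well-known SID (S-1-5-32-544) so a renamed group is still located.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
}

Get-BuiltInAdministrator | Format-List
Get-LocalAdminMembers | Format-Table -AutoSize
```

Any account beyond the expected ones in the second listing, or a built-in Administrator that is enabled with no password set, is the kind of thing the father in this story would have wanted to know about.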

I know in some BIOSes you can disable booting from CD/floppy and only allow booting from the hard drive. I believe (ice is slightly thinner here) that in some BIOSes there’s also a facility for password-protecting BIOS changes, so someone can’t change it back to boot from floppy. I know that most BIOSes have a “supervisor password” that will lock the machine, but I’m thinking of a password to prevent unauthorized changing of settings.

An option that will disable booting from the floppy would be to connect the floppy drive to the “Drive B” connector, and see if that works. Doesn’t help you with the CDROM, though.

This “arms race” between father and son reminds me a little of this story.

Sorry I meant to say you can’t beat the XP security bug I mentioned, it’s just the latest hole in “the most secure version of Windows ever”. You have to deny physical access to the machine until there’s a patch.

Some great answers guys.

Thank you ever so much. Honestly.

And don’t ask - yes, you’re so right. I agree entirely. After I left on Monday night, the ONLY account which had true “Administrator” privileges was the “Spectre” account and all other accounts, including the father’s account called “Garry”, were limited users.

And also, I so totally agree with you regarding the analogy with a UNIX machine and the root user account. For your reference, I was working with Unix systems as long ago as 1987 so the security aspects are pretty firmly entrenched.

But it would appear the physical access “method of attack” is a woeful oversight on the part of Microsoft I would suggest.

I also found this product - it’s a hardware key that plugs into the USB port for real security. No idea how well this works.

Regarding the “physical attack” problem - how do Un*x machines deal with the same issue? I recall that even though NT 3.51 was “C2 Certified”, in order to receive that certification the server had to be physically locked in a room with guards outside, or something similar, and not connected to a network.

Yes it’s a pretty horrible flaw.

One last tip: change HK_DEFAULT_USER to Garry so that Garry gets into the habit of changing accounts for root access, you know, the old SU to root.

DarrenS: Any machine that can be booted from a floppy or a CD-ROM isn’t secure. IOW, *nixes deal with it the same way as any other OS does: They can’t, because it’s a BIOS-level breach. The OS loaded on the hard drive never boots.

That’s what you get for keeping 70s-era technology in modern hardware. The BIOS should have died about the time CP/M was falling out of fashion.

Password-protecting the BIOS is an option. Locking the tower in a steel box and hiding the key is a better option.

Woo Hoo Derleth! That’s what I like about you Americans! Just like your old saying regarding V8s - namely, “there’s no substitute for cubes” - well, there’s nothing like sheer brute impregnable steel to protect a computer, huh? :smiley: