Need some WinNT/2K/XP Linux "boot disk hack" Counter Measures.

JoLLyRoGer

Diamond Member
Aug 24, 2000
4,153
4
81
We've all seen and heard about that Linux program that fits on a floppy and allows a would-be hacker to locally access the SAM file and rewrite the administrator password.

I know basically what I need to do to defeat this: move the SAM file from the default location so that the Linux program can no longer mount that file.

What I need to know is: what key do I have to edit in the registry to point Windoze to the new location for the SAM file?



You would absolutely die laughing if I were to tell you why I need to do this.

Thanks,
JR..:cool:
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Not exactly the solution you are looking for but hear me out:

1. remove floppy drive :D

2. take floppy drive out of the bootup sequence in the BIOS and password protect BIOS.

The second is probably the best option (even though I hate floppy drives with a passion) of the two ways to stop it that I know of. I really just want to know why you need to do this. You can tell a fellow DCer :p ;)
 

JoLLyRoGer

Diamond Member
Aug 24, 2000
4,153
4
81
OK, I'll spill it: When dinosaurs walked the earth...........................................

This is a computer I'm building for my mom. A home workstation. My little brother still lives at home with her and is driving her crazy with his "internet habits". Basically it boils down to him getting into trouble with ICQ and MSIM and surfing where he shouldn't be. He said some things to some girls that weren't quite appropriate and their parents got p!ssed, called my mom and blah blah blah. She was pretty embarrassed. Anyway... she calls me (she ALWAYS calls me... thinks I'm her personal tech support rep.) and wants to know if there is anything she can do to control what he can do on the 'puter. So... I offer to build a new computer running Win2K Pro, making her admin and him a guest, giving her complete control over what gets installed on the 'puter and the parental settings on the browser.

Sounds good, right? The problem is, he knows about the Linux hack and would not think twice about locking mom out of her own computer altogether (sheesh... the information I've shared with my brother is coming back to haunt me).

I've thought about the BIOS and it is password protected (for now), but I know how to defeat that and I'm pretty sure he does too.

I can't exactly send mom back a computer with no floppy drive either.

Now you see why I'm going for the "SAM file relocation" trick, since the conventional countermeasures are more or less a moot point.
I'm pretty sure he won't think of this, and even if he does, a. he won't have enough privs to find out where I've stuck the SAM file, and b. he doesn't know enough about Linux to reconfigure the hack program's mount point even if he did know where I put that file.

The goal is to protect the admin rights. I know. It's a lot of trouble considering I'm not storing any top secret information on this box or anything. Just tryin' to keep a kid (who knows enough about computers to be a danger to himself and to others) from installing IM programs and surfing prOn.


The End..


P.S. I live almost 2000 miles from my mom, so I need to make sure this thing is locked down tight before I ship it out. It's not like I can just drive over and fix it if my brother does something stupid.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
There's no substitute for discipline :)

But anyways, one way could be to get one of those cases (not a computer case, but rather a case where you put your computer in, you know, anti-theft type cases).
Just get one that allows you to power on the box without opening it, then tell her to lock it and keep the key somewhere safe.
 

thornc

Golden Member
Nov 29, 2000
1,011
0
0
Well,
I've used those boot disks before (forgot the admin password :p), but they will only work if you have not encrypted the file.

Do a search on Google and check how they work. You'll find a few sites describing the conditions where those work;
you just have to make sure that these conditions aren't fulfilled....

 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Buy a floppy drive lock - little gizmos that sort of go into the drive like a disk, but contain a key lock that prevents their removal. Give Mom the key. That should work, though those locks are pretty expensive IIRC.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Like n0c said, a "lights out" policy on any computer you are worried about.
Floppies are a thing of the past anyhow.
 

NogginBoink

Diamond Member
Feb 17, 2002
5,322
0
0
There's a fundamental rule of computer security that says if you ain't got physical security of the machine, you ain't got no security on that machine. (I paraphrase here, of course.)

Seriously, though, think about that: whether it's mom's computer or BigCorp's server in an unlocked computer room, a determined attacker needs no more than a Phillips screwdriver to completely bypass any logical security you've implemented.

So, as others have stated, your first line of defense should be physical security. A floppy lock is a good idea. (Or the absence of a floppy drive altogether.)

I will assume that little brother disassembling the computer would be noticed and is not an attack you wish to protect against. (If it is, the computer gets tamper resistant screws and/or goes in a locked cabinet.)

Physical security does get much much more involved in this, but for mom's computer, most of that is out of scope.

THEN talk logical security.

Put strong passwords on the user accounts, of course.

DO NOT give the little brother local admin rights with his user account. And yes, DO create an account for both mom and little brother. Sooner or later little brother will need to use the computer. If he knows mom's password and mom is an admin, you just lost all your security.

Computer security is a battle between the attackers and the defenders. Ultimately, the attacker ALWAYS wins. In *any* security system, the goal of the defender is simple. You want to make it more expensive to attack and defeat the security system than the attacker is willing to pay. (That means time and effort as well as money.) Your little brother, if determined enough, WILL get past your security. Is he willing to disassemble the computer and get caught? Or is that "too expensive" for him? Those are the questions you need to answer before you can build a security plan.
 

rahvin

Elite Member
Oct 10, 1999
8,475
1
0
Umm, are you putting the Windows 2000 on an NTFS partition and encrypting the important files you are concerned with? If you do that I doubt he could hack the security, because there are few tools in Linux that can write to an NTFS partition without toasting the partition, and encrypting a file on NTFS should make it well beyond his abilities. Win2k did get DOD approval for a non-networked machine, meaning you can lock it down in a non-networked environment.

And as mentioned before, this appears to be a discipline issue foremost more than it's a security issue. If his computer use is a problem, he shouldn't be allowed to use the computer unsupervised; that would include placing it in a locked room.
 

JoLLyRoGer

Diamond Member
Aug 24, 2000
4,153
4
81
I agree wholeheartedly with this being a discipline issue, but it's not my place to enforce that discipline. BTW, did I mention that I live 2000 miles away from them? I've tried to tell mom this, but she's just not assertive enough. My first suggestion to her was to get a laptop and store it when not in use, but she doesn't like those. Ultimately everyone who has said this really isn't a security issue is absolutely right. I'm just trying to do what I can to make that OTHER job a little easier for mom.

Physical security is definitely a consideration, but it's just not feasible in this application, so here I am back to logical security.

I spoke with a few of the administrators that work the NT side of the house at work, and one of them was telling me that moving the SAM file would work; I'm just curious about what's involved with doing that. I hadn't thought of the encryption idea, so I'm going to research that too (thanks for the suggestion).

I'm just wanting to logically lock down this machine as tight as I can, and hope little bro's not ambitious enough to worry about defeating the security. (I doubt this will be the case.) I honestly want to pursue this moving-the-SAM-file idea because I'm almost positive he won't think about that (I wouldn't have if someone hadn't tipped me off), and even if he does, there will be nothing he can DO about it (hopefully).

Thank you to everyone who has replied so far. I appreciate the thoughts and ideas that have been coming out of this thread.
:cool:


BTW, since we're on the security topic, does anyone know if "they" have figured out a way to circumvent WinXP activation?

Who are "they"? I don't know. "They" are whoever "they" are.

[dons flame suit] Just looking for a yes or no answer here, I'm a happy Linux user and could give a rat's a$$ about pirating MicroSuck software. However, I DO think that WPA crap is BS :rolleyes: and I can't wait to hear that someone has figured out how to consistently take it down! :D:D:D [/dons flame suit]
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< BTW, since we're on the security topic, does anyone know if "they" have figured out a way to circumvent WinXP activation?

Who are "they"? I don't know. "They" are whoever "they" are.
>>



Not a security issue, but yes, it's possible. And apparently not that hard, since plenty of immoral people use a cracked version every day.



<< [dons flame suit] Just looking for a yes or no answer here, I'm a happy Linux user and could give a rat's a$$ about pirating MicroSuck software. However, I DO think that WPA crap is BS :rolleyes: and I can't wait to hear that someone has figured out how to consistently take it down! :D:D:D [/dons flame suit]
>>



It's not BS. :)

BTW, how would you remove the password from the BIOS? I'm curious, since I've seen almost no ways to do it and I always worry that if I set that I would forget the password. If you don't want to mention it in here, feel free to PM me.

Thanks.
 

JoLLyRoGer

Diamond Member
Aug 24, 2000
4,153
4
81
I don't know, I would tend to interpret WPA as security, not in the same light that this thread is written in, but it is a countermeasure designed to protect intellectual data. I still have to say it's BS; for instance, I like to upgrade my PC(s) every once in a while, usually this consists of building a new one, and if I'm paying $300.00+ for some software, I better damn well be able to install it on every last PC in my house.

But to answer your question, there is a program out there called "!Bios". It runs a script on a PC's BIOS and is able to detect the password in most cases. I'm not sure how it works on newer BIOSes, but I have used it and it does work. I know that it supports Award, Phoenix, and American Megatrends BIOS along with some others. I don't remember where I found it, but if you're interested I can FTP it to you. It's small and doesn't take long to transfer (even on dialup). PM me with your MS Instant Messenger name if you want it.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< I don't know, I would tend to interpret WPA as security, not in the same light that this thread is written in, but it is a countermeasure designed to protect intellectual data. I still have to say it's BS; for instance, I like to upgrade my PC(s) every once in a while, usually this consists of building a new one, and if I'm paying $300.00+ for some software, I better damn well be able to install it on every last PC in my house. >>



You can, but just like *EVERY OTHER MS OS* you need an individual license for each. It's their software, you play by their rules. It sucks, I'll give you that, but I pay $80 (up from $60) per year for OSes for 2 of my systems so I don't have to worry about it. ;)



<< But to answer your question, there is a program out there called "!Bios". It runs a script on a PC's BIOS and is able to detect the password in most cases. I'm not sure how it works on newer BIOSes, but I have used it and it does work. I know that it supports Award, Phoenix, and American Megatrends BIOS along with some others. I don't remember where I found it, but if you're interested I can FTP it to you. It's small and doesn't take long to transfer (even on dialup). PM me with your MS Instant Messenger name if you want it. >>



No thanks. I'll take a look for it if I get interested enough to try it out. Thanks though.

*MSN Messenger? Bah ;)
 

JoLLyRoGer

Diamond Member
Aug 24, 2000
4,153
4
81
Yeah, MSN Messenger, I know, it's sleeping with the enemy, but so many of my friends use it, I'm left with no choice.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Yeah, MSN Messenger, I know, it's sleeping with the enemy, but so many of my friends use it, I'm left with no choice. >>



I can't flame you too much, I use AIM :p
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0


<< BTW, how would you remove the password from the BIOS? I'm curious, since I've seen almost no ways to do it and I always worry that if I set that I would forget the password. If you don't want to mention it in here, feel free to PM me. >>

All you have to do is take the battery off the mobo and/or use the "clear CMOS" jumper, and that clears the BIOS of any settings you've made (returns to default), including the password :)
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<<

<< BTW, how would you remove the password from the BIOS? I'm curious, since I've seen almost no ways to do it and I always worry that if I set that I would forget the password. If you don't want to mention it in here, feel free to PM me. >>

All you have to do is take the battery off the mobo and/or use the "clear CMOS" jumper, and that clears the BIOS of any settings you've made (returns to default), including the password :)
>>



I knew that one, but I was looking for a way outside of dismantling the computer ;)
 

mobly99

Senior member
Apr 27, 2001
260
0
0
Here is where it is at in the registry...
Whether or not it will work if you relocate the file and modify the registry, I'll leave up to you to try.

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
Value 5
Name: \REGISTRY\MACHINE\SAM
Type: REG_SZ
Data: \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
There are other ways to remove a BIOS password; the easiest way I know is just using debug... I won't post instructions here though, for obvious reasons, but it's worked on every system I've tried it on...


 

NogginBoink

Diamond Member
Feb 17, 2002
5,322
0
0
If physical security (the right answer) is beyond your means, create a login for little brother and deny him execute permissions on the programs you don't want him to be able to run.

But a floppy lock really is the better answer.
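As an added illustration (not code from anyone in this thread), here is how the "non-admin account plus deny execute on the unwanted programs" advice from the last posts could be applied today with PowerShell. The account name `brother` and the program paths are placeholders; the script assumes the Microsoft.PowerShell.LocalAccounts cmdlets available on Windows 10 and later and must run from an elevated prompt.

```powershell
# Added example, not from the thread. Placeholder values: adjust to the real account and programs.
$User  = 'brother'                                   # non-admin local account (placeholder)
$Paths = @(
    'C:\Program Files\ICQ\icq.exe',                  # placeholder path
    'C:\Program Files\Messenger\msmsgs.exe'          # placeholder path
)

# 1. Make sure the account is not in the local Administrators group.
#    An admin could simply strip the deny entries added below, so this step comes first.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -match "\\$User$") {
    Remove-LocalGroupMember -Group 'Administrators' -Member $User
}

# 2. Add a Deny ExecuteFile ACE for the account on each program file.
#    Deny entries are evaluated before Allow entries, so this wins over group grants.
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found, skipping: $p"; continue }
    $acl  = Get-Acl -LiteralPath $p
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, 'ExecuteFile', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $p -AclObject $acl
}

# 3. Verify: list the Deny entries that now apply to the account on each file.
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like "*\$User" } |
            Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference, FileSystemRights
    }
}
```

A deny ACE only protects that copy of the file, so it belongs alongside the non-admin account and the physical controls the thread recommends rather than in place of them.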