Family Matters (and a hacker)...

Tagrineth

Dragony thingy
smegforbrain said:
Because Microsoft thinks that people are too fucking stupid to have total control over their own computers, regardless.

Amusingly enough, for the most part, they are exactly right.

Remember, MS is selling its OSes to the mainstream masses, not to the 1337 |-|4(|<3|2$.
 

Doomulation

?????????????????????????
Hehe...those are nice suggestions. But I suppose he wouldn't have to go that far...
But M$ OSes will always have loopholes...you'll have to live with it.
 

RJARRRPCGP

The Rocking PC Wiz
AlphaWolf said:
Well, if you are truly wanting to keep him off of it, then you would get one of those cases that you can physically lock, and only install a user secured operating system on your computer (e.g. all NT based OSes, or linux, no DOS or Windows 9X, period,) and then disable booting to anything other than the hard disk in your bios. This is of course assuming that he won't go so far as to render physical damage to the computer (if he does, then you're just fucked no matter how you look at it.) Here's why:

In Windows NT and beyond, Microsoft decided to be smarter than they were in the past, and not store decryptable passwords (this is actually how everybody else has been doing it for years). Basically, the passwords are stored as a hash, so when somebody enters a password, the OS can only tell if the password is correct or not, but even the OS itself can't know what the exact password is.

But, there is one pitfall to this: It's possible to erase the password hash and reset the checksums so that the OS basically assumes that there is no password, or the password is set to some kind of default, which of course anybody can know (or you can even simply change the hash to match a password that you know). There exist bootable images for both floppy disks and CD-ROMs that contain a set of utilities that do exactly this, and don't require any intelligence on the end user's part other than to be able to make the bootable medium in the first place, and then follow some simple instructions.

Sure, you could try to set your bios to not boot to anything other than the hard disk, but there are two easy ways of getting around this. The easiest way is to just pop out the watch battery in the motherboard, and use a wire to short the anode and cathode ends, which will discharge your cmos and reset the bios settings, to include your bios password (some motherboards even include a nice labeled jumper to do this without removing the battery). Another way is to simply take the hard disk to another computer, and boot this utility set from there.

Currently I have only seen one type of PC that is actually immune to this: laptops. 99% of all laptops you buy actually store the bios password to a flashrom chip, so you can't simply reset the bios. Also, most of them (including mine :D ) have a feature that encrypts the hard disk's entire Master Boot Record based on your password hash, rendering the data on it basically useless unless you have a few hundred bucks to spare to have a data recovery professional get it off of there for you.

I have not seen one desktop motherboard have any of these features, so, that leaves it up to you to ensure that nobody physically breaks into your PC. The reason that laptops have these features is because they get stolen much easier, and it makes it that much harder for the thief to make use of your laptop, or even worse, steal the data off of the hard disk, which often times is worth more to them than the actual laptop itself is.

So far as removing hard disks whenever you're not using your computer: 1) pain in the ass 2) internal HDDs are easily damaged by repeated removal/reinsertion 3) external HDDs are slower and cost more. Best of luck in securing your computer :happy:

Actually, the MS loopholes are not major, compared to the Windows 95-based OSs. I'm a 1337 Windows 95 and Windows 98 system policy bypasser :D

With a Windows 95-based OS, (possibly also includes Windows ME)
I know how to get around registry editing access blocking and other system policy-based blocking:

You use your Windows CD and it will work *EVEN* with copies of Windows with a different product key. Run the Poledit.exe utility off of it and Windows still will let it save changes to the registry.
 

AlphaWolf

I prey, not pray.
Well, with all 9X OSes (including ME,) all you have to do is move or rename the .pwl files, and the system is yours to rape as you please, then just move em back when you're done :D
 

Kaoss626

New member
AlphaWolf has some great suggestions here.

I do have a suggestion or two to add to them. In making a list I'll probably include some suggestions made by him and others.

-most towers have a tab (optional and usually not installed but not hard to find and install yourself) that allows for locking the computer case in place, thereby preventing physical access to the tower. This stops physical access to the cmos battery and the internal hard drive. Once the tab is there and your computer is good to go, install a padlock on the tab.

-set BIOS to boot C before anything else.

-password protect changes to the BIOS.

-you may at this point use a boot password at the bios level and this should be fairly secure.

-using Win2000 or XP (definitely NOT DOS, 95, 98, 98SE or ME) log on as Administrator.

-Change the Administrator password.

-for maximum security, create a new account with administrator privileges and set a password on that account. Log on to the new account, ensure that you have administrator privileges. Delete the account named administrator.

-Ensure the "guest" account is disabled or delete it.

-Ensure that users must press Ctrl+Alt+Del to log on.

-Ensure that the last user's name will not be displayed at the logon screen. This will prevent a hacker from gaining even an account name.

-Do not run ANY software service that acts as a server unless absolutely necessary (IIS, Apache etc)

-Check out http://www.winguides.com/security/ and make sure you have covered as many back doors as you can

-Use a firewall (that runs as a service, so it will run even if the machine is not logged on) and block any potentially threatening IP.

-For added security, use this as a guide http://www.techspot.com/tweaks/win2k_services/index.shtml to disable as many server services as you can.

Good luck, maybe, just maybe you might be able to secure your machine, but every day new holes are found to get in.
 

KingTom

aka "Passion"
take out all the innards of your computer, buy an empty tower, speakers, keyboard & monitor, and set up a secret computer in your house somewheres
or even better, sell your computer and buy a laptop to go everywheres with you
 

Doomulation

?????????????????????????
Nice suggestions there, but there are two errors.
One: The administrator account cannot be deleted whatsoever. It can be hidden, however, and usually is. You may also change the name of the default administrator account which can be of some help.
Two: Same as above, but for guest. Also remember that the guest account *CAN NOT* be password protected. The guest account may also be renamed.
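
A read-only audit of the logon items from the checklist and the rename advice in this thread, added here as an example and not posted by any participant. It assumes Windows PowerShell 5.1 or later (newer than the Windows versions discussed), an elevated prompt, and an English install where the built-in account is named `Administrator`; the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of the logon items
# in the checklist above. Assumes Windows PowerShell 5.1+ and an elevated prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy value has never been set.
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function New-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-LogonHardening {
    # Built-in accounts keep their RID after a rename: -500 is the
    # administrator, -501 is the guest, so match on SID, not on name.
    $users = Get-LocalUser
    $admin = $users | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
    $guest = $users | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }

    New-Result 'Built-in administrator renamed' ($admin.Name -ne 'Administrator') $admin.Name
    New-Result 'Guest account disabled' (-not $guest.Enabled) "Enabled=$($guest.Enabled)"

    # DisableCAD = 0 means Ctrl+Alt+Del is required at logon.
    # An unset value counts as a failure because the default varies.
    $cad = Get-PolicyValue 'DisableCAD'
    New-Result 'Ctrl+Alt+Del required' ($cad -eq 0) "DisableCAD=$cad"

    # DontDisplayLastUserName = 1 hides the last user name on the logon screen.
    $last = Get-PolicyValue 'DontDisplayLastUserName'
    New-Result 'Last user name hidden' ($last -eq 1) "DontDisplayLastUserName=$last"

    # W3SVC is the IIS web service; other server software uses its own service names.
    $iis = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
    $iisRunning = ($null -ne $iis) -and ($iis.Status -eq 'Running')
    New-Result 'IIS not running' (-not $iisRunning) "W3SVC=$($iis.Status)"
}

Test-LogonHardening | Format-Table -AutoSize
```

Because the built-in accounts are matched by RID, the first two checks still find them after a rename.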
 
