Securing a Win2k3 Network

#1 dave20046, 24-11-2009, 02:49 PM

Right, I'll ignore most of your sniggers at the title, but I've got an 'awkward' pupil and I'm just after some tips.
The kid's managed to successfully hack the network and change security rights on shared folders; how he's doing it I'm not entirely sure, he's either used a boot tool or somehow obtained an admin password. What he has managed to do is create local admin accounts on machines. I really reckon he's used a boot tool actually (the admin accounts he's set up are named 'adm', if it's of any significance).

Now firstly, is there any way of stopping him messing with the local admin passwords? I'm thinking the chances are slim. Secondly (mainly), how is he utilising the local admin account to mess with the servers, and how do I block him? I thought that to do anything to files on the server he'd be prompted to enter network credentials upon connecting.

Help anyone?
#2 dave20046, 24-11-2009, 02:52 PM

Sorry, forgot to add: the client machines are all XP.
Pupils have the command prompt blocked and haven't many privileges.
#3 cookie_monster, 24-11-2009, 02:55 PM

Well, the first thing that you need to do is change the BIOS boot order and set a password so that the person can't boot your stations from any bootable media.

I'd probably also set this value to help stop local passwords being cracked: "Do not store LAN Manager hash value on next password change".

Use restricted groups to stop local admins from being added to stations.

http://www.windowsecurity.com/articl...ed-Groups.html

Make sure that all of your users are only ordinary users, NOT power users or local admins. Then I'd audit all users in the domain with administrator rights and change the passwords.
Also run the MBSA on servers and a few clients; this will highlight any obvious problems.

Oh, and I'd also be sitting the student down for a 'chat'. It doesn't have to be nasty, but they must be in breach of your AUP and could be suspended, not to mention any serious breach of data should involve the police.

Last edited by cookie_monster; 24-11-2009 at 03:03 PM..
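An added example, not from this thread or any poster: a PowerShell script that audits the local Administrators group on each station and reports members outside an approved list, which is how you would surface rogue accounts like the 'adm' ones described above. Station names and the approved list are constructed; it assumes the WinNT ADSI provider is reachable from a management box and the caller can read group membership remotely.

```powershell
# Added example (not from the thread): audit the local Administrators group on each station
# and report members outside an approved list, which surfaces rogue accounts like the 'adm'
# ones described above. Assumptions: station names and the approved list are constructed;
# the WinNT ADSI provider is reachable and the caller can read group membership remotely.

$Stations = @('WS-01', 'WS-02')
# Whatever you expect to see: the (renamed) built-in account plus the domain admins group.
$Approved = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $flags = [System.Reflection.BindingFlags]::GetProperty
    # Invoke('Members') returns COM objects, so read Name and AdsPath via reflection.
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', $flags, $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', $flags, $null, $m, $null)
        # A local account's path names the station itself; a domain account's names the domain.
        $isLocal = $path -like "WinNT://$Computer/*"
        New-Object PSObject -Property @{ Computer = $Computer; Name = $name; Local = $isLocal }
    }
}

$findings = foreach ($s in $Stations) {
    try {
        Get-LocalAdminMembers -Computer $s | Where-Object { $Approved -notcontains $_.Name }
    } catch {
        Write-Warning "$s: $($_.Exception.Message)"
    }
}
# Local, unapproved members are the interesting ones: accounts created on the box itself.
$findings | Sort-Object Computer, Name | Format-Table Computer, Name, Local -AutoSize
```

Run it again after Restricted Groups has been applied: any station still listing an unapproved local member has not picked up the policy.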
#4 KWestos, 24-11-2009, 03:04 PM

Put it on the school intranet that he wears his mam's knickers!
#5 Michael, 24-11-2009, 03:09 PM

As above, the BIOS boot sequence configuration needs to be changed and passworded. Secondly, the local administrator account password should be changed to something random too. By default XP leaves the administrator password blank. You can specify what the local administrator password should be in an answer file when Sysprepping machines.

On your domain, if you're using 'administrator', you should really rename this. You could also introduce Access-based Enumeration (ABE), so you can hide shares based on permissions.
#6 cookie_monster, 24-11-2009, 03:16 PM

Quote:
On your domain, if you're using 'administrator', you should really rename this
Good call. You can do this at the domain level and it will rename the local one on your stations as well.

HOW TO: Rename the Administrator and Guest Account in Windows Server 2003
#7 dave20046, 24-11-2009, 03:22 PM

Quote:
Originally Posted by cookie_monster
Well, the first thing that you need to do is change the BIOS boot order and set a password so that the person can't boot your stations from any bootable media.

I'd probably also set this value to help stop local passwords being cracked: "Do not store LAN Manager hash value on next password change".

Use restricted groups to stop local admins from being added to stations.

Using Restricted Groups

Make sure that all of your users are only ordinary users, NOT power users or local admins. Then I'd audit all users in the domain with administrator rights and change the passwords.
Also run the MBSA on servers and a few clients; this will highlight any obvious problems.

Oh, and I'd also be sitting the student down for a 'chat'. It doesn't have to be nasty, but they must be in breach of your AUP and could be suspended, not to mention any serious breach of data should involve the police.
Thanks for the above. I wasn't aware of the restricted groups setting; I'll look into it and get it enforced. I'll nip round as many vulnerable stations as possible to alter the BIOS settings too (was hoping I could avoid that!). Could you tell me where the 'do not store LAN Manager' value can be found?

I've had a chat with the pupil. All I could really say was 'don't be destructive, it's pointless'. He told me the machines he'd added the extra user account to and refused to give me much more information. He reckoned he could get on remotely from home and he reckoned he was using tools that automatically cleared the logs. He also reckoned his mate who works for the MOD would be launching a DoS attack at 15.05 today. It's just trying to determine the truth...

I'm keen to know how he's using the local admin account he's made to mess with the shared folders too.
#8 Michael, 24-11-2009, 03:27 PM

Yeah, and I reckon he has 4 arms too. Too busy doing things he shouldn't.
#9 dave20046, 24-11-2009, 03:29 PM

Quote:
Originally Posted by Michael
Yeah, and I reckon he has 4 arms too. Too busy doing things he shouldn't.
Indeed, it's frustrating; however, I'm staying positive. I'm not a teacher, I'm not allowed to discipline him; the teachers and head are well aware so it's up to them.

My main priority's getting stuff back on track and blocking him out. Interesting episode too.

Thanks for your help Michael, just renaming the admin now.

PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why though?

Last edited by dave20046; 24-11-2009 at 03:39 PM..
#10 cookie_monster, 24-11-2009, 03:44 PM

Take a look here for Do not store LAN Manager hash value on next password change; read the notes about 9x clients if you have any.

Network security: Do not store LAN Manager hash value on next password change

Quote:
PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why though?
The DA will still have the same SID, but it's still an extra stumbling block; security in layers, remember.
#11 theriver, 24-11-2009, 04:16 PM

Quote:
Originally Posted by dave20046
PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why though?
If you know the username, you know half the login details. Admittedly the smaller half (!), but every little helps...

If network folders have been changed, it means that either the compromised local accounts have access to the network folders (unlikely?), his account has access to do that to the network (unlikely?) OR that he's compromised a network account that has the relevant access. Given that many of your staff will be using their fave football team as their password, that won't have been rocket surgery.

Who has access to modify those folders? Enforce a password change, and for added fun scan the logs for failed login attempts in the next few days and see if you can catch him red-handed :-)

Good luck with the MOD ;-)
#12 dave20046, 24-11-2009, 04:20 PM

Quote:
Originally Posted by theriver
If you know the username, you know half the login details. Admittedly the smaller half (!), but every little helps...
True, I've applied that GPO now; however, it doesn't seem to have changed the username.

Quote:
Originally Posted by theriver
If network folders have been changed, it means that either the compromised local accounts have access to the network folders (unlikely?), his account has access to do that to the network (unlikely?) OR that he's compromised a network account that has the relevant access. Given that many of your staff will be using their fave football team as their password, that won't have been rocket surgery.

Who has access to modify those folders? Enforce a password change, and for added fun scan the logs for failed login attempts in the next few days and see if you can catch him red-handed :-)

Good luck with the MOD ;-)
What he's actually done to the network folders is removed rights; he stripped all the users of rights to their own My Documents (folder redirected). Only an administrator could have done that...
#13 cookie_monster, 24-11-2009, 04:27 PM

Quote:
True, I've applied that GPO now; however, it doesn't seem to have changed the username.
I made the change in the default domain policy. I'd be tempted to wait until scheduled downtime to try it, and remember that the stations might need a policy refresh or reboot.

Quote:
What he's actually done to the network folders is removed rights; he stripped all the users of rights to their own My Documents (folder redirected). Only an administrator could have done that...
Again, another task for the evening or hols, but change all of the share permissions to 'change' rather than full control; this stops users editing NTFS permissions remotely. I'd test this with folder redirection as I haven't tried it with that.

Last edited by cookie_monster; 24-11-2009 at 04:30 PM..
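An added example, not cookie_monster's or the thread's own: PowerShell that lists share-level permissions on a file server through WMI and flags Allow entries granting Full Control, the setting the post above says to drop to Change so users cannot rewrite NTFS permissions over the share. The server name is constructed; it assumes the caller has remote WMI access to it.

```powershell
# Added example (not from the thread): list share-level permissions on a file server and flag
# any Allow ACE that grants Full Control, since that is what lets a user change NTFS
# permissions remotely. Assumptions: $Server is a constructed name and the running account
# can query WMI on it.

$Server = 'FILESRV01'
# Standard share-permission access masks as Windows reports them.
$FullControl = 0x1F01FF
$Change      = 0x1301BF
$Read        = 0x1200A9

function Get-ShareAces {
    param([string]$Computer)
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer
    foreach ($s in $settings) {
        # Skip hidden administrative shares (C$, ADMIN$ and so on).
        if ($s.Name -like '*$') { continue }
        $sd = $s.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) { Write-Warning "$($s.Name): cannot read descriptor"; continue }
        foreach ($ace in $sd.Descriptor.DACL) {
            $level = switch ($ace.AccessMask) {
                $FullControl { 'Full Control' }
                $Change      { 'Change' }
                $Read        { 'Read' }
                default      { '0x{0:X}' -f $ace.AccessMask }
            }
            # AceType 0 is Allow, 1 is Deny.
            if ($ace.AceType -eq 0) { $type = 'Allow' } else { $type = 'Deny' }
            New-Object PSObject -Property @{
                Share   = $s.Name
                Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                Type    = $type
                Level   = $level
            }
        }
    }
}

# Shares where someone other than administrators holds Full Control are the ones to tighten.
Get-ShareAces -Computer $Server |
    Where-Object { $_.Type -eq 'Allow' -and $_.Level -eq 'Full Control' } |
    Format-Table Share, Trustee, Level -AutoSize
```

Drop the Where-Object filter to see the whole share DACL, including Deny entries, before changing anything on the redirected-folder shares.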
#14 fagan, 24-11-2009, 04:31 PM

We had this problem with kids adding local administrator accounts. It turned out that they had been bringing in the shortcut to Computer Management on a USB pen drive and running it. All we did was set up software restrictions to stop them running .lnk files. Was a pain as they also changed local admin passwords as well as adding their own users.
#15 cookie_monster, 24-11-2009, 04:44 PM

Quote:
Originally Posted by fagan
We had this problem with kids adding local administrator accounts. It turned out that they had been bringing in the shortcut to Computer Management on a USB pen drive and running it. All we did was set up software restrictions to stop them running .lnk files. Was a pain as they also changed local admin passwords as well as adding their own users.

They must have some form of admin rights already to be able to add users to the administrators group.