Windows Thread, Kids discovered the administrator password in Technical; I've recently found out some of the kids in our school have discovered the administrator network password. What's the easiest ...
  1. #1
    zag

    Kids discovered the administrator password

    I've recently found out some of the kids in our school have discovered the administrator network password.

    What's the easiest way to track when the administrator logs in and out? Are there any 3rd party tools available that make it easy to see?

    I can just change the password, but I would like to have an idea who knows it, where they are logging on and how widely it is available.

  2. #2
    SC-UK

    For a start, although it would be nice to know who it is, I would get the password changed ASAP!

    So much damage could potentially be done to your network unless you do.

  3. #3

    maniac

    Change it, straight away without fail or someone else will and lock you all out the system!

    If you turn on Account auditing, you can trace where and when people login. By default I think it only logs failures, but you can turn it on to log successes as well.

    Mike.

  4. #4
    ahuxham

    If your policies are enabled you can track "Audit: Logon Success" through Event Viewer and see everywhere Administrator has successfully logged in.

  5. #5

    Someone else may point out a horrible repercussion to this but if you're determined to catch them logging on, turn on auditing then create a second account with domain admin privileges and a new password and temporarily remove the administrator account from the domain admins - they'll still be able to log on with it but not do anything 'exciting', which will give you time to sneak up and hit them with LART.

  6. #6

    AngryTechnician

    I would actually do the reverse: rename the original Domain Admin account (something which is good practice anyway) and then create a new dummy account called Administrator. You could then customise this account to perform any action you want at logon via script... for example, silently sending you an email saying "I've just logged on at %COMPUTERNAME%"

    http://caspian.dotconf.net/menu/Software/SendEmail/

    Going forward, I would have a think about use of the master Administrator account. Personally, I almost never use it, ever. Anyone who requires admin access (including myself) has their own individual account which is a member of the Domain Admins group. This not only improves accountability, but ensures your master Administrator account is much less exposed, since it is not regularly used.
    Last edited by AngryTechnician; 8th February 2010 at 11:53 AM.

  7. 6 Thanks to AngryTechnician:

    AIT (9th February 2010), bio (8th February 2010), OutToLunch (8th February 2010), pwds (16th February 2010), zag (8th February 2010)

  8. #7

    plexer

    Possibly also look towards 2 factor authentication when logging on to clients as domain admins; Yubico looks like a cheap enough solution for this.

    Ben

  9. #8
    p858snake

    If you turn on auditing, turn on more than just log ons, see what else the little ones are doing in the account.

    Set a bright fluro background and if you have speakers in your computers you could script the setvol tool and have some audio play on login.

  10. #9

    SYNACK

    Quote Originally Posted by AngryTechnician View Post
    I would actually do the reverse: rename the original Domain Admin account (something which is good practice anyway) and then create a new dummy account called Administrator. You could then customise this account to perform any action you want at logon via script... for example, silently sending you an email saying "I've just logged on at %COMPUTERNAME%"

    Software :: SendEmail - Send email with this free command line email client

    Going forward, I would have a think about use of the master Administrator account. Personally, I almost never use it, ever. Anyone who requires admin access (including myself) has their own individual account which is a member of the Domain Admins group. This not only improves accountability, but ensures your master Administrator account is much less exposed, since it is not regularly used.
    +1 - this is exactly what I would recommend, that way you get to catch the offenders and secure the network.

  11. #10
    zag
    Cool, see my problem is I know the boys who have access, but I can't prove it yet. I need evidence before it can be taken further.

    They apparently found it out via offline files leaving a copy of a text file that has a technician's account details in. The file was RAR and Office passworded but they still cracked that. I didn't even think it was possible to break strong RAR passwords but you live and learn.

    I'm more interested in the process they used and the availability of the credentials around the school at the moment. I will do the dummy administrator thing, sounds like a great idea.

  12. #11

    Michael

    To be honest I would forget about who worked out the password and focus on restoring security. Quite rightly as others have said, you could become locked out of the network and getting back in would prove to be a right hassle!

    In Active Directory copy the administrator account and name as appropriate. For example call it eduadmin, or whatever you like. Now specify a ridiculously complex password of 20 characters and most importantly, disable the administrator account itself. Now enable Audit logging for failed logon attempts.

  13. #12

    RAR passwords can also be cracked, it just takes a little longer.
    At least you've learned not to put any password in a text file.

    All our admins do have a 'normal' user account with some elevated rights and a 'real' admin account which only works on 1 pc in their own office/room.
    All domain admin passwords and other important passwords are securely locked away in a safe and almost never used, just to prevent things like this.

  14. #13
    zag
    Quote Originally Posted by gjdb View Post
    All our admins do have a 'normal' user account with some elevated rights and a 'real' admin account which only works on 1 pc in their own office/room.
    How do you lock down the full admin account to one pc?

  15. #14
    zag
    For anyone who is interested I implemented some of the recommendations in this thread

    - Renamed the administrator account to admin and changed the password (thinking about disabling this at some point)
    - Created a new account called administrator, giving it normal teacher access rights
    - Created a batch file that emails me when the account logs on, apply this as a script in group policy
    - Changed password of any other admin accounts (also have policy now to change them once a term).
    - Removed any reference to the accounts from files on the network

    Here is the batch file if anyone is interested, it uses bmail which works on windows.

    Code:
    \\serverlocation\scripts\bmail.exe -s mailserver -t your@email.sch.uk -f alert@send.email.sch.uk -b "::Warning:: Administrator has just logged on at [%computername%]"
    I had to also allow the local IP subnet on my smtp server so it can email from anywhere inside the domain.

    Now I hopefully just sit back and wait for them to bite
    Last edited by zag; 9th February 2010 at 10:16 AM.

  16. Thanks to zag from:

    AngryTechnician (9th February 2010)
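
The success auditing suggested earlier in the thread can be read back with a script instead of Event Viewer. The following is an added example, not code from any poster: it assumes Windows Vista/Server 2008 or later (event ID 4624), PowerShell 3.0 or later, "Audit logon events: Success" enabled, and the account names `administrator` (decoy) and `admin` (renamed original) taken from the post above.

```powershell
# Added example: who logged on with the decoy or renamed admin account, and from where.
# Interactive logons (type 2) are written to the Security log of the workstation
# used, so point -ComputerName at the suspect PC; run from an elevated prompt.
param(
    [string[]]$Accounts     = @('administrator', 'admin'),  # names from the post above
    [string]  $ComputerName = $env:COMPUTERNAME,
    [int]     $Days         = 7
)

$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'
                 '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

$logons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        if ($Accounts -contains $data['TargetUserName']) {   # -contains ignores case
            $type = $data['LogonType']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type }
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
            }
        }
    }

# Timeline first, then a count per account and source
$logons | Sort-Object Time | Format-Table -AutoSize
$logons | Group-Object Account, Workstation, SourceIP |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Unlike the logon script, this also shows network (type 3) and remote desktop (type 10) logons, which never run a Group Policy logon script.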

  17. #15
    Flakes

    Quote Originally Posted by gjdb View Post
    RAR passwords can also be cracked, it just takes a little longer.
    At least you've learned not to put any password in a text file.

    All our admins do have a 'normal' user account with some elevated rights and a 'real' admin account which only works on 1 pc in their own office/room.
    All domain admin passwords and other important passwords are securely locked away in a safe and almost never used, just to prevent things like this.
    There's a bug in an old version of WinZip that allows you to change the password on zip/rar files without having to know the old password, I used it quite a few times... you could go to "change password", type something random in for "old password", then type in the new password you want to use, click OK, and then use the password you just set to open the RAR or zip. Surprised no one picked up on it, I'll have to dig out the CD it's on...
