Students can deactivate PC monitoring software by booting Windows into Safe Mode with Networking.
Audience:
This 'advisory' is for those of you who use PC monitoring/control software which relies on an agent on the student PC that is implemented as a Windows service.
Affected software: all Windows versions of ABControl, Impero, NetOP, Net Support, SynchronEyes, Securus etc.
Vulnerability details:
When Windows boots into Safe Mode it does not start third-party services. As the client agents for most PC remote control/monitoring software are implemented as Windows services, they will not run during a Safe Mode session.
By choosing Safe Mode with Networking a student can perform a domain logon and use Internet Explorer and other programs while outside the control of a teacher PC.
NT-based versions of Windows do not allow control of the F8 troubleshooting menu.
Mitigation: Safe Mode only has a VGA screen resolution (640x480 by 16 colours), which may be uncomfortable for, and hence deter, most student users. Students will only have the access rights they have during a normal Windows session. If they are members of the <Computer Name>\Users group they will not be able to modify any files or registry settings outside their own profile.
If you have web filtering via a separate proxy computer (ISA+Websense or Linux+Squid+Dansguardian) then students will not be able to load any webpages that they would not normally have access to.
Workarounds:
Create a login script which logs off the user if it detects the environment variable SafeBoot_Option=Network
Windows 2000 does not have a built-in logoff command, so you may have to download LOGOFF.EXE from the Windows 2000 Resource Kit
Rename or delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP
Renaming at least allows later reactivation by an administrator under one of the other Safe Mode options
Use a hex editor to manually edit NTLDR to deactivate the detection of the F8 keypress.
Warning: Changing system files directly is very dangerous. Make sure you can recover your Windows Installation and user data from backup.
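A sketch of the login-script workaround above, as an added example that is not part of the original advisory. The exemption list file and the log share (\\SERVER\logs$) are hypothetical names; on Windows 2000 the logoff call assumes LOGOFF.EXE from the Resource Kit is on the PATH.

```batch
@echo off
rem Added example, not part of the original advisory.
rem Windows defines SAFEBOOT_OPTION only during a Safe Mode boot
rem (MINIMAL or NETWORK); on a normal boot it is undefined, so the
rem comparison below fails and the script exits without doing anything.
if /i not "%SAFEBOOT_OPTION%"=="NETWORK" goto :eof

rem Assumption: hypothetical file listing accounts (one per line) that
rem may log on in Safe Mode with Networking for troubleshooting.
set "EXEMPT=%LOGONSERVER%\NETLOGON\safemode-exempt.txt"
if exist "%EXEMPT%" (
    findstr /i /x /c:"%USERNAME%" "%EXEMPT%" >nul && goto :eof
)

rem Assumption: hypothetical share that students can append to, so staff
rem can see which PC was booted into Safe Mode and by which account.
set "LOG=\\SERVER\logs$\safemode.log"
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% %USERNAME% SAFEBOOT_OPTION=%SAFEBOOT_OPTION%

rem End the session. XP and later have a built-in logoff command;
rem Windows 2000 needs LOGOFF.EXE from the Resource Kit (see above).
logoff
```

Call this at the top of the existing domain logon script so the check runs before drives are mapped or applications start.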
