XP Security on PC
Thread Starter
Joined: Feb 2002
Posts: 747
Likes: 22
From: (LFA 7a)
XP Security on PC
Hi all.
Heres the silly question of the day.
Can I secure my PC with a password?
As soon as it boots I want no further access unless a password is put in. (or maybe as soon as windows loads)
I am running XP home.
I think I have a problem with people able to acdess my PC when Im not in the office and I want to secure the whole caboosh
Heres the silly question of the day.
Can I secure my PC with a password?
As soon as it boots I want no further access unless a password is put in. (or maybe as soon as windows loads)
I am running XP home.
I think I have a problem with people able to acdess my PC when Im not in the office and I want to secure the whole caboosh
Administrator
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
Cheerio,
Is it really not possible to set a power-on password? Having a BIOS admin password is not the same thing.
Your teenagers must be quite savvy if XP passwords are of no use! Have you set up their accounts as administrators?
It is not THAT easy to break out of a plain USER account...
Start by disabling fast user switching...
You may also want to investigate the Group Policy settings which can proscribe activities for some or all users. Best to go to the MS website and search for Group Policy.
Also, with most hardware firewalls you can block access to specific internet sites - e.g. hacking, cracking, etc. if that is where they are getting their information.
SD
Is it really not possible to set a power-on password? Having a BIOS admin password is not the same thing.
Your teenagers must be quite savvy if XP passwords are of no use! Have you set up their accounts as administrators?
It is not THAT easy to break out of a plain USER account...
Start by disabling fast user switching...
You may also want to investigate the Group Policy settings which can proscribe activities for some or all users. Best to go to the MS website and search for Group Policy.
Also, with most hardware firewalls you can block access to specific internet sites - e.g. hacking, cracking, etc. if that is where they are getting their information.
SD
Joined: Apr 2004
Posts: 373
Likes: 0
From: Civ/HAL/SHY/FYY/PWK/AAS/WAD/AVI/GPT/BZN/BSN/WAD/BAS/FLK/WIT/MND/WAD/WIT/WAD/Civ
various methods
PC World (and other retailers) sell security dongles - a USB key that will not allow access to the PC unless plugged in.
Another idea - google for an "XP Power Tool" called "TweakUI.exe" - it's a free download from MS
All the Win2000 machines at work have "BSA" across the desktop with several of the PC facilities disabled - e.g. Click Start, but no shotdown option, no control panel. Right-click on the desktop to try & change wallpaper - access denied.
Another idea - google for an "XP Power Tool" called "TweakUI.exe" - it's a free download from MS
All the Win2000 machines at work have "BSA" across the desktop with several of the PC facilities disabled - e.g. Click Start, but no shotdown option, no control panel. Right-click on the desktop to try & change wallpaper - access denied.
Administrator
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
Cheerio,
I would be very interested to know how said youth got into the admin account (safe mode makes no difference, it is the same account). Did he a) know the password, b) guess the password or c) use a password cracking tool? Or some other method?
I just feel that you are fighting a losing battle against such technical whizz-kids
If they can circumvent such security as Windows XP offers (not great, admittedly), I wonder how long a dongle will last...
SD
I would be very interested to know how said youth got into the admin account (safe mode makes no difference, it is the same account). Did he a) know the password, b) guess the password or c) use a password cracking tool? Or some other method?
I just feel that you are fighting a losing battle against such technical whizz-kids
If they can circumvent such security as Windows XP offers (not great, admittedly), I wonder how long a dongle will last...
SD
Plastic PPRuNer
Joined: Sep 2000
Posts: 1,902
Likes: 0
From: Rochechouart, France
I rather tend to agree with Saab....
XP isn't THAT insecure! Is your Windows drive set up as FAT32 rather than NTFS perhaps (FAT32 has no security)? Do all accounts with root privileges have secure PWs (at least 7 characters, alphanumeric, mixed case, no dictionary words)?
If your PFY has really rooted your box from a properly restricted account on a secured box then he's quite smart, because it isn't that easy.
Note that the Admin account doesn't have a default password in XP Home (this isn't that much of a net security risk, because external logons are not permitted to Admin if there is no PW). Have you set one? Have you changed the name of the Admin account (always a good idea)?
I suspect that your PFY merely booted up in Safe Mode and logged in to the unpassworded Admin/root account. This is too simple to qualify as a hack BTW! Once there he could easily create a new account with a admin/root privileges.
See http://www.windowsecurity.com/articl...ed-Groups.html for some tips on increasing security.
Having said that, once someone has physical access to a machine and a bit of time to spare they'll always get in eventually, whether it is WinXP, Linux, UNIX or whatever.
BIOS PWs are dead easy, just short the jumper or pull the battery for a few minutes and it's all reset.
And if he's an enterprising feller he'll just pull the HDD, stick it in an XP machine to which he has Admin/root access, copy over some hacks and tinker away with the registry to make the OS autostart them before putting it back. Easy peasy!
PS: There ARE low level ways to make it harder (like using a different boot manager) or fiddling with the MBR and boot.ini but this is more security by obscurity than anything else. They won't do anything but slow down a real hacker with access to your box.
PPS: We're not talking about access to encrypted files on the NTFS EFS here, just access to the OS.
NB: If "youth X" did this in spite of a "final warning" then that's a declaration of war and I'd act accordingly!!
XP isn't THAT insecure! Is your Windows drive set up as FAT32 rather than NTFS perhaps (FAT32 has no security)? Do all accounts with root privileges have secure PWs (at least 7 characters, alphanumeric, mixed case, no dictionary words)?
If your PFY has really rooted your box from a properly restricted account on a secured box then he's quite smart, because it isn't that easy.
Note that the Admin account doesn't have a default password in XP Home (this isn't that much of a net security risk, because external logons are not permitted to Admin if there is no PW). Have you set one? Have you changed the name of the Admin account (always a good idea)?
I suspect that your PFY merely booted up in Safe Mode and logged in to the unpassworded Admin/root account. This is too simple to qualify as a hack BTW! Once there he could easily create a new account with a admin/root privileges.
See http://www.windowsecurity.com/articl...ed-Groups.html for some tips on increasing security.
Having said that, once someone has physical access to a machine and a bit of time to spare they'll always get in eventually, whether it is WinXP, Linux, UNIX or whatever.
BIOS PWs are dead easy, just short the jumper or pull the battery for a few minutes and it's all reset.
And if he's an enterprising feller he'll just pull the HDD, stick it in an XP machine to which he has Admin/root access, copy over some hacks and tinker away with the registry to make the OS autostart them before putting it back. Easy peasy!
PS: There ARE low level ways to make it harder (like using a different boot manager) or fiddling with the MBR and boot.ini but this is more security by obscurity than anything else. They won't do anything but slow down a real hacker with access to your box.
PPS: We're not talking about access to encrypted files on the NTFS EFS here, just access to the OS.
NB: If "youth X" did this in spite of a "final warning" then that's a declaration of war and I'd act accordingly!!
Last edited by Mac the Knife; 5th April 2006 at 18:40.
Joined: Sep 2001
Posts: 741
Likes: 0
From: UK
Hey - if they don't want to stick to the rules,why not remove the PC -
Take it to work or somewhere and leave it there for a few days until the point has been made
You're not allowed to beat the kids in the UK any more -
but you can still crack the whip - here - borrow mine
No point having rules that can be broken without consequence now is there
Coconutty
Take it to work or somewhere and leave it there for a few days until the point has been made
You're not allowed to beat the kids in the UK any more -
but you can still crack the whip - here - borrow mine
No point having rules that can be broken without consequence now is there
Coconutty
Plastic PPRuNer
Joined: Sep 2000
Posts: 1,902
Likes: 0
From: Rochechouart, France
"I'm sure I'm not alone with this problem!"
By no means!
Brief explanation:
There is *always a master admin/root account called "Administrator" - this is created during installation and has full admin/root privileges .
* the name of this admin/root account is "Administrator" by default - to increase security it is possible to change it to something harmless looking like "Jim" or whatever - I wouldn't bother in your situation.
This account is never shown on a normal login screen, only if you boot up in Safe Mode. In a default XP Home install "Administrator" may or may not have a password - installations vary, but usually not.
I suggest you login as "Administrator" from Safe Mode (just press Enter at the password prompt), go to Control Panel/User Accounts and change the "Administrator" password. Anything non-obvious will do - best is an easily remembered passphrase like "A Hostage 24 Tune" (a hostage to fortune), mixing capitals and lowercase and numbers. Write it down and put it in two safe places where you, but not youth X can find it.
Now for your account. Logout of "Administrator" and login normally as "Cheerio" (or whatever name you use). Check that your PW is non-obvious (Cheerio is a bad choice!) - pick a passphrase as above and write it down somewhere where youth X can't find it. The kids know your old one by now, so do change it.
Create a new, limited account for the kids. Don't bother to assign a PW.
See how they get on using that account.
Be warned that some carelessly written games (and some other apps) may not run. They want accesses to system files which is not allowed if started from limited accounts.
This is a big problem in XP that Vista, the next MS OS is "supposed" to address.
There are ways round this in XP, but they are all difficult, involve a LOT of fiddling and are distinctly non-obvious.
By no means!
Brief explanation:
There is *always a master admin/root account called "Administrator" - this is created during installation and has full admin/root privileges .
* the name of this admin/root account is "Administrator" by default - to increase security it is possible to change it to something harmless looking like "Jim" or whatever - I wouldn't bother in your situation.
This account is never shown on a normal login screen, only if you boot up in Safe Mode. In a default XP Home install "Administrator" may or may not have a password - installations vary, but usually not.
I suggest you login as "Administrator" from Safe Mode (just press Enter at the password prompt), go to Control Panel/User Accounts and change the "Administrator" password. Anything non-obvious will do - best is an easily remembered passphrase like "A Hostage 24 Tune" (a hostage to fortune), mixing capitals and lowercase and numbers. Write it down and put it in two safe places where you, but not youth X can find it.
Now for your account. Logout of "Administrator" and login normally as "Cheerio" (or whatever name you use). Check that your PW is non-obvious (Cheerio is a bad choice!) - pick a passphrase as above and write it down somewhere where youth X can't find it. The kids know your old one by now, so do change it.
Create a new, limited account for the kids. Don't bother to assign a PW.
See how they get on using that account.
Be warned that some carelessly written games (and some other apps) may not run. They want accesses to system files which is not allowed if started from limited accounts.
This is a big problem in XP that Vista, the next MS OS is "supposed" to address.
There are ways round this in XP, but they are all difficult, involve a LOT of fiddling and are distinctly non-obvious.
Administrator
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
Mac, great stuff!
Cheerio, just to clarify:
In order to maintain access control on files and folders and support limited accounts, you must use NTFS. If you use FAT32, all users will have access to all files on your hard drive, regardless of their account type (administrator, limited, or standard.)
So you REALLY, REALLY NEED NTFS!!
Also, you shouldn't need to go into Safe mode to access the administrator account, but this may be a "feature" of Fast User Switching , and the Welcome Login Screen. Go to Control panel, untick the Use the Welcome screen and Fast User Switching - that will force all users to enter a username and password - you can even set this so that it is always blank - i.e. doesn't show the last login ID.
There is a wealth of (reasonably) accessible information on Windows XP here, on the MS XP product documentation site - have a look at the security section
Cheers
SD
Cheerio, just to clarify:
In order to maintain access control on files and folders and support limited accounts, you must use NTFS. If you use FAT32, all users will have access to all files on your hard drive, regardless of their account type (administrator, limited, or standard.)
So you REALLY, REALLY NEED NTFS!!
Also, you shouldn't need to go into Safe mode to access the administrator account, but this may be a "feature" of Fast User Switching
, and the Welcome Login Screen. Go to Control panel, untick the Use the Welcome screen and Fast User Switching - that will force all users to enter a username and password - you can even set this so that it is always blank - i.e. doesn't show the last login ID.There is a wealth of (reasonably) accessible information on Windows XP here, on the MS XP product documentation site - have a look at the security section
Cheers
SD
