• Inside-family hacking job — how to block

    #476845

    Any suggestions as to how to block a rogue user, who doesn’t have administrator rights and who is supposedly restricted by Parental Controls to time limits and selected applications/web sites, from hacking into what apparently is administrator rights? 🙁
    A youthful member of the family apparently has learned how to gain access to administrator rights on the Win XP OS in our desktop PC. S/he is able to go around the settings in Windows XP Parental Controls. She is also able to change file/folder ownerships, apparently. He has also deleted the Norton Internet Security application — or at least disabled it.
    Recently, when I came into the room unexpectedly, I looked at the screen as she was leaving the room, and the OS was just starting-up in the screen at which the user can select start-up in Normal, or Safe Mode, or a few other choices. I selected Safe Mode and hit Enter. Then began a scrolling of what I recall was a list of programs, or perhaps they were folders. Of course, I wound up in Safe Mode.
    We want to let the user continue to use the PC, only within the limits we set with Win XP Parental Controls.

      - Has this ever happened to you — on any version of Windows?
      - Any ideas how the perp is doing this?
      - Any ideas how to block this ability, other than locking up either the PC or the perp?

    Thanks.

    • #1280790

      Possibly, the user knows the password of the hidden “Administrator” account.

      • #1281061

        tfspry:
        Well, the user might have known my wife’s account password — I made both her and myself administrators on this PC. I’m not sure, but that leak perhaps lasted long enough for the initial mischief to take place.
        The two administrators’ accounts have quite secret passwords now, since the first violation occurred — which was over six months ago.
        /// New question: is there a third account, a hidden administrator account, in Win XP? Or, are you referring to one of the two I mentioned? ///

    • #1280794

      I selected Safe Mode and hit Enter. Then began a scrolling of what I recall was a list of programs, or perhaps they were folders. Of course, I wound up in Safe Mode.

      This sounds like the SOS option was added to that boot selection. This option displays all of the drivers and services as they get loaded and started.

      Has this ever happened to you — on any version of Windows?

      My kids always had unlimited admin access. So far they haven’t hosed their computers with a virus; though my wife did once.

      Any ideas how the perp is doing this?

      Google is a wonderful thing, you can find all kinds of ways to crack into systems, especially ones that are not locked down sufficiently. And even if you lock the system down tighter than a drum, all the perp needs is a USB drive or CD with an OS on it (such as a Linux live CD) and boot from that. At that point she can change/modify/remove any file on the hard drive.

      Any ideas how to block this ability, other than locking up either the PC or the perp?

      What is it that you are trying to limit? Access to certain files? Access to certain web sites? Access to certain programs? If you can pinpoint exactly what you want protected, there are usually ways. Files and apps are easier to protect, limiting web access is more difficult – there are tools to help with this, but there are probably cracks for each tool.

      • #1292561

        If using a router you could always block access to certain programs or ports and/or else you could also set predetermined times where the PC can be used. Lot of work but a solution.

    • #1280800

      I would definitely change the password of the Administrator account, and DO NOT share this password. Choose a password that only the adults in the home know and one that is strong and not obvious. A Google search gives various ideas on parental controls. Read through several of the sites to get ideas.

      Stronger parental punishment might be a deterrent as well.

    • #1280828

      Hi John, during set up, did you set a password for the ‘Administrator’s’ account?

      • #1281062

        Yes… both administrator accounts are on [separate] passwords.

    • #1280831

      Keep the computer in a very public part of the house.

    • #1281063

      Hi John,

      /// New question: is there a third account, a hidden administrator account, in Win XP? Or, are you referring to one of the two I mentioned? ///

      The real Administrator account is not accessible during normal use, only yours & your wife’s, which are part of the Admin Group.
      The only way I know to see the Real Admin account is to boot in safe mode, by tapping F8 during start up.

    • #1281064

      Update.

      Installation is going to automatically assign a computer name in the Computer Name and Administrator Password screen. Once you see the name it chooses you’ll be grateful it can be easily changed. The important part of this screen is the administrator password. All the begging and pleading in the world can’t make you choose something that’s hard to guess, but just remember that this one single choice you’re making right now is the key into everything you hold near and dear (and private) in the world of computing. It’s also essential you remember the password, even if you aren’t a case sensitive type of guy/gal.

    • #1281097

      Hi John – To get to a listing of Users and Groups….
      You can Right Click My Computer, > Manage > Local Users and Groups
      You will see Descriptions for some Users and Descriptions for all Groups.
      You can Right Click any of the Users or Groups for further info.

      • #1281236

        Sounds to me that a bit of corporal punishment applied to the buttocks is in order. Regardless of the age of the perpetrator. Might be even more effective on older culprits.

        • #1281486

          I don’t know about a paddling, but if I found out my kid had intentionally disregarded the limits I had placed on his/her computer use, he/she would find his/her computer privileges revoked until such time as said child agreed to abide by the rules of the household. Once that issue was settled, I would encourage and support my child’s obvious computer-related talents.

          • #1281494

            1. When installing WinXP keep the computer OFF-LINE (not connected to any network);
            2. As Roderunner said: provide a strong password to the “Administrator” account when prompted during the install;
            3. Keep in mind that every other account created during install (i.e. yours and your wife’s) is in the “Administrators” group. Provide those accounts with strong passwords immediately after the first login;
            4. Lock down your fresh WinXP install (after you’ve installed your preferred bunch of applications) using a method that is suitable for you (stop unnecessary services and/or disable them, configure your security suite according to your needs etc.);
            5. Connect your machine to the net and update everything you can;
            6. Create the limited user account(s) and configure them and the parental control method(s) of your choice;
            7. Disable booting from USB, CD/DVD, SD-Card, Network (BIOS settings) and password protect the access to BIOS (read the “User manual” of your motherboard/computer).
            8. It wouldn’t hurt to use a home router running DD-WRT (an open-source router and firewall that runs on home-use routers such as Linksys, D-Link and others).

            Those are standard practices that I’ve come to recommend to everyone, but keep in mind that physical access to a computer means that, given enough time and knowledge, any security measure can be circumvented.

            My final thoughts on that post: educate better, restrain less. Imprint in your kids and/or pupils, friends, coworkers the commandments like “Knowledge is power”, “With (great) power comes (great) responsibility”, “Do to others what you want to be done to you” and such. And _always_ encourage exploration and the responsible search for knowledge. An overprotected child can become a victim or a criminal, and neither of those are our ideals 🙂

    • #1281500

      When my son had an online gambling problem we used the ‘full transparency’ model. We installed the free version of ManicTime. This is a PC usage logging program that keeps a record of every file opened and every website visited. The beauty is it also gives the time on and time off every activity. If he tries to delete any activity it shows up as a ‘hole’ in the usage log and we know he has something to hide – knowing that we can check at any time is a fantastic deterrent to him. In your case you can apply sanctions such as “every hole will reduce your usage by one week” – and stick to it.

      Mind you how you can stop smartphone activity is another problem.

      • #1281525

        I don’t have time to give a detailed overview right now, but sign up with OpenDNS. (it’s free for basic functions)

        It will give you a better internet experience, and has parental control capability that can’t be bypassed by simple computer hacks (assuming you have a router that you can control and secure).

        http://www.opendns.com/

        (just a happy user!)

        Ben~

        • #1281533

          Hi John

          When you first install Win XP and you don’t assign an administrator password, the admin account is unprotected. Just remember that this is not the same account as the two you created with administrative rights. Boot into safe mode and log on as the administrator. If the account is unprotected you will not be asked for a password. Go to Control Panel and then User Accounts. Select the Create Password option and give the Administrator account a password that contains lower case letters + upper case letters + digits. This will lock out your hacker kid from the admin account. The same obviously applies to you and your wife’s accounts as they have admin rights. Good luck

          • #1281538

            It may seem harsh, but to at least prevent use without someone around to monitor the culprit, try using a BIOS password.

            • #1281542

              If you are at the graphical login screen, all you have to do is type in ctrl+alt+del twice and it gives you the textual login screen. After you have that all you do is type in the username: Administrator, and the appropriate password, then you are in as the Administrator with no safemode limitations. Once you are in this account you will want to do all of the other things mentioned, change password, ensure the access levels of all of the other accounts are what you think they should be, etc.

              As an aside I would recommend, like some others before me, more stringent physical security. For example: taking the monitor cable off when you are away to limit alone access, setting a difficult BIOS password such that the computer will not boot unless you have already booted it, putting the computer in the family room or kitchen so that the screen is clearly visible from most of the room, etc.

              Remember, where security is concerned the simpler the system is, the more difficult it is to hack around it.

      • #1286989

        For anyone having difficulty remembering passwords, the longer ones being more secure but harder to recall, then do a keyboard combination, not obvious ones like qwerty or asdfgh or 123456 etc, but combinations that describe a shape or figure on the keyboard.

        No-one can guess them or computer hacker programs crack them, try to include numbers and “shifted” keys as well and or characters like full stops too.

        The more the merrier.

        Be artistic with your passwords !

        Hope this helps.

    • #1281552

      The best way to stop this sort of thing is to purchase a program such as “Net Nanny” and spend a bit of time getting to know and control it.
      I have listed a few things that you can do below but I would still suggest getting a program such as Net Nanny. Here is a review of some of these programs http://internet-filter-review.toptenreviews.com/

      A quick way to secure your administrator password is to load windows normally using your administrator account. Click on the START button and click on “Run”.
      In the “Open” text field type “control userpasswords2” (omit the quotes) and then click “OK”
      Highlight the “Administrator” account and then click on “Reset Password”
      Type in the new password and repeat it. Click OK and finally click “OK” again to close the user control window.
      With windows you can also use shifted numeric keys such as @ # & * in your passwords. A password length of 10 characters made up of Upper Lower Numeric and Shifted Numeric keys is a good minimum length to use for your passwords.

      As stated in a previous reply you should password your BIOS, and also set your BIOS so that the only boot disk is your hard drive.
      Being able to boot from USB Floppy Disk or CD / DVD will allow password re-setters (available freely on the Internet) to be used.

      One last thing is to check your security programs (antivirus and Firewall) for exclusions listed which may be keyloggers.
      Keyloggers can be downloaded free on the Internet that record passwords etc for anyone who installs the program.
      To be sure you could run one of the many free online antivirus/malware scanners. Choose one from a well known vendor to be safe.

      • #1281571

        I have a feeling that most people commenting on this issue disregard how the relationship with their children will be in some years. Tough control and “spying” may very well lead to lack of trust – and that is probably not what you want.
        My advice would be to drop all kinds of control / supervision, and rather have a very open dialogue with your children on what they may find on the internet, what they are not supposed to do with computers, the dangers of making appointments with strangers etc. If you try to control them, they will most likely find some way around – or they will visit friends and use their computers. And preventing them (by using some program) from visiting certain internet sites will at the same time most certainly prevent them from finding useful information on the net for school work.
        As some have pointed out, it may be a good idea to put the computer in a very open place, accessible to everybody. But, as the use of wireless networks is being used by more and more people, and children have their own PCs, this advice will probably have limited value.

        • #1281594

          Another possibility, the kids are not so untrustworthy. So what if they want to explore their erotic side or some other aspect of their humanity, a computer can be used for that as well as anything else. If they like/need it they will pursue it no matter what safeguards are in place.

    • #1281566

      We have always had all our computers in a family area, usually close to the kitchen. There are always headphones if someone wants to play games when someone else wants quiet. Since we now have a couple of young software engineers in the family most of the “Net Nanny” type of software would have been a waste of time. We are nagged about “unsafe practices” now.

    • #1281611

      You can also lock down some of the browsing or at least shape some of the internet access by using OpenDNS as your DNS provider. You basically reset the DNS on your router to point to OpenDNS instead of your ISP. You can get pretty granular on the type of sites allowed. Works great for teenage sons ;>)

    • #1281612

      Reset your DNS in your router to point to OpenDNS. This will allow you to control what types of websites users can or cannot get to. Works great on teenage sons ;>)

      • #1281648

        Disable the “administrator” account and the “Guest” accounts. (Make sure you have an “administrator” account with another name.)

        Change the passwords on administrator accounts, and make sure that all other users are not administrators. In my house I am the only administrator, but have 3 different administrator accounts with difficult passwords that have never been shared, and several non admin accounts.

        Parental controls (Vista) is set to block downloads for all other “users” (except one). Unfortunately I have not found a way to selectively allow PDF and text and block all others, or some method of allowing selective downloads. This means that I have to log onto an account that allows downloads and supervise the downloads. My 27 year old daughter has a second account that allows downloads that she uses for PDF files.

        “UserTimeControl” from 1securitycenter.com to set time limits for all children and block changes to system files. This can be overridden with a separate password that I have shared only with my wife.

        I use OPENDNS as the DNS server for both the computer and the router.

        Autoplay is turned off for all removable devices.

        COMODO Internet Security

        ACER Vista Home 32 bit, 2GB memory.

        One daughter has lost computer privileges except for school work requirements due to posting family information that should not have been shared. She has refused to write up an agreement for computer use that we parents require before she is allowed to log on herself. The computer is in the living room behind the couch, the desk and side table create a walkway between the living room and dining room.
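
An added example, not part of the thread or any poster's code: a Python sketch that parses `net user <name>` reports and flags the account conditions the replies above say to check (an enabled built-in Administrator or Guest account, unexpected members of the Administrators group, and accounts whose flags permit a blank password). The sample reports and the names John, Mary and Junior are constructed, and matching the built-in accounts by their default names is an assumption.

```python
import re

# Constructed sample data: trimmed `net user <name>` reports for four local
# accounts. The names John, Mary and Junior are hypothetical.
SAMPLE_REPORTS = [
    "User name                    Administrator\n"
    "Account active               Yes\n"
    "Password required            Yes\n"
    "Local Group Memberships      *Administrators\n",
    "User name                    Guest\n"
    "Account active               No\n"
    "Password required            No\n"
    "Local Group Memberships      *Guests\n",
    "User name                    John\n"
    "Account active               Yes\n"
    "Password required            Yes\n"
    "Local Group Memberships      *Administrators\n",
    "User name                    Junior\n"
    "Account active               Yes\n"
    "Password required            No\n"
    "Local Group Memberships      *Administrators       *Users\n",
]

# Accounts the household expects to hold administrator rights (assumption).
ALLOWED_ADMINS = ["John", "Mary"]


def parse_net_user(text):
    """Turn one `net user <name>` report into the fields this audit needs."""
    fields = {}
    for line in text.splitlines():
        # Label and value are separated by a run of two or more spaces.
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    groups = re.findall(r"\*([^*]+)", fields.get("local group memberships", ""))
    return {
        "name": fields.get("user name", ""),
        "active": fields.get("account active", "").lower() == "yes",
        "password_required": fields.get("password required", "").lower() == "yes",
        "groups": {g.strip().lower() for g in groups},
    }


def audit(reports, allowed_admins):
    """Return (account, issue) pairs for every enabled account with a problem."""
    allowed = {a.lower() for a in allowed_admins}
    findings = []
    for acct in map(parse_net_user, reports):
        if not acct["active"]:
            continue  # disabled accounts are out of scope for this check
        name, key = acct["name"], acct["name"].lower()
        if key == "guest":
            findings.append((name, "guest-enabled"))
        if key == "administrator":
            # Assumes the built-in account still has its default name.
            findings.append((name, "builtin-admin-enabled"))
        elif "administrators" in acct["groups"] and key not in allowed:
            findings.append((name, "unexpected-admin"))
        if not acct["password_required"]:
            # "Yes" here does not prove a password was actually set, so the
            # built-in Administrator still needs one set explicitly.
            findings.append((name, "blank-password-allowed"))
    return findings


if __name__ == "__main__":
    for account, issue in audit(SAMPLE_REPORTS, ALLOWED_ADMINS):
        print(f"{account}: {issue}")
```
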

    • #1281655

      Greetings John!

      I have a concern about why the Norton Internet Security was disabled. There is usually also Norton AntiVirus installed as part of that package. If this is the case in your situation, I would tend to suspect that she disabled the suite in order to install a Key Logger, which explains why she can possibly access your account to disable stuff.

      I would recommend installing Malwarebytes’ Anti-Malware app (free) to see if it can find and remove any such occurrence.

      • #1281660

        If you are using XP Home, one thing that most people are unaware of is that the password for Administrator is left blank by default when the first user is set up. Your child probably figured out how to get into Safe Mode, gave himself privileges or made the changes that he wanted, and then booted back into normal mode.

        • #1281667

          It should also be noted that every control described in earlier posts in this thread can be overcome. Even BIOS passwords to prevent CD/USB boot and Open DNS routing can be removed or overcome.

          Personally, I second what Dlira says: Talk to your children. Building walls around them simply pushes the problem underground (to a friend’s place, or onto a smartphone) and before you know it they are hiding potentially more serious stuff too.

          The bottom line is that if the child is suitably motivated then he/she will find a way…..and for me, that’s where “jaw jaw, not war war” comes in. Back that up with the full transparency advocated by Bluenose1912 and you have something that works even for teenagers.(!)

          It’s what we do with our children and it works: our middle daughter came to us last year almost in tears worried that she might be in trouble because she had seen something on an otherwise legitimate website that was beyond where our boundaries lay. She did not get into trouble, rather we praised her for her honesty and explained that it was not her fault that bad people posted bad stuff in a supposedly safe environment. It also gave us the opportunity to talk through some personal questions that she had bottled up. Everyone ended up a winner.

    • #1281671

      I highly recommend http://opendns.org for filtering your whole network. It’s best set up at the router (choose a strong password on your router!), and then it covers your wired network, and also any WiFi devices, such as iPod touch etc.

      • #1281697

        If you have a child who is sufficiently motivated to find ways around your security settings, they will find ways around your security settings.
        Talk to your kids, figure out what they’re doing, and help them understand how to be smart on-line. Teach them some life skills other than ‘NO’.

        On the technical side, nobody has yet mentioned using bootable linux disks; great way to bypass pretty much anything you set up.

        It is possible to lock PCs down and have total control over who gets to do what. Our work PCs are pretty close to military grade secure. Unfortunately (or fortunately) this level of security requires third party tools that are non-trivial to set up and maintain AND they require some level of active monitoring so you can see when/where breach attempts occur. They include controls that begin at the BIOS and go out to the web interface. Unless you are running a mil-grade network, you’re probably not going here.

    • #1281698

      I agree with the ‘they will find a way around’, but a router-level filter (such as http://opendns.org) has nothing to do with the PC, so a linux boot disk still has to get out to the internet, and opendns will block it then.
      They could use some other network, but if they are going to that length you’ve got bigger troubles.
      I still think opendns (or similar) should be set up on just about everyone’s router. It’s (probably) faster than your ISP’s DNS, it provides phishing protection, and you get to choose how much (or how little) filtering gets done. And it’s free.
      (I’m not affiliated with them, and don’t get paid for this!)
      Peter

      • #1281700

        Open DNS is an excellent service and well worth installing for its many benefits. However, to assume that it will protect your children is perhaps not seeing the bigger picture.

        Open DNS can be turned off. I’m not going to post how to do it here, but a very simple trick can remove Open DNS from a password protected router in less than 30 seconds.

        There are ways to work-around it too; many that do not disturb Open DNS settings and yet still allow access to the internet.

        Just to be 100% clear, I’m not saying don’t install Open DNS – it’s well worthwhile, but if you do, please don’t assume that’s the end of the story.

        If the child is motivated, they will find a way.

    • #1281876

      Double Ditto on the trust issues!
      The greatest motivator is the word “NO” & the computer equivalent is somebody else controlling what you can do!
      Both encourage the opposite of the desired behaviour :o: How would YOU react to being spied on & not trusted?
      Yes kids need boundaries & yes they will push those boundaries, didn’t we all?!?! 😉 But a child who is intelligent enough to defeat what you have set up is certainly intelligent enough to participate in a discussion of the issues involved.

      If you consider it necessary to exercise control without the restriction of someone physically being around, make sure your child understands WHY then get creative with the HOW. e.g. If it’s a ‘time online’ issue use a kitchen timer or loud alarm clock but don’t put it anywhere near the computer. A loud alarm going off in the bathroom alerts the whole household that someone’s computer time is up.

    • #1282282

      If you are using the XP Home operating system, the clue to what is going on is that she appears to be accessing the computer in Safe Mode. When XP is installed it creates a default Administrator account that cannot be deleted. The password for this default account is blank and can only be accessed in Safe Mode so as to assist if you ever need to run Recovery Console. So, she is probably accessing the computer through the default Administrator account in Safe Mode since there is no password. As others in this thread mentioned, you could put a password on that default Administrator account, but in XP Home that password can be defeated if you search for the instructions on the internet. XP Home is not a secure operating system, so if you seriously want to control the use of the computer, you will have to replace XP Home with XP Professional – or get Windows 7 if your computer meets the system requirements (http://windows.microsoft.com/en-US/windows7/products/home). I also agree with some of the other replies that suggest having a discussion with her about this situation. The fact that she is making such an effort to bypass your oversight is somewhat disturbing.
