Password protect PC

Guest

I have a password on the Office PC, for bootup, screensaver, etc via my user
account.

I just found out, that there's a website, www.loginrecovery.com, whereby one
downloads a program onto a floppy or CD.

You then insert this disk into the PC, boot it up and it copies the windows
encrypted file which contains all the info about all user accounts on that PC
and shuts it back down so no one is aware that someone tampered with this PC.

You then upload the info to that website and via email they send you back
within 2 business days all the user names, passwords. If you need it rush,
they'll send it back within 10 minutes for 10 Euros. (Looks like they're in
Europe.)

Is there any protection, software or hardware against such hackers?

I need this ASAP.

Thanks
 
mendi1mendi said:
I have a password on the Office PC, for bootup, screensaver, etc via my
user account.

I just found out, that there's a website, www.loginrecovery.com, whereby
one downloads a program onto a floppy or CD.

You then insert this disk into the PC, boot it up and it copies the
windows encrypted file which contains all the info about all user accounts
on that PC and shuts it back down so no one is aware that someone tampered
with this PC.

You then upload the info to that website and via email they send you back
within 2 business days all the user names, passwords. If you need it
rush, they'll send it back within 10 minutes for 10 Euros. (Looks like
they're in Europe.)

Is there any protection, software or hardware against such hackers?

Any computer running any operating system can be accessed by someone with 1)
physical access; 2) time; 3) skill; 4) tools. There are a few things you
can do to make it a bit harder though:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.
2. From the BIOS, change the boot order to hard drive first.
3. Set strong passwords on all accounts, including the built-in
Administrator account.
4. If you leave your own account logged in, use the Windows Key + L to lock
the computer (and/or set the screensaver/power saving) when you step away
from the computer and require a password to resume.
5. Make other users Limited accounts.
6. Keep your operating system and major applications patched.
7. Use the computer in a safe, secure, careful way if it is important to
keep the data on that machine uncompromised.

The really important part of the first paragraph is *access*. That is why
mission/security-critical servers are kept locked, in locked rooms, with
precise security as to who can access them.

Malke
 
Don't let people you don't trust have physical access to your computer.
Jim
 
You forgot number 8 and 9

8. Solder the battery to the battery retainer on the motherboard. This
prevents the BIOS from being cleared by the removal of the battery.

9. Break off the jumper pins used to clear the CMOS.

<grin> (-:

Actually, if someone with physical access wants in, he will get in.

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Yes, you need to use strong passwords and also disable storage of LM hash on
next password change. Try disabling storage of LM hash and then create three
user accounts. Use passwords of 10, 12, and 15 characters mixed with
uppercase, lowercase, numeric, and other characters seen on the keyboard. Now
submit again and let us know how they did. I would be extremely surprised if
they cracked all three passwords. Environments that can support smart card
logon would also mitigate such a problem for password cracking. Note that
what you describe has been available for a long time with freely available
password cracking tools and that anyone that has full physical access to
your computer, as Malke says also, can access all your unencrypted data
anyhow.

I could boot your computer from Bart's PE or such and copy your data files
or boot from my Ghost floppy and image your hard drive. So your best option
is to physically secure your computer to the needed degree or at least the
hard drive. There are removable trays for hard drives and you could take
yours with you or lock it in a safe when you are not around. Encryption of
sensitive data [such as EFS in XP Pro] is also a possible security procedure
though encryption has its own set of problems such as the legitimate user
being denied access to their own data if best practices are not used or a
false sense of security if the encryption keys are not safeguarded or
implemented correctly or complexities of sharing encrypted data. --- Steve
 
Oops. Here is the info on disabling storage of LM hash, and passwords longer
than 14 characters will not be able to have an LM hash in any event. Method
1 only works for XP Pro and the setting can be accessed in Local Security
Policy - secpol.msc --- Steve

http://support.microsoft.com/kb/299656/

Method 1: Implement the NoLMHash Policy by Using Group Policy
To disable the storage of LM hashes of a user's passwords in the local
computer's SAM database by using Local Group Policy (Windows XP or Windows
Server 2003) or in a Windows Server 2003 Active Directory environment by
using Group Policy in Active Directory (Windows Server 2003), follow these
steps:
1. In Group Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Local Policies, and then click
Security Options.
2. In the list of available policies, double-click Network security:
Do not store LAN Manager hash value on next password change.
3. Click Enabled, and then click OK.

Method 2: Implement the NoLMHash Policy by Editing the Registry

Windows XP and Windows Server 2003
Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
To add this DWORD value by using Registry Editor, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type NoLMHash, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 1, and then click OK.
7. Restart your computer, and then change your password.
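
The reasoning in the two posts above, as an added example that is not part of the thread or of the Microsoft article: a small Python model of how much exhaustive-search space protects a stored password with and without an LM hash, for the 10, 12 and 15 character lengths suggested. The function names, the printable-ASCII assumption and the sample passwords are constructed for illustration.

```python
import math

LM_MAX_LEN, LM_HALF = 14, 7     # LM pads/truncates to 14 chars, hashed as two 7-char halves
PRINTABLE = 95                  # assumption: passwords drawn from printable ASCII
LM_ALPHABET = PRINTABLE - 26    # LM uppercases first, so a-z collapse into A-Z


def lm_halves(password):
    """Return the two halves LM hashes independently, or None when the
    password is longer than 14 characters and no LM hash can be derived."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:LM_HALF], padded[LM_HALF:]


def exposure(password, no_lm_hash=False, changed_since_policy=True):
    """Estimate the search space, in bits, protecting a stored password.

    NoLMHash only stops new LM hashes from being written: an account keeps
    its old one until the password is changed (step 7 of the registry method).
    """
    policy_effective = no_lm_hash and changed_since_policy
    halves = None if policy_effective else lm_halves(password)
    if halves is None:
        # Only the NT hash is stored: full length, full character set.
        return {"lm_stored": False, "bits": len(password) * math.log2(PRINTABLE)}
    # Each half is searched on its own, so the costs add instead of multiplying.
    work = sum(LM_ALPHABET ** len(h.rstrip("\0")) for h in halves)
    return {"lm_stored": True, "bits": math.log2(work)}


def compare(passwords):
    """Rows of (length, LM stored by default, bits by default, bits with NoLMHash)."""
    rows = []
    for pw in passwords:
        before, after = exposure(pw), exposure(pw, no_lm_hash=True)
        rows.append((len(pw), before["lm_stored"],
                     round(before["bits"], 1), round(after["bits"], 1)))
    return rows


if __name__ == "__main__":
    # Constructed sample passwords of 10, 12 and 15 characters.
    for row in compare(["Tr4il-Mix!", "Tr4il-Mix!&9", "Tr4il-Mix!&9zQ#"]):
        print("len=%d lm_stored=%s bits_default=%s bits_nolmhash=%s" % row)
```

With an LM hash present, the 10 and 12 character passwords come out at about the same strength, because the longer half is capped at seven uppercase-folded characters; the 15 character password is unaffected by the policy because it never had an LM hash.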


 
And there's always the utility to blow away the administrator password, or any other user password.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

 
Of course there is but they will not help if the computer is physically
secured like I suggested and in many cases, when the opportunity presents
itself, an attacker will want the user's credentials such as to access EFS
encrypted files or to logon to the network to impersonate the user. ---
Steve


 