Are there known methods to bypass foolproof
Arminnius
June 5th, 2002, 03:10 AM
At school I am a computer technician and we may have a problem with a certain student bypassing our security. There are several methods which we are aware of; however, due to other circumstances and evidence we had to rule them out. What other methods are there of cracking/bypassing FoolProof? I am not asking how, only what methods can be used (i.e. startup disks etc.); I will look into it and see what may have happened. Also, over the summer we may be changing to another system, as FoolProof has been giving us compatibility problems. Any suggestions? DeepFreeze? :confused:
str34m3r
June 5th, 2002, 03:13 AM
Well, perhaps if I could understand your question a little better I could attempt to help. Slow down and try to ask your question in a more organized manner.
Edit: bypassing foolproof what?
Arminnius
June 5th, 2002, 04:07 AM
My apologies
At the lab we run the security program "FoolProof" (version 4, I think) by SmartStuff: http://www.smartstuff.com/fps/fpsinfo.html
The computers run Win 98 SE.
We believe a student was able to trash/crack FoolProof and then access the registry and cause chaos.
We had spyware in place to review later what was done; however, we were not able to return to Windows and were forced to format.
I am aware that a boot disk can be used to delete certain files, which prevents the program from running; however, the floppy drive on this particular computer was not working at the time (jammed with another broken floppy).
The same thing can be done with a CD if you change the settings in the BIOS.
Apparently (I have, however, not confirmed it) it is also possible to disable it from safe mode, but we have evidence that the student never went into safe mode.
I was wondering if there were any other such methods of either disabling or entirely trashing/cracking this program.
I hope this post is clearer, and again my apologies for the original mess.
ammo
June 5th, 2002, 04:20 AM
This might not be a satisfying answer for you, but here are my $0.02:
Win95, 98, Me have no security built in at all. It's VERY hard (I'd personally say impossible) to keep users from messing with the system. I haven't tried such security programs but I've heard good things about DeepFreeze (which ensures the system always boots like new but doesn't prevent users from doing stuff). The thing is, most security programs for Win9x can be screwed with through the registry (MS's poledit (security policies), for example, are only registry keys that tell Windows what to allow), but anyone can pretty easily modify the registry.
The ideal solution is to run NT4 or W2K with NTFS partitions and proper permissions set. NT4 and W2K can also have permissions set on registry keys (regedt32.exe). W2K with Active Directory is also quite cool with the group policies, which allow you to manage a whole domain at the domain controller...
Ammo
Snake_Byte
June 5th, 2002, 04:24 AM
Forget all of that. All you have to do is bring up the DOS prompt, cd to the FoolProof directory and delete it.
jaguar291
June 5th, 2002, 04:28 AM
My advice: get Win NT.
Jaguar291
Ratman2
June 5th, 2002, 04:51 AM
My .02
I know someone that is a special Ed teacher at a school in Florida (not gonna say where because the security over there is HORRID). In his classroom there are 3 boxes. One box is 95 (yes, 95), one is 98 and the other is 2K. He had suspected that the kiddies were screwing around, then one day after school started he caught one of them with a Napster client. Further investigation revealed that this student had had 40 MP3s on the HD. School security can be HORRID. GET 2000 OR XP PRO
Tedob1
June 5th, 2002, 04:52 AM
The best way to prevent things like that from happening again is for the school to expel this student permanently and bill his parents for damages, and press charges if they don't pay.
Guess you didn't back up anything, reg files?! Maybe?... Nothing!
I think you said you couldn't recover logs of the incident because you had to reformat... who in hell is in charge of your operation?
Nobody tried a boot disc to get these files? The reg doesn't affect that.
Your story's not holding a whole lot of water! Unless I'm just not understanding.
Ratman2
June 5th, 2002, 05:00 AM
Originally posted by Tedob1:
The best way to prevent things like that from happening again is for the school to expel this student permanently and bill his parents for damages, and press charges if they don't pay.
Guess you didn't back up anything, reg files?! Maybe?... Nothing!
I think you said you couldn't recover logs of the incident because you had to reformat... who in hell is in charge of your operation?
Nobody tried a boot disc to get these files? The reg doesn't affect that.
Your story's not holding a whole lot of water! Unless I'm just not understanding.
I find that most sysadmins that work in schools can be idiots (no offense to the thread starter). so they may have just reformatted off the cuff (which was a bit stupid IMHO). I've also had the pleasure of working with some good school sysadmins :D
PastyPyro
June 5th, 2002, 06:23 AM
Maybe you should use some form of Linux (that would keep the kiddies trying to get in busy for a while). Most know nothing but Windows. As for FoolProof, there are a couple of ways to remove it, and even get the password for it. A method for getting the password would be starting the computer up using selective startup (hold Shift while booting), installing a keylogger, and while you're at it screwing something up. Then restart the computer with FoolProof and the keylogger running. Pretty sure you can figure it out from there. Another method would just be deleting the SSS directory with DOS. FoolProof is a crappy excuse for security.
Terr
June 5th, 2002, 06:57 AM
Computer technician? I hope you aren't trying to pass yourself off as a teacher/fully-employed system administrator, because I find it hard to believe. Whatever the case...
The bottom line, DO NOT USE FOOLPROOF. I know from first hand experience that it is possible to grab the foolproof password from the computer's memory WHILE THE PROGRAM IS RUNNING. In other words, no matter WHAT you change the password to, a student who knows how can bypass the system. I know this because I was able to do it at my old school.
Excuse me if I don't outline the exact procedure here; I can't be sure you aren't some student just looking for a way to bypass FoolProof. But I would suggest checking out DeepFreeze as an alternative. I highly recommend it (again, with personal experience as a student trying to get past it).
You can check out more items in the Antionline Product Reviews forum.
Valor
June 5th, 2002, 09:21 AM
Yeah... FoolProof is anything but. There are so many different methods of bypassing it, it's less secure than Bill Clinton's pants.
If you've got a boot disk with edit.com on it, you're in. Hell, if you've got a boot disk, you're in.
You can get it from safe mode, deleting the directory, and whee. Now you say that you have evidence that he didn't get into safe mode, yet, no logs are available for any information on said intrusion. Hmm...
Is the Help button, under Start, enabled?
Run MS Word, and open up a shell session using the macro Shell Environ$("COMSPEC") (COMSPEC is the environment variable that holds the path to COMMAND.COM).
Can you open up a process viewing application?
You can rename any executable you want to .SCR, and Foolproof won't do anything about screensavers. The executable will then run.
Got an antivirus program? The user can right click the icon running, and go to the logs option, which will allow you to specify a new target folder - while in this mode, you can press F2 to rename anything, like the Foolproof folder.
What sort of network access do you have?
Sigh, if this kid was this much of a dumbass to make the machine unbootable, just press charges on him. And get DeepFreeze.
linux_student
June 5th, 2002, 09:43 AM
Arminnius,
The rest of the gentlemen are correct; it's child's play to get into a Win9x system, with its lack of ability to restrict user permissions. NT is substantially more difficult, but it can be done provided that you have boot access (there is a Linux floppy image available specifically for resetting NT passwords). Rule #1: BOOT ACCESS IS ROOT ACCESS!
LS
Arminnius
June 5th, 2002, 01:04 PM
Thank you very much
I was not there at the time; however, they did not format and then reinstall everything. They recopied the contents from a saved image on the server, which they seem to like doing rather often, as you get a fresh computer in 20 minutes. I am simply a student and am unpaid, simply working as a "computer technician" for experience, as the teacher realized I was not suited for the normal course. We will be changing to DeepFreeze this summer. I thank you for all this info; I will confirm it is possible to use it. Thanks a lot, and sorry for any false impressions I portrayed.
StressCrash
June 5th, 2002, 09:01 PM
Being a student, I think that I can offer a unique perspective on this situation. We have FoolProof installed on our computers in school; needless to say, it's garbage. I had the pass in under a week. Then they reinstalled it and it took me longer, but I got it. Here are the methods I employed:
1) Keylogger
2) Memory viewer (FoolProof stores the password in PLAINTEXT in the application's TSR space while running; all you have to do is run FP and search its memory for the string FOOLPRO, and the password will follow that string)
3) Win32Dasm and HIEW (when all else fails, change 1 number in the original assembly code of the program and it became my bitch. NOTE: this does not get you the pass, it simply gets you access)
As far as bypassing it goes, that is much easier: you can disable it at startup, or you can cut and paste the folder SSS and it will not work on the next startup.
Bottom line, it's not a bad security program... but it will only work as well as it's configured. Our school had a weak configuration on it, so I was able to beat it. But afterwards some other kids were trying to get it for malicious purposes and I took it upon myself to lock it down, and they never got it... and never will...
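The memory-viewer method above amounts to a marker search: find a known string in a process image and read the printable bytes after it. Here is that search written out as a small script. This is an added example, not code from the thread or from SmartStuff; the "FOOLPRO" marker and the password-follows-marker layout are exactly as StressCrash described them, and the memory image is constructed for the demo (a real run would read a dump file with Path(...).read_bytes() instead).

```python
"""Pull candidate plaintext secrets that directly follow a known marker
in a process memory image.  Added example; the dump below is constructed."""

import string

MARKER = b"FOOLPRO"
# Printable ASCII minus line/tab controls: a password is one such run.
PRINTABLE = set(string.printable.encode()) - set(b"\r\n\t\x0b\x0c")


def secrets_after_marker(mem: bytes, marker: bytes = MARKER,
                         max_len: int = 64, skip_nuls: int = 8) -> list[str]:
    """Return every run of printable bytes that directly follows `marker`.

    Up to `skip_nuls` NUL bytes between the marker and the run are tolerated
    (a C string terminator or alignment padding often sits there).  A run ends
    at the first non-printable byte or after `max_len` bytes.  All occurrences
    are returned: the marker may appear more than once (e.g. inside a product
    banner as well as next to the real secret), so the caller inspects the list.
    """
    hits = []
    pos = mem.find(marker)
    while pos != -1:
        start = pos + len(marker)
        skipped = 0
        while start < len(mem) and mem[start] == 0 and skipped < skip_nuls:
            start += 1
            skipped += 1
        end = start
        while end < len(mem) and end - start < max_len and mem[end] in PRINTABLE:
            end += 1
        candidate = mem[start:end].decode("ascii")
        if candidate:
            hits.append(candidate)
        pos = mem.find(marker, pos + 1)
    return hits


# Constructed stand-in for a memory dump: a product banner that also
# contains the marker, some padding, then the marker followed by a NUL
# and the (made-up) password.
SAMPLE_DUMP = (
    b"\x90" * 16
    + b"SmartStuff FOOLPROOF Security\x00"
    + b"\x00" * 8
    + b"FOOLPRO\x00hunter2\x00"
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for hit in secrets_after_marker(SAMPLE_DUMP):
        print(repr(hit))
```

The first hit ("OF Security") is the tail of the banner, which is why the function returns every occurrence rather than stopping at the first: on a real dump you discard the obvious false positives by eye. The same routine works for any program that keeps a secret next to a fixed label in memory, which is the underlying weakness rather than anything specific to this product.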
psychosquee
June 5th, 2002, 09:26 PM
My school has FoolProof as well, and of course it is easier than hell to either bypass it or get rid of it completely. We have Compaqs, so holding down a key while it is first booting will cause it to display an error and ask you if you want to boot in safe mode. Choose yes, move a .vxd file from the FP95 folder to the desktop, reboot, and have fun! http://www.holyzoo.com/media/Weeee.html
ZeroOne
June 5th, 2002, 10:01 PM
Many programs/admins also forget to block executing *.reg files. With those you can write anything to the registry.
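Because a .reg file is plain text that regedit imports wholesale, an admin who cannot block the file type can at least inspect what a given file would write. The parser below reads the REGEDIT4 / "Windows Registry Editor Version 5.00" format and flags every write or delete under a Policies key, which is where the Win9x/NT policy restrictions ZeroOne and ammo are talking about live. This is an added example, not code from the thread; the sample file is constructed, and while the Policies\System and Policies\Explorer key paths and the DisableRegistryTools / NoRun value names are real policy locations, the "Harmless" key is made up.

```python
"""Parse a .reg file and report writes that touch Windows policy keys.
Added example; SAMPLE_REG is constructed for the demo."""

import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_SECTION = re.compile(r"^\[(-?)(.+)\]$")          # [-HKEY...] deletes the key
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


def _logical_lines(text: str):
    """Yield lines with hex continuations ('...,\\' + newline) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line, buf = buf + line, ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def parse_reg(text: str) -> list[dict]:
    """Return one record per key section: {'key', 'delete', 'values': {name: raw}}.

    raw is the data exactly as written ("-" means the value is deleted)."""
    records, current = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line in HEADERS:
            continue
        m = _SECTION.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": {}}
            records.append(current)
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current["values"][name] = m.group(3)
            continue
        raise ValueError(f"unrecognised .reg line: {line!r}")
    return records


def policy_writes(records: list[dict]) -> list[tuple]:
    """Return (key, value_name, raw) for every write under a ...\\Policies\\... key.

    A whole-key delete is reported with value_name None and raw "-"."""
    hits = []
    for rec in records:
        if "\\policies\\" not in (rec["key"] + "\\").lower():
            continue
        if rec["delete"]:
            hits.append((rec["key"], None, "-"))
        for name, raw in rec["values"].items():
            hits.append((rec["key"], name, raw))
    return hits


# Constructed sample: re-enables regedit, removes the "no Run" restriction,
# and makes one unrelated write.
SAMPLE_REG = """REGEDIT4

; turn the registry tools back on and allow Start > Run again
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoRun"=-

[HKEY_CURRENT_USER\\Software\\Example\\Harmless]
"Colour"="blue"
"""

if __name__ == "__main__":
    for key, name, raw in policy_writes(parse_reg(SAMPLE_REG)):
        print(f"{key}  {name}={raw}")
```

The check is deliberately path-based rather than a list of known value names, since policy keys gain new values with every Windows release; anything under Policies is worth a look. The same parser can drive a pre-import gate on a server share, or a scan of a student's home directory for .reg files that were never supposed to be there.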
burn_the_book
June 5th, 2002, 11:41 PM
Alright, if you want a list of bypass methods, go to jayb.net or blacksun.box.sk; they both have articles on the topic. I am a student, and at my middle school they used FoolProof. Listen: you will never secure a Windows computer with FoolProof or any other program. Actually, you never will, period. There are hundreds of ways of messing up a Windows box, so don't try with FP. Now, if you want to have good security, I recommend what my current (high) school does: have one server with all of the apps on it (I think they use Novell as the client) and have all of the computers completely disabled from Windows and just access those progs. Even this is not secure, as I have bypassed it, but you need to know how to program and know a lot about Windows' internals. Usually if someone is good enough to not just download something and make a boot disk, they'll be more concerned with the challenge than trashing your boxes. So, anyway, don't use a security prog, as it will just make them want to hack more, and supervision is the key; don't assume there is some miracle program/method.
BTW, Linux is a good idea, and so is auto-format after shutdown and then auto-restore. I don't know how this is done, but I have heard of some colleges doing it. Also, recruit a student hacker to help you.
roswell1329
June 19th, 2002, 04:54 PM
Win95, 98, Me, have no security builtin at all. It's VERY hard (I'd personnaly say impossible) to keep users from messing with the system.
ammo -- That may not be entirely true, although it's definitely true of the default install. If you use a smart combination of Windows 95/98 MS policies/profiles along with utilizing the BIOS password, you can lock a terminal down to nothing but a blank desktop with a disabled Start Menu (this would be completely impractical, but you can see the potential of policies and profiles). You can disable the Start Menu, My Computer icon, everything, and without access to the boot process (using the BIOS password), you can also block the use of a boot disk to bypass the Windows startup. This extreme scenario would require monitoring each boot process for each terminal and would require physical locks on the hardware casing to prevent the BIOS from being reset, but for good security this may be necessary.
The biggest problem I've had with policies/profiles is that there isn't a whole lot of documentation on the most effective use of these tools and how to implement them wisely.
ammo
June 19th, 2002, 06:13 PM
That's why I was saying so. The effort would have to be so great, and the chances of forgetting any stupid little detail... And besides, how useful is a blank desktop with a disabled start menu?
Security basis are often stated on these 3 points:
Confidentiality, Integrity and Availability ( easy acronym to remember ;)
Perfect "security" in terms of confidentiality and integrity would be to pull the plug on the box.
But you have availability to consider... (availability also means invulnerability to DoS attacks)
Ammo
"The perfect firewall is a pair of scissors... and perhaps a pair of rubber gloves to cut that power cord ;)"
roswell1329
June 19th, 2002, 07:16 PM
I only have limited knowledge about policies, but the blank desktop was merely an example. From what I've been able to deduce, policies and profiles together have the ability to assign very specific controls based on username -- even down to the objects on the desktop. For a guest account, however, I would only recommend a few access points.
ammo
June 19th, 2002, 09:31 PM
The problem with policies is that it's not a security subsystem like that of NT or W2k...
It lies higher in the system and can thus be technically/theoretically circumvented.
Policies only limit what the UI offers to the user... They don't control access to resources (memory space, disk access, registry access...).
Example:
As said before, policies can be modified on the fly by modifying the appropriate registry keys. To avoid that, you remove regedit.exe from the list of allowed programs in the policies.
Workaround: some kid either (a) renames regedit.exe to an allowed program like mspaint.exe or (b) makes a little piece of code in VB modify the keys...
Result: policies were circumvented, "security" breached...
Policies are good, but can't be trusted by themselves for security. You need to combine that with NTFS and registry permissions (NT/w2k)...
Ammo
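Both ammo's "rename regedit.exe to mspaint.exe" and Valor's "rename any executable to .SCR" work for the same reason: the allow-list decides by file name or extension, and a rename costs the attacker nothing. The script below builds a throwaway lab directory and compares that name-based decision with one keyed on the file's SHA-256, so the renamed copies pass the first check and fail the second. This is an added example, not code from the thread or from any policy tool; the allowed-name list, the "system" and "student" directory layout and the stand-in file contents are all made up for the demo (the files are a few bytes, not real executables).

```python
"""Name/extension allow-listing versus content (hash) allow-listing under
rename.  Added example; the lab directory and its files are constructed."""

import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical policy: only these names may run, plus anything ending in .scr
# (Valor's point: screensavers are not checked at all).
ALLOWED_NAMES = {"mspaint.exe", "winword.exe"}


def allowed_by_name(path: Path) -> bool:
    """The weak check: trusts whatever the file is called."""
    return path.name.lower() in ALLOWED_NAMES or path.suffix.lower() == ".scr"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_hash(path: Path, allowed_hashes: set[str]) -> bool:
    """The stronger check: trusts only known file contents, whatever the name."""
    return sha256_of(path) in allowed_hashes


def build_lab(root: Path) -> None:
    """Create the constructed lab: a real allowed tool, the restricted tool,
    and two renamed copies of the restricted tool in a student directory."""
    system, student = root / "system", root / "student"
    system.mkdir()
    student.mkdir()
    (system / "mspaint.exe").write_bytes(b"MZ stand-in: paint program")
    (system / "regedit.exe").write_bytes(b"MZ stand-in: registry editor")
    shutil.copy(system / "regedit.exe", student / "mspaint.exe")   # ammo's rename
    shutil.copy(system / "regedit.exe", student / "regedit.scr")   # Valor's .scr trick


def evaluate(root: Path) -> dict[str, tuple[bool, bool]]:
    """Return {relative path: (allowed_by_name, allowed_by_hash)} for every file."""
    allowed_hashes = {sha256_of(root / "system" / name) for name in ALLOWED_NAMES
                      if (root / "system" / name).exists()}
    return {
        p.relative_to(root).as_posix(): (allowed_by_name(p), allowed_by_hash(p, allowed_hashes))
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def demo() -> dict[str, tuple[bool, bool]]:
    """Build the lab in a temp dir, evaluate both checks, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_lab(root)
        return evaluate(root)


if __name__ == "__main__":
    for rel, (by_name, by_hash) in demo().items():
        print(f"{rel:22} name-allow={by_name!s:5} hash-allow={by_hash}")
```

The hash check is what NT-era and later mechanisms (and the NTFS permissions ammo recommends, which bind to the object rather than its name) get you that Win9x policies cannot: the student can call the file anything, but cannot make its contents match an approved binary. The cost is that every legitimate update changes the hash, so the allow-list has to be maintained alongside the software image.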
roswell1329
June 19th, 2002, 10:26 PM
Isn't that the point of policies, though? To limit access to vital areas like the DOS shell? This, in combination with the BIOS boot password (making it impossible to boot off a floppy without either knowing the password or cracking open the case to reset the BIOS -- you could also remove the floppy drive from the boot order completely through the BIOS), and you should be able to force the user into the GUI where the objects can be manipulated, restricted, or removed. There wouldn't be access to the shell at all. In such a restricted environment, access to the registry would be near impossible, and renaming files such as regedit.exe would be extremely difficult if there is no way to get to that file (ie, restricted My Computer object and no DOS access). For a bunch of students, I would think this would be an appropriate solution.
I've seen this solution used by many public institutions for their terminals available to the public. Libraries and such often provide only a desktop with a non-modifiable shortcut to the A: drive and perhaps a shortcut to Internet Explorer, and maybe the printer. They then can lock off access to the harddrives except for one folder -- the desktop. You can save information to the desktop or the A: drive, and that's it. You can even deny the ability to save at all.
8*B@LL
June 20th, 2002, 07:45 AM
Originally posted by roswell1329:
Isn't that the point of policies, though? To limit access to vital areas like the DOS shell? This, in combination with the BIOS boot password (making it impossible to boot off a floppy without either knowing the password or cracking open the case to reset the BIOS -- you could also remove the floppy drive from the boot order completely through the BIOS), and you should be able to force the user into the GUI where the objects can be manipulated, restricted, or removed.
Well, just to provide a bit of counter-point: to get a BIOS password one could use a hardware keylogger (yes, they actually exist: they look like a small patch cord for the keyboard and have enough memory on board to hold quite a few keystrokes, if they work as advertised (something I can't attest to)). From there the entire security scheme is broken.
For a bunch of students, I would think this would be an appropriate solution.
You would be surprised at the lengths "a bunch of students" will go to to impress their geek friends (believe me, I know from experience).
I've seen this solution used by many public institutions for their terminals available to the public. Libraries and such often provide only a desktop with a non-modifiable shortcut to the A: drive and perhaps a shortcut to Internet Explorer, and maybe the printer. They then can lock off access to the harddrives except for one folder -- the desktop. You can save information to the desktop or the A: drive, and that's it. You can even deny the ability to save at all.
Well, I agree that techniques similar to this are often used, but most of the time they can be broken fairly quickly by a dedicated individual.
roswell1329
June 20th, 2002, 04:23 PM
Well, just to provide a bit of counter-point: to get a BIOS password one could use a hardware keylogger (yes, they actually exist: they look like a small patch cord for the keyboard and have enough memory on board to hold quite a few keystrokes, if they work as advertised (something I can't attest to)). From there the entire security scheme is broken.
Yeah, I knew about those. In fact ThinkGeek has one: http://www.thinkgeek.com/stuff/gadgets/5a05.shtml
However, once the BIOS password is captured, almost any Windows 9x security is lost because of the ability to boot off a floppy. Even Windows NT/2K/XP is vulnerable to password modification through the floppy drive. :bigsmile:
In this case, it appears that the main goal of security is to provide a system of protection that is just beyond what the system/data is worth to protect, to keep out only those most dedicated to messing things up. (Let's hope someone would notice someone installing a keygrabber.) If you go balls-to-the-wall with security, you limit the convenience of the users and the costs of implementation and maintenance go up. If this school was maintaining national security secrets on their systems, I would recommend they speak with the NSA, but since we're talking about school computers I wanted to keep it simple. Profiles and policies are built in to Windows, so their cost is minimal, and they provide a fairly robust alternative to FoolProof, which apparently isn't working. No sense getting another high-profile commercial product (whose exploits are usually publicly available about 30 minutes after the product hits the shelves) that will eventually be defeated anyway.