Window Xp Admin account

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    1

    Window Xp Admin account

    hello,
    I am a new admin in a small library, all users used limited accounts. But I am not sure if they know my pass or not. How do I know if somebody has used my pass and logged in and done some stuff on the computer? Thank you.

  2. #2
    I'd rather be fishing DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: Window Xp Admin account

    Originally posted here by VoDanhLangTu
    hello,
    I am a new admin in a small library, all users used limited accounts. But I am not sure if they know my pass or not. How do I know if somebody has used my pass and logged in and done some stuff on the computer? Thank you.
    1) If you think someone has used your admin account, change the password!

    2) Check all user accounts to ensure they are set-up as normal users not part of the administrator group.

    3) Search google for some trojan scanning software, install it and run it to check for trojans and keyloggers.


    Cheers:
    DjM

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    Um, change your password and see who complains.
    Install a keylogger and look at what is getting typed into your machine on the admin account when you are not there.
    Have you ever noticed work is like a tree full of monkeys? You look down and all you see is monkeys below you, then you look up and all you see is a bunch of *******s above.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    You should turn on auditing for account logins. Then you can easily see in the security log, who logged in when.

    I would not install a key-logger unless you know for a fact that you can legally do so. It would not be legal to install a key-logger on a library computer in the US without giving the user specific notice that you were doing such. Whether it is a public/corporate/school library changes the law dramatically.

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I'm guessing that changing the password is your best bet. Also make sure you have a password set for the admin account that you access through safe mode, because if they get to that you may as well not have a password on any account. Also, if you wanna go see if anything major was changed, just go look; you're the admin, you can do that kinda stuff, lol. Oh well, gl
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    "You should turn on auditing for account logins."
    Absolutely correct.

    One other thing I would do is add a third party syslogd service so that you can correlate all the logins on a single box.

    Here is my favorite free syslogger for Windoze:
    http://www.kiwisyslog.com

    "would not install a key-logger unless you know for a fact that you can legally do so."
    Again, absolutely correct. Do not even *think* about doing this in a library. You will be sued faster than Grant went through Richmond (anyone doin their history homework out there?)

    Seriously though, we just went through a similar exercise with censorship at a library that we service. Bottom line: Public facility = zero unannounced monitoring.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    (Depending on your setup these may need to be made in the domain controller and domain security policies as well.)

    1. Disconnect the system hosting the admin account (I assume the PDC) from the network.

    2. Review active directory users and groups > builtin > administrators > properties > members.

    3. Auditing, at least: group policy > computer configuration > windows settings > security settings > local policies > audit policy

    Audit account logon events: success, failure
    Audit account management: success, failure
    Audit policy change: success, failure

    4. key stroke recording:
    group policy > computer configuration > windows settings > security settings > local policies > security options >

    Message title for users attempting to log on: Notice:
    Message text for users attempting to log on: Some legal message that suits your exact needs but should cover that you are making use of all auditing techniques available to you, including but not limited to keystroke recording. Also discuss that the logs from the audits may not only be turned over to any law enforcement agency you see fit in the event of a compromise but also the log data may be reviewed by library personnel during routine system upkeep.

    5. change the admin password

    6. logon to each client system with the new admin account (this is only needed if clients have logon cache enabled)

    there are more extensive guides available from places like cert:

    http://www.cert.org/tech_tips/win-UN...ompromise.html

    which include things like reviewing for trojans and what not, you may wish to take that route, but if you just feel that someone has the admin password the 6 steps I gave you should be comprehensive enough to fix the problem and track down the culprit as well as prevent future such issues.

    best of luck,

    catch

    Edited:
    I just noticed that you are in hong kong, the legal notice about key logging may not be needed.
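
The logon auditing recommended in posts #4 and #7 only answers "who logged in when" if someone reviews the Security log afterwards. The script below is an added example, not part of any post in this thread: it reviews a constructed CSV export of that log and flags Administrator logons worth a closer look. The column names, workstation names and staffed hours are assumptions; 528, 529 and 540 are the Windows XP/2003 logon event IDs, which are recorded when the "Audit logon events" policy is enabled.

```python
import csv, io
from datetime import datetime

# Windows XP / Server 2003 Security-log event IDs (pre-Vista numbering).
LOGON_OK = {"528", "540"}   # 528 = successful logon, 540 = successful network logon
LOGON_FAIL = {"529"}        # 529 = logon failure: unknown user name or bad password

# Constructed sample: a Security log exported to CSV; column names are assumed.
SAMPLE = """time,event_id,user,logon_type,workstation
2003-09-22 09:05:11,528,Administrator,2,FRONTDESK
2003-09-22 13:40:02,528,patron1,2,PUBLIC-03
2003-09-22 19:12:45,529,Administrator,2,PUBLIC-03
2003-09-22 19:12:58,529,Administrator,2,PUBLIC-03
2003-09-22 19:13:20,528,Administrator,2,PUBLIC-03
2003-09-23 10:15:00,540,Administrator,3,PUBLIC-01
"""

def review_admin_logons(text, admin="Administrator", own_pc="FRONTDESK", hours=(9, 18)):
    """Return (time, workstation, reasons) for each admin logon that needs a look."""
    findings, recent_failures = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["user"].lower() != admin.lower():
            continue
        ws = row["workstation"].upper()
        if row["event_id"] in LOGON_FAIL:
            # Count bad-password attempts per workstation until the next success.
            recent_failures[ws] = recent_failures.get(ws, 0) + 1
            continue
        if row["event_id"] not in LOGON_OK:
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if ws != own_pc.upper():
            reasons.append("not the admin's own workstation")
        if not hours[0] <= when.hour < hours[1]:
            reasons.append("outside staffed hours")
        if recent_failures.pop(ws, 0) >= 2:
            reasons.append("preceded by repeated failures")
        if reasons:
            findings.append((row["time"], ws, reasons))
    return findings

if __name__ == "__main__":
    for time, ws, reasons in review_admin_logons(SAMPLE):
        print(f"{time}  {ws:<10} {'; '.join(reasons)}")
```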

  8. #8
    Senior Member VicE$DoS$
    Join Date
    Nov 2002
    Posts
    209
    Hi VoDanhLangTu?? and AO'ers,

    I've just come back from a week in Portugal, excuse the tan.

    On a slightly even more non technical note;

    I recently did a project for a library here in England, amongst the various broken things we had to fix (everything from the trust between two domains to a dodgy scanner) I discovered that someone was using the Admin password to get free internet access.

    In order to get a vague idea I enabled a keylogging feature in one of the Computer Associates products they already use (think it was CA's eTrust Intrusion Detection) which they were only using as a URL filter incidentally. In order to get round the whole privacy / legal issues we re-printed the 'acceptable use policy' notice and put it back on the notice board where it's always been. Deliberately making it as plain and boring looking as possible. Size ten font, black and white. The person doing this really l337 hax0r1ng obviously being a regular user didn't bother to check the notice board and just signed into the book as usual. BANG! Caught and banned from the library forever. LMAO all week.

    I think the US privacy laws are better enforced and far stricter than anything in the UK yet, but it might just work. I know it's not necessarily the moral thing to do in a situation like this but my view is if the guy's a thief then screw him, the little bitch shouldn't have rights anyway.

    Cheer$
    Vice$Dos$
    I remember when Nihil was ickle. Does that mean I'm old?

  9. #9
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi, you have had some very good advice which I would go along with.

    You sound as if you have had a total security failure, though? If they had the admin password, they could have done all sorts of things?

    The text book answer is to delete the lot, re-format and re-install. I imagine that this is not an option, so we shall have to "fight them in the jungle" so to speak.

    They may have installed back door or RAT programs, so you really need to do a Google search for AdAware6.0 and SpyBot Search & Destroy. Download, install and update these and run them. If they see a "bad guy" let them kill it.

    You might also get the 30 day trial of "Pest Patrol" and run that

    You MUST have an up to date anti virus application, that you also must run.

    Good Luck
