Avoid Administrator password hacking ????



serge calderara
07-09-2005, 10:55 PM
Dear all,

We are deploying to our worldwide customers a set of applications which is
installed on a standard industrial PC (we deliver the same PC to all
our customers).

The system needs to be stable and fully functional 24h/day.
For that we have issued a deployment security policy which is as follows:
- Administrator user has been renamed to something else
- our customers can update any program on the system
- our customers cannot install any Windows update
- our customers cannot connect the PC to their company Domain Controller
- Administrator password is known only by us for maintenance purposes

With these rules in place, we have a really stable and fully tested known
environment.
This is to avoid the library conflicts every developer is faced with each time.

Unfortunately, we have some customers who managed to hack the administrator
password either by knowing it or by resetting it.

As far as I know, tools that can be found on the internet can just reset the
password, or are there some which are able to show passwords in clear text?

If this occurs, which procedure can I put in place in order to block my
application if the administrator password is changed?

Thanks for helping me to solve that issue.
Regards,
serge

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
07-09-2005, 10:55 PM
Physical access to a box means that you can easily reset the password.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

A contract with your client saying 'you void the warranty if you reset
the password'.

However... "no updates?" Sir... I'd be having you sign a contract
saying within a reasonable amount of time..say a day or so...that you'd
be patching that box. There's no way I'd let a vendor of mine determine
my patch status.


--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx

S. Pidgorny
07-09-2005, 10:55 PM
G'day,

For certain applications - like ATM code - the connectivity that is required to
pull the patches creates more exposure than just opening the (usually) single
port that is required for the functionality. I was working on a
configuration for one of those and our baseline was a system with 0 ports
listening; it's located in an alarmed steel safe and therefore physical
security is taken care of.

And I love NTpassword. It now lives on my MP3 player - a short doco on how to
do the config is found here:

http://sl.mvps.org/docs/PasswordResetUSBDrive.htm

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


serge calderara
07-09-2005, 10:55 PM
Hi,

First of all, the fact of not allowing my customers to update anything is
simply linked to the simple developer situation that always occurs when a new
version arrives: DLL Hell. And the only way to secure a standard system is
to fix it with a particular version of files.

Now going back to my main issue, I do not want to get a tool that resets the admin
password, I need to know how I can prevent it from being reset with those tools.

serge


Roger Abell
07-09-2005, 10:55 PM
First, I must ask, when you initially posted the list with
- our customers can update any program on the system
that was a mistake, right?
You did mean to say they cannot update any program.

As both Susan and Slav indicate, physical access to the
machine is everything. If they can shut down and boot the
machine, then they can zap the password.

You could certainly booby-trap your application, such as
by having it read the hash of the pwd as stored in the
Security area of the registry, and if it has changed from
the expected value then just not run, or shut down the
system, or whatever.

However, I am with Susan. I would not let your machine
live on my network, not under those conditions. If a device
is going to be able to have an internal network connection
then it must meet minimal standards, including patch state
and ability to perform full inspection of its health, config,
etc.. which means full administrative access is available.

What you may need to do is rethink your application.
There have been many claims that Dll Hell is a thing of
the past, claims made for the initial introduction of COM
and its binary contract, etc., and claims now made for
.Net Framework v2 applications. In fact, if you look at
the ClickOnce install wrappering in NetFx v2 this may
actually become a reality this time (although with the
potential for much disk storage use bloat for admins to
worry over).
Other things that might be better in your case are use of
a version of Windows Embedded, or a CE based device,
instead of a general purpose machine.

Your terms and conditions are going to limit you
in your marketing efforts.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
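Roger's "booby-trap" idea, read as a startup integrity check, generalises to the following: snapshot a set of security-relevant artifacts at install time, seal the expected digests, and at startup refuse to run when any artifact (or the sealed record itself) differs. The block below is an added illustration written for this page, not code from any poster or product; every artifact name and value in it is constructed, and the sealing key is embedded in the application, which is exactly the weakness the thread points out: anyone with physical or administrative access can extract the key or patch the check, so this is tamper evidence, not a defence.

```python
import hashlib
import hmac
import json

# Constructed sample of the security-relevant state the application would
# snapshot at install time. On a deployed PC these would be read from the
# system (the stored credential material Roger refers to, protected DLL
# versions, policy settings); the values here are placeholders, not real hashes.
BASELINE_STATE = {
    "account/maintenance-admin/credential": b"PLACEHOLDER-CREDENTIAL-HASH-AT-INSTALL",
    "dll/libcable.dll/version": b"3.2.0.17",
    "policy/windows-update": b"disabled",
}

# Assumption: the key the application uses to seal and verify the record.
# Embedded in the application, so an administrator can recover it.
SEALING_KEY = b"constructed-sealing-key"


def digest_artifacts(state):
    """Per-artifact SHA-256 digests keyed by artifact name, so a mismatch
    can be reported per artifact rather than as one opaque hash."""
    return {name: hashlib.sha256(value).hexdigest() for name, value in state.items()}


def seal_baseline(state, sealing_key):
    """Build the expected-value record the application ships with.

    The digests are HMAC-tagged so that an edit to the record itself is
    detected, not only a change to the artifacts it describes.
    """
    digests = digest_artifacts(state)
    payload = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(sealing_key, payload, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_baseline(record, current_state, sealing_key):
    """Return (ok, changed_artifacts).

    ok is False when the record's tag does not verify (record tampered) or
    when any artifact is missing, added or different from the baseline.
    """
    payload = json.dumps(record["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(sealing_key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, the standard way to compare authentication tags.
    if not hmac.compare_digest(expected_tag, record["tag"]):
        return False, ["<baseline record>"]
    current = digest_artifacts(current_state)
    changed = sorted(
        name
        for name in set(record["digests"]) | set(current)
        if record["digests"].get(name) != current.get(name)
    )
    return (not changed), changed


def startup_decision(record, current_state, sealing_key):
    """What the application does at launch: run, or refuse and say why."""
    ok, changed = verify_baseline(record, current_state, sealing_key)
    return "run" if ok else "refuse: " + ", ".join(changed)


if __name__ == "__main__":
    record = seal_baseline(BASELINE_STATE, SEALING_KEY)
    print(startup_decision(record, BASELINE_STATE, SEALING_KEY))
    # Constructed scenario: the maintenance account's credential was reset.
    after_reset = dict(BASELINE_STATE)
    after_reset["account/maintenance-admin/credential"] = b"RESET-BY-CUSTOMER"
    print(startup_decision(record, after_reset, SEALING_KEY))
```

The per-artifact report is what makes the check useful operationally: a refusal that names the changed artifact can be logged for the vendor's support process, whereas a bare "hash mismatch" cannot distinguish a reset password from a replaced DLL. Whoever controls the machine can still patch the check out, which is the point Roger, Susan and Robert make.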

Robert Moir
07-09-2005, 10:55 PM
serge calderara wrote:
> Hi,
>
> First of all, the fact of not allowing my customers to update anything
> is simply linked to the simple developer situation that always
> occurs when a new version arrives: DLL Hell. And the only way to
> secure a standard system is to fix it with a particular version of
> files.
>
> Now going back to my main issue, I do not want to get a tool that resets the
> admin password, I need to know how I can prevent it from being reset
> with those tools.

You can't, or rather you might be able to block the odd thing here and there,
but you're essentially entering an arms race that you will not win. If I can
touch the machine physically, and I'm determined to get in, I own the
machine. End of story.


--
Rob Moir
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.

serge calderara
07-09-2005, 10:55 PM
Our terms and conditions, in the way we have set up our system, do not prevent
at all the fact of selling them. But only a few customers are hackers and we
get so much trouble afterwards.

I understand your point when you say that you will not implement my system
on your network. But I have to tell you that our industry is really
different from a PC you place on a network. We need to be sure at 99% that
the system will be stable and reliable as our customers are running and
producing cable with it 24h/day.
In terms of money, you cannot imagine how expensive a single meter of
cable of their production is, so if the PC becomes the bottleneck due to a
corrupted updated driver or a badly installed service pack or antivirus
software... then we will have to pay for that.



John
07-09-2005, 10:56 PM
Robert Moir wrote:

> If I can
> touch the machine physically, and I'm determined to get in, I own the
> machine. End of story.

Wrong. That's why full disk encryption products are becoming so popular
these days. See alt.security.scramdisk for discussions about such products.


Regards,
John

Matt Gibson
07-09-2005, 10:56 PM
"John" <john.veldhuisSTOPSPAM@universal.nl> wrote in message
news:42cb8439$0$935$6c56d894@diablo.nl.easynet.net...
> Robert Moir wrote:
>
>> If I can
>> touch the machine physically, and I'm determined to get in, I own the
>> machine. End of story.
>
> Wrong. That's why full disk encryption products are becoming so popular
> these days. See alt.security.scramdisk for discussions about such
> products.

Not wrong.

I sneak into the building one night, put a hardware keylogger on the
keyboard, then sneak out.

Next evening, I come in, and access the hardware keylogger, and I've now got
the password for the disc encryption.

Physical Access trumps all.

Matt Gibson - GSEC

Robert Moir
07-09-2005, 10:56 PM
John wrote:
> Robert Moir wrote:
>
>> If I can
>> touch the machine physically, and I'm determined to get in, I own the
>> machine. End of story.
>
> Wrong. That's why full disk encryption products are becoming so
> popular these days. See alt.security.scramdisk for discussions about
> such products.

Ok so you're making me work a little harder. Big deal.

Shenan Stanley
07-09-2005, 10:56 PM
Robert Moir wrote:
> If I can touch the machine physically, and I'm determined to get in, I own
> the machine. End of story.

John wrote:
> Wrong. That's why full disk encryption products are becoming so
> popular these days. See alt.security.scramdisk for discussions about
> such products.

Physical Access+Time = Owned when it comes to a computer, encrypted or not.

Hardware keyloggers, decryption techniques, a password hacker to gain the
password of the user from the computer (then I can log in as them and open
the encrypted files at will), Ghost the entire machine and apply it to the
same hardware, etc. I can gain time and make it happen in so many ways -
if I am given physical access.

Not to mention that although you say encryption products are "popular" -
that is not the way I am seeing it. They may be popular among
technologically minded individuals - but the normal person who has a job
where their data should be secure (usually the really intelligent people in
research and development) see it as troublesome. They don't even believe in
backups most of the time. It's almost laughable - in a scary way.

Physical Access+Time = Owned.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Steven L Umbach
07-09-2005, 10:56 PM
While I agree with almost everything about what an attacker can do with a
computer that they have physical access to, decrypting encrypted files may
not be possible even if the user's password is obtained. Such could be the
case with files encrypted via EFS on XP Pro where the user has exported and
deleted their private key, ideally using something like cipher /w
afterwards. Getting users to do such reliably is another matter
however. --- Steve


