Windows account passwords

For a joke one of my coworkers deleted the password from my Windows account on my PC to get in and mess with it while I was out of the office. I let it go as I doubt he understood the seriousness of his actions but as his supervisor and the system admin I advised he never do it again. I was aware such a thing was possible and suspected he was the only one on the office smart enough to pull it off but didn't suspect it was anything that anybody would actually try in the office. Short of logging into a domain account and disabling all local accounts, is there anything I can do that will make this impossible?

 

How did he manage to do that?

 

There are boot disks that will delete the passwords. This can be done on Macs as well.

 

Okay, I see. You might try disable booting off the optical drive in the BIOS, then passwording it, if you can.

 

That would still leave USB boot which would be just as easy. Might be possible to disable them both and password it. I would assume full disk encryption would solve my problem as well.

 

Right, the USB is another avenue of attack. If you can at least move it below the system drive in the boot order, I wonder if that would work, if disabling it won't? Disk encryption might be the way to go, especially if your hardware supports it.

 

This is simple.

1) Password the BIOS (No one is going to bypass a BIOS for a prank)
2) Encryption
3) Disable booting from media other than the hard drive

 

I'm surprised you didn't sack him ?

 

I've taken a quick look and so far as I can see on my m/board passwording the BIOS does not help. I can still hit F8 to bring up a boot menu and choose the optical drive to boot from.

I also tried disabling the optical drive in the BIOS, but I can still select it from the F8 boot menu and boot from it. I see no way of disabling the F8 boot menu either. Maybe on newer m/boards (mine's a 2006 ASUS for AMD 4400+ CPU) it's possible?

 

It could be specific to your BIOS.

If in your BIOS you have it set to boot to your HDD first and you also disable booting from other media (separate options) you should not be able to do so. That's how it is on my machine. To change those settings would require getting into the BIOS.

 

It's an AMI BIOS. I agree it should be possible to disable booting form other media, except I could find a way when I checked in the BIOS settings. I'll have another look tonight.

 

Tempted. I was going to write him up and give a him a couple of days off but then I calmed down. If it ever happens again that will be the least of it. I think full disk encryption is my only reliable option here. But that complicates my backups. If I have to backup an entire encrypted volume I will need more storage.

 

Good thing you weren't using EFS, otherwise you might have lost access to all of the encrypted files stored under that username. Funny prank! Whoops, lost job.

 

It's also possible to "mess with" a TrueCrypt-encrypted system partition or system disk. Track 0 remains unencrypted and can be modified to run a pw-capture utility or various other unwanted actions, and of course there are always hardware keyloggers to consider. If I were one of your co-workers and I wanted to mess with your fully-encrypted system I wouldn't trust me any farther than I could throw me.

 

Have you made it official, as in 'It's been noted and now know at HR'?
I mean, there is no way that this guy can say in a year 'I've never done such thing!'?
I'd give an official warning and make him sign an 'official report' on this.
It all depends on size and culture of the company and his position of course but be sure to cover your own behind...

 

He's young and a good employee and he think he really didn't understand the seriousness of his actions. He did it to change the wallpaper on my screen for a joke. It's not ok but I believe he knows that now. I really don't think it will ever happen again. I'm more concerned with the possibility of the machines allowing it than the likelihood of him doing it in the future.

 

Hi,

Could you as suggested above go into Bios,

1st Boot Option HDD
2nd Disable Optical Drive
3rd Lock your USB witha a USB Port Lock

Just a thought.

 

Some BIOS have an option to enable a boot-password. So you can't log into the BIOS without the BIOS password (when enabled) as well as you can't boot from anything unless you have the boot-password.

Very handy on my laptop

 

The complete answer to your question is this:
If someone has physical access to your system, they can access anything.

A BIOS boot password will stop most hacking attempts but not a determined hacker. Removing the HD and mounting on another system is fairly simple.

One component of security is trust. If a company trusts the employees, there is no need to lock everything down like Fort Knox.
If there are untrustworthy people working at a company, make sure everyone uses a BIOS boot password. Also, use a lock on desktop cases and put laptops in a locked drawer when not in use.

You could also add encryption to your security protocol. That comes with other headaches however.