  #4  
September 21st 14, 11:28 AM posted to alt.comp.os.windows-8
Joe User[_3_]
Windows 8.1 user accounts, you have GOT to be kidding.

On 21/09/14 10:31, Joe User wrote:
On 21/09/14 10:29, Uncle Peter wrote:
On Sun, 21 Sep 2014 10:23:03 +0100, Joe User wrote:

I can't believe the following even though I have seen it with my own
eyes, surely I'm missing something.

From a clean install

*Create the standard admin account during setup, no password

*log into your standard account

*enable built in Administrator from elevated command prompt with net
user Administrator /active:yes

*Don't change users but change your standard admin to non admin

*disable built in Administrator from elevated command prompt with net
user Administrator /active:no

*sign out
You now have a standard non-admin account with no password (stupid I
know but bear with me)

*log in to standard non admin account

*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from an unprotected non-admin user account anyone can elevate
themselves to an all powerful Admin.
!!!!!!!!!!

Now with a password on the original account
reload clean install from saved virtualbox snapshot

*log into your standard account
*add a password in PC Settings
*sign out
*go to the log in screen

Now you need to take a slightly different approach

*click the power button
*hold down the shift key and select restart
*navigate to the safe boot mode (menu item 4)

now, you need to know your password,

*log into safe mode
*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from a password protected non-admin user account anyone who knows
the non-admin account password can elevate themselves to an all powerful
Admin.
!!!!!!!!!!

This just can't be right can it???

Tell me I've missed something ... (yes I know that most of this can be
obviated by adding a password to the default admin account but I'd be
prepared to bet that most people don't know this).


So you managed to hack your own computer. Now tell me how you can use
this to hack someone else's, otherwise I fail to see what you achieved.


If you can't figure that out from the above I fail to see how I can help
you further. Probably better that you stick to your abacus.


Maybe that was a bit unfair, OK, here's the problem.

I'm a volunteer for a local charity. Recently we received a grant to
replace our aging equipment and got 4 spanky new computers running
Windows 8.1. A wide range of people have access to these machines
including the elderly, the homeless, the unemployed, the disadvantaged,
dispossessed, and other groups on the outskirts of society. We have no
idea who's using the machines at any moment as I and the other
reasonably competent volunteer can't be there all the time. We *know*
someone has been trying to get into the guts of the things and now we
are beginning to understand how they might be doing it.

What is our solution?

A non admin account with no password is the most open solution we have
but as we can see, that leaves us wide open. A password protected non
admin account is the only other option but that also leaves us exposed.

Actually I think the solution is quite simple, put a password on the
hidden admin account.

Would that do the trick? Well, possibly, but I'm no expert on Windows
security so I came here looking for advice.

Does that make things a bit clearer?


--
Not confused, just ... bewildered