Windows 8.1 user accounts, you have GOT to be kidding.



 
 
#1
September 21st 14, 10:23 AM posted to alt.comp.os.windows-8
Joe User[_3_]

I can't believe the following even though I have seen it with my own
eyes, surely I'm missing something.

From a clean install

*Create the standard admin account during setup, no password

*log into your standard account

*enable built in Administrator from elevated command prompt with net
user Administrator /active:yes

*Don't change users but change your standard admin to non admin

*disable built in Administrator from elevated command prompt with net
user Administrator /active:no

*sign out
You now have a standard non-admin account with no password (stupid I
know but bear with me)

*log in to standard non admin account

*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from an unprotected non-admin user account anyone can elevate
themselves to an all powerful Admin.
!!!!!!!!!!

Now with a password on the original account
reload clean install from saved virtualbox snapshot

*log into your standard account
*add a password in PC Settings
*sign out
*go to the log in screen

Now you need to take a slightly different approach

*click the power button
*hold down the shift key and select restart
*navigate to the safe boot mode (menu item 4)

now, you need to know your password,

*log into safe mode
*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from a password protected non-admin user account anyone who knows
the non-admin account password can elevate themselves to an all powerful
Admin.
!!!!!!!!!!

This just can't be right can it???

Tell me I've missed something ... (yes I know that most of this can be
obviated by adding a password to the default admin account but I'd be
prepared to bet that most people don't know this).

--
Not confused, just ... bewildered
#2
September 21st 14, 10:29 AM posted to alt.comp.os.windows-8
Uncle Peter

So you managed to hack your own computer. Now tell me how you can use this to hack someone else's, otherwise I fail to see what you achieved.

--
What happens if you install windows 98 on a system with 2 processors?
It crashes twice.
#3
September 21st 14, 10:31 AM posted to alt.comp.os.windows-8
Joe User[_3_]

If you can't figure that out from the above I fail to see how I can help
you further. Probably better that you stick to your abacus.


--
Not confused, just ... bewildered
#4
September 21st 14, 11:28 AM posted to alt.comp.os.windows-8
Joe User[_3_]

Maybe that was a bit unfair, OK, here's the problem.

I'm a volunteer for a local charity. Recently we received a grant to
replace our aging equipment and got 4 spanky new computers running
Windows 8.1. A wide range of people have access to these machines
including the elderly, the homeless, the unemployed, the disadvantaged,
dispossessed, and other groups on the outskirts of society. We have no
idea who's using the machines at any moment as I and the other
reasonably competent volunteer can't be there all the time. We *know*
someone has been trying to get into the guts of the things and now we
are beginning to understand how they might be doing it.

What is our solution?

A non admin account with no password is the most open solution we have
but as we can see, that leaves us wide open. A password protected non
admin account is the only other option but that also leaves us exposed.

Actually I think the solution is quite simple, put a password on the
hidden admin account.

Would that do the trick? Well, possibly, but I'm no expert on Windows
security so I came here looking for advice.

Does that make things a bit cleared?


--
Not confused, just ... bewildered
#5
September 21st 14, 11:30 AM posted to alt.comp.os.windows-8
Joe User[_3_]

.... clearer?


--
Not confused, just ... bewildered
#6
September 21st 14, 12:04 PM posted to alt.comp.os.windows-8
Uncle Peter

I can't remember, but aren't you prompted to put in a password for the standard admin account when installing? Anything but a home PC where everyone is trusted should have one. If you aren't prompted, then this is a large glaring bug. You could report it to M$ but I doubt they'll listen.

--
A lawyer is an expert on justice in much the same way your average hooker is an expert on love.
#7
September 21st 14, 12:52 PM posted to alt.comp.os.windows-8
Joe User[_3_]

You are indeed prompted for a password but one is not *required*;
personally I think this is an obvious security hole.

What ideally we want is a single non-admin user account with no password
required. We need as few obstacles as possible so people who are
completely unfamiliar with computers but unfortunately required by our
beloved government to have access to the interweb can get to the
interfaces without unnecessary problems.

If you leave the built in administrator unprotected you are wide open.
Just about anybody can promote themselves to an admin.

So, I think the answer is to password protect the built in administrator
account but make it active so we can access admin features. We can then
create an unprotected non-admin account and due to the fact that the
built in is protected and visible the non-admin will need to know the
built in password to elevate themselves to admin.

This is what I'm going to try.

Thanks to all who have contributed.

--
Not confused, just ... bewildered
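
The plan described in the post above, as an added example that is not part of the thread: a PowerShell report of which local accounts are administrators and whether they are enabled, plus a function that sets a password on the built-in Administrator and activates it. The account name Visitor and both function names are assumptions made for this example.

```powershell
# Added example, not from the thread. Works on the PowerShell 4.0 that ships
# with Windows 8.1 (uses WMI rather than the later Get-LocalUser cmdlets).
# Run from an elevated PowerShell prompt on the machine being checked.

# Assumption: hypothetical name of the shared, password-less standard account.
$SharedAccount = 'Visitor'

function Get-LocalAccountAudit {
    # Local Administrators group, found by its well-known SID so that a
    # localised group name does not matter.
    $group = Get-WmiObject -Class Win32_Group `
        -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $adminSids = @($group.GetRelated('Win32_UserAccount') |
        ForEach-Object { $_.SID })

    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                # The built-in Administrator always has RID 500, even if renamed.
                BuiltInAdmin     = $_.SID -like 'S-1-5-21-*-500'
                IsAdmin          = $adminSids -contains $_.SID
                Enabled          = -not $_.Disabled
                # False means the account is *allowed* to have an empty
                # password; it does not prove that the password is empty.
                PasswordRequired = $_.PasswordRequired
            }
        }
}

function Protect-BuiltInAdministrator {
    # The plan from the post above: give the built-in Administrator a password
    # and make it active. 'net user <name> *' prompts for the password without
    # echoing it, so it never appears on the command line or in history.
    param([Parameter(Mandatory = $true)][string]$Name)
    net user $Name *
    if ($LASTEXITCODE -eq 0) { net user $Name /active:yes }
}

$audit = @(Get-LocalAccountAudit)
$audit | Format-Table -AutoSize

# Every member of Administrators can be named at an elevation prompt, so each
# one needs a password, whether or not it is currently enabled.
foreach ($a in ($audit | Where-Object { $_.IsAdmin })) {
    if (-not $a.PasswordRequired) {
        Write-Warning "$($a.Name): administrator account that is allowed an empty password"
    }
}

# The shared account must exist and must not be an administrator.
$shared = $audit | Where-Object { $_.Name -eq $SharedAccount }
if (-not $shared) {
    Write-Warning "Shared account '$SharedAccount' not found on this machine"
} elseif ($shared.IsAdmin) {
    Write-Warning "Shared account '$SharedAccount' is a member of Administrators"
}

# Apply the fix once the report has been reviewed:
# $builtin = $audit | Where-Object { $_.BuiltInAdmin }
# Protect-BuiltInAdministrator -Name $builtin.Name
```

The report does not read or test any password; the only way to be sure the built-in Administrator has one is to set it.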
#8
September 21st 14, 03:52 PM posted to alt.comp.os.windows-8
VanguardLH[_2_]

Joe User wrote:

> From a clean install
>
> * Create the standard admin account during setup, no password
> * log into your standard account
> * enable built in Administrator from elevated command prompt with
>   net user Administrator /active:yes
> * Don't change users but change your standard admin to non admin
> * disable built in Administrator from elevated command prompt with net
>   user Administrator /active:no
> * sign out
>
> You now have a standard non-admin account with no password (stupid I
> know but bear with me)
>
> * log in to standard non admin account
> * from desktop WinKey + x
>   select elevated command prompt. You will be asked for an
>   Administrator password, leave the field blank and select yes
>   You now have an all powerful Administrator CLI that you can use to
>   enable the hidden Administrator account and do whatever you like.
>
> So, from an unprotected non-admin user account anyone can elevate
> themselves to an all powerful Admin.
>
> Now with a password on the original account
> reload clean install from saved virtualbox snapshot
>
> * log into your standard account
> * add a password in PC Settings
> * sign out
> * go to the log in screen
>
> Now you need to take a slightly different approach
>
> * click the power button
> * hold down the shift key and select restart
> * navigate to the safe boot mode (menu item 4)
>
> now, you need to know your password,
>
> * log into safe mode
> * from desktop WinKey + x
>   select elevated command prompt. You will be asked for an
>   Administrator password, leave the field blank and select yes
>   You now have an all powerful Administrator CLI that you can use to
>   enable the hidden Administrator account and do whatever you like.
>
> So, from a password protected non-admin user account anyone who knows
> the non-admin account password can elevate themselves to an all powerful
> Admin.
>
> This just can't be right can it???
>
> Tell me I've missed something ... (yes I know that most of this can be
> obviated by adding a password to the default admin account but I'd be
> prepared to bet that most people don't know this).


From your restricted account ("standard non-admin account") whether it
has a password itself or not, you asked for elevated privileges, you
entered the Administrator's password to get elevated privileges, so you
got elevated privileges.

That you, the administrator of that host, decided to leave blank the
password for the Administrator account was your choice to leave open
that account's use for any account to elevate its privileges. A host
with a blank password for the Administrator account is highly vulnerable
to virus, trojan, hacker, and user abuse.
#9
September 21st 14, 04:33 PM posted to alt.comp.os.windows-8
Char Jackson

On Sun, 21 Sep 2014 11:28:31 +0100, Joe User wrote:

> OK, here's the problem.
>
> I'm a volunteer for a local charity. Recently we received a grant to
> replace our aging equipment and got 4 spanky new computers running
> Windows 8.1. A wide range of people have access to these machines
> including the elderly, the homeless, the unemployed, the disadvantaged,
> dispossessed, and other groups on the outskirts of society. We have no
> idea who's using the machines at any moment as I and the other
> reasonably competent volunteer can't be there all the time. We *know*
> someone has been trying to get into the guts of the things and now we
> are beginning to understand how they might be doing it.
>
> What is our solution?


Maybe kiosk mode would help. You allow access to specific applications and
AFAIK that's all that anyone has access to.

http://blogs.technet.com/b/canitpro/archive/2013/12/17/step-by-step-enabling-kiosk-mode-in-windows-8-1-via-assigned-access.aspx


#10
September 21st 14, 04:52 PM posted to alt.comp.os.windows-8
Dave[_48_]

On Sun, 21 Sep 2014 12:52:18 +0100, Joe User wrote:

I once knew a guy who bought an expensive home with an elaborate security
system. However, setting the alarm each time he left the house was a pain
so he didn't bother.
One day he was robbed. Naturally he tried to sue the alarm company,
claiming that their system failed to protect him. The case is still in
litigation.
#11
September 21st 14, 05:28 PM posted to alt.comp.os.windows-8
Joe User[_3_]

On 21/09/14 15:52, VanguardLH wrote:
> Joe User wrote:

snip

> From your restricted account ("standard non-admin account") whether it
> has a password itself or not, you asked for elevated privileges, you
> entered the Administrator's password to get elevated privileges, so you
> got elevated privileges.

Incorrect, there is no need to enter the Administrator password as the
default embedded Administrator account does not have a password nor is
there any chance to add a password during install. I just wonder how many
people running Windows 8.1 know that their system is wide open like this.

> That you, the administrator of that host, decided to leave blank the
> password for the Administrator account was your choice to leave open
> that account's use for any account to elevate its privileges.

Incorrect, I decided no such thing, I have no choice in respect of the
default embedded Administrator account, to fix this I first need to know
it exists then I need to understand the CLI and how to access it then I
need to know the net command exists then I need to know how to invoke
it. I personally have no problem with this as I administer several Linux
and Unix based servers purely from the CLI, I suggest that this is a bit
of a tall order for the average uninterested user however.

> A host
> with a blank password for the Administrator account is highly vulnerable
> to virus, trojan, hacker, and user abuse.

And yet this is the default situation, both for the admin account created
at install time, (solvable by adding a password during install) and for
the hidden Administrator account.

Try again.


--
Not confused, just ... bewildered
  #12  
Old September 21st 14, 05:30 PM posted to alt.comp.os.windows-8
Joe User[_3_]

On 21/09/14 16:33, Char Jackson wrote:
On Sun, 21 Sep 2014 11:28:31 +0100, Joe User wrote:

OK, here's the problem.

I'm a volunteer for a local charity. Recently we received a grant to
replace our aging equipment and got 4 spanky new computers running
Windows 8.1. A wide range of people have access to these machines
including the elderly, the homeless, the unemployed, the disadvantaged,
dispossessed, and other groups on the outskirts of society. We have no
idea who's using the machines at any moment as I and the other
reasonably competent volunteer can't be there all the time. We *know*
someone has been trying to get into the guts of the things and now we
are beginning to understand how they might be doing it.

What is our solution?


Maybe kiosk mode would help. You allow access to specific applications and
AFAIK that's all that anyone has access to.

http://blogs.technet.com/b/canitpro/archive/2013/12/17/step-by-step-enabling-kiosk-mode-in-windows-8-1-via-assigned-access.aspx


Looks interesting, I'll check it out, thanks.

--
Not confused, just ... bewildered
  #13  
Old September 21st 14, 05:31 PM posted to alt.comp.os.windows-8
Joe User[_3_]

On 21/09/14 16:52, Dave wrote:
On Sun, 21 Sep 2014 12:52:18 +0100, Joe User wrote:

I once knew a guy who bought an expensive home with an elaborate security
system. However, setting the alarm each time he left the house was a pain
so he didn't bother.
One day he was robbed. Naturally he tried to sue the alarm company,
claiming that their system failed to protect him. The case is still in
litigation.


Your point being?


--
Not confused, just ... bewildered
  #14  
Old September 22nd 14, 12:11 AM posted to alt.comp.os.windows-8
Gene E. Bloch[_2_]

On Sun, 21 Sep 2014 10:29:18 +0100, Uncle Peter wrote:

On Sun, 21 Sep 2014 10:23:03 +0100, Joe User wrote:

I can't believe the following even though I have seen it with my own
eyes, surely I'm missing something.

From a clean install

*Create the standard admin account during setup, no password

*log into your standard account

*enable built in Administrator from elevated command prompt with net
user Administrator /active:yes

*Don't change users but change your standard admin to non admin

*disable built in Administrator from elevated command prompt with net
user Administrator /active:no

*sign out
You now have a standard non-admin account with no password (stupid I
know but bear with me)

*log in to standard non admin account

*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from an unprotected non-admin user account anyone can elevate
themselves to an all powerful Admin.
!!!!!!!!!!

Now with a password on the original account
reload clean install from saved virtualbox snapshot

*log into your standard account
*add a password in PC Settings
*sign out
*go to the log in screen

Now you need to take a slightly different approach

*click the power button
*hold down the shift key and select restart
*navigate to the safe boot mode (menu item 4)

now, you need to know your password,

*log into safe mode
*from desktop WinKey + x

select elevated command prompt. You will be asked for an Administrator
password, leave the field blank and select yes
You now have an all powerful Administrator CLI that you can use to
enable the hidden Administrator account and do whatever you like.

!!!!!!!!!!
So, from a password protected non-admin user account anyone who knows
the non-admin account password can elevate themselves to an all powerful
Admin.
!!!!!!!!!!

This just can't be right can it???

Tell me I've missed something ... (yes I know that most of this can be
obviated by adding a password to the default admin account but I'd be
prepared to bet that most people don't know this).


So you managed to hack your own computer. Now tell me how you can use this to hack someone else's, otherwise I fail to see what you achieved.


Well, he *can* hack someone else's computer if that person made the same
mistake[1] he did :-)

I haven't read the rest of the thread yet, so I'm probably just a bit
redundant now.

[1] I know it was intentional, but still...

--
Gene E. Bloch (Stumbling Bloch)
  #15  
Old September 22nd 14, 12:14 AM posted to alt.comp.os.windows-8
Gene E. Bloch[_2_]

On Sun, 21 Sep 2014 11:28:31 +0100, Joe User wrote:

Actually I think the solution is quite simple, put a password on the
hidden admin account.


Ça va sans dire...

--
Gene E. Bloch (Stumbling Bloch)
 



