I am sure anyone who works in a school will be aware this is one of the things kids do to get local admin rights over their laptops.
http://community.spiceworks.com/how_to/show/59673-windows-7-8-local-admin-password-reset
The issue becomes that users can get access using Start up Repair to get to a command prompt, then replace sethc.exe or use a registry change to get system-level access to a command prompt on the running instance of Windows, then control userpasswords2.
If kids get physical access to someone's device, they can add their own account or computer to have remote access with admin rights, thus evading detection from many forms of security and tracking.
5 Spice ups
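A defender-side check for the tampering described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 4.0 or later and an elevated prompt; the function name `Test-StickyKeysTampering` is hypothetical, and the registry check assumes the "registry change" means a `Debugger` value under Image File Execution Options, which the post does not specify.

```powershell
#Requires -Version 4.0
# Added example: audit the Sticky Keys binary (sethc.exe) for the tampering
# described in this thread. Read-only; it changes nothing on the machine.

function Test-StickyKeysTampering {
    [CmdletBinding()]
    param(
        # Folder holding the system binaries. Parameterised so a mounted
        # offline image of a returned laptop can be checked as well.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # Assumption: the registry change is a Debugger value under this key.
        [string]$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    $findings = @()
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'

    if (-not (Test-Path -LiteralPath $sethc)) {
        $findings += 'sethc.exe is missing'
    } else {
        # A replaced sethc.exe is normally a straight copy of cmd.exe,
        # so identical hashes are a reliable sign of the swap.
        $sethcHash = (Get-FileHash -LiteralPath $sethc -Algorithm SHA256).Hash
        $cmdHash   = (Get-FileHash -LiteralPath $cmd   -Algorithm SHA256).Hash
        if ($sethcHash -eq $cmdHash) {
            $findings += 'sethc.exe is byte-identical to cmd.exe'
        }
    }

    # A Debugger value makes Windows launch another program whenever
    # sethc.exe is started; a stock install has no such value.
    $key = Join-Path $IfeoRoot 'sethc.exe'
    if (Test-Path -LiteralPath $key) {
        $debugger = (Get-ItemProperty -LiteralPath $key).Debugger
        if ($debugger) { $findings += "Debugger value set for sethc.exe: $debugger" }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-StickyKeysTampering | Format-List
```

Run as a scheduled task or logon script, the returned object can be written to a central share so tampered take-home devices show up the next time they connect.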
calpayit
(CalPayIT)
2
Doesn’t it ask you for a local admin username and password before you can sign in to repair?
You do need to provide credentials to get into the startup repair these days, but that is just one of the ways to get into the command prompt…the command prompt is the thing they are after. Once they are in there, there are a whole slew of things they can mess around with, including account credentials.
Nope!
There are third party tools you can use, but this often requires access to other boot options that can be locked down.
Windows Start Up Repair can be forced to start by powering off the device; you then get to a command prompt for repair and run commands from there.
jenyus
(Joffles)
5
Can't do much to secure a Windows machine that's not on a domain. Even if you block this, they can still get in easily using a Hiren's boot CD and Kon-Boot or Offline Password Changer.
I have blocked BIOS and other boot options, but that is not to say they could not run an exe like that under Windows…
Applocker is awesome at stopping this. Once tweaked, it is very powerful. I’ve setup a policy to basically allow C:\Program Files and \Windows. Anything else has to get approved. I’ve also locked the BIOS like you said.
Applocker requires 7 Enterprise or 8 Pro.
1 Spice up
mendy
(Mendy)
8
Unfortunately there’s nothing you can do to stop a determined hacker who’s physically at the machine. I know, I was one of them.
When the computer was completely locked down with BIOS password protected, and all sorts of other policies, I removed the hard disk forcing it to boot from CD, then while it was still booting I quickly powered the disk back up in time for the live CD to recognize it and allow me to hack the password…it’s really simple and there’s nothing you can really do to prevent it.
It’s all about best effort and then letting them know that although you’re aware they can get by it - the only reason why they’re allowed in the computer room is because they’re NOT hacking it…it becomes a matter of trust and kids usually respond well for the most part when someone in authority openly trusts them.
1 Spice up
I guess that BitLocker can prevent this from happening. AFAIK, hackers… ahem, users, will have to unlock the drive first before doing anything.
mendy
(Mendy)
10
True, but the right live CD gives them a fully functioning computer on the network… 
Only if BIOS allows booting from CD or USB.
1 Spice up
You can do something similar with Software Restriction Policies, which works on any of the Pro versions of Windows (XP, Vista, 7 and 8).
If there is no option to boot from a CD they are SOL. Dell BIOS will let you remove items from the boot sequence, in other words hard drive or nothing. I am sure other manufacturers have a similar setup.
Agreed. Problem is they are take-home 1:1 devices…
I have found some interesting tools that may make it a lot harder for the would be hacker (as I was one too, but not malicious to others…)
M$ EMET 5.0
Applocker as suggested
Bitlocker encryption

4 Spice ups
mendy
(Mendy)
15
Awesome picture!
Really explains the world nowadays lol