Lock computer (Ctrl+Alt+Del),can be accessed by other than admin

zillah · 5 Feb 2008 at 10:27

Friend of mine has got two computers (Laptop and Desktop) connected to each other via cross over cable (networked), both computers have got OS win2003 SP2. Normally he accesses both computer via administrator accounts

When he does not use them , he locks them by pressing (Ctrl+Alt+Del), some times he found his son accessed his laptop, he told me that he did not tell his son about the password for the username administrator.

There is no other accounts were created beside administrator account under “Local Users and Groups”.

I have checked by myself the “Add or Remove Programs”, I could not find suspicious program.

Is there away to access a locked PC without knowing the password

Fr0dders · 5 Feb 2008 at 10:32

not without some very hefty hacking

i suspect the person in question didnt lock their machine at the time or hasnt required that a password be entered to log on and his son has rebooted the PC and got in that way.

zillah · 5 Feb 2008 at 10:38

i suspect the person in question didnt lock their machine at the time or hasnt required that a password be entered to log on and his son has rebooted the PC and got in that way.

I can confirm that he locked his both PC, because I was with him when he had done it.

Fr0dders · 5 Feb 2008 at 10:46

why not take the simple step

of asking his son what he did ?

zillah · 5 Feb 2008 at 10:46

of asking his son what he did ?

He did, but he did not tell him the truth

Fr0dders · 5 Feb 2008 at 10:59

your missing something simple

it is not possible to bypass the "this terminal is use and is locked" screen. It is possible to do some funky stuff if you have prior access to change stuff. But faced simply with the locked screen, theres no way round it.

oh and just in case you dont take my word for it. I work for a contractor in the NHS. We have full access to all the GPs practices in the country have potentially access to millions of patient records. Security is very tight and we have to be BS7799 certified. This is the BSI Standard for "Information Technology - Code of practice for information security management."

This DTI written standard deems locking the terminal using CTRL + L as an adequate measure for ensuring computers arent used by unauthorised personal in highly sensitive environments such as the ones we work in.

zillah · 5 Feb 2008 at 11:09

It is possible to do some funky stuff if you have prior access to change stuff.

Thanks MrLOL.

Some time his dad let his son use the computer when the computer is unlocked. Can the son find out the password for the administrator in some how ?

Fr0dders · 5 Feb 2008 at 12:14

he very possibly could have, if he'd had full access to the system

best thing to do is change the password.

sidethink · 5 Feb 2008 at 21:05

MrLOL said:
your missing something simple

it is not possible to bypass the "this terminal is use and is locked" screen. It is possible to do some funky stuff if you have prior access to change stuff. But faced simply with the locked screen, theres no way round it.
QUOTE]

Saying there is 'no' way round it isn't quite true. Given physical access to the machine and a Linux boot CD I can reboot and reset your admin password. Obviously it would be fairly easy to detect a compromise but its far from impossible.

That being said, it doesn't sound like this happened in this particular case.

ns400r · 5 Feb 2008 at 21:19

Simply pressing Contol/Alt/Delete does NOT lock a Windows XP or 2003 computer.
Does he not also press Lock Computer ?

Fr0dders · 5 Feb 2008 at 21:20

but you've not actually managed to get past the CTRL + ALT + DELETE prompt and get into windows.

i dont actually think its possible to get past this without either booting into some other OS, or having prior access to the machine to start deleting / editing stuff.

ns400r said:
Simply pressing Contol/Alt/Delete does NOT lock a Windows XP or 2003 computer.
Does he not also press Lock Computer ?

funny that, i took it he knew the difference, but you're right he doesnt actually say he does. You lock a computer by pressing windows key + l or ctrl + alt + delete then lock PC.

IAmATeaf · 5 Feb 2008 at 21:45

Maybe his son just used the switch user option, this option would be available if the PC(s) aren't members of an AD domain, when he then logs off it would then just return to the locked user screen.

bringans · 5 Feb 2008 at 22:14

IAmATeaf said:
Maybe his son just used the switch user option, this option would be available if the PC(s) aren't members of an AD domain, when he then logs off it would then just return to the locked user screen.

was about to type that, lucky I saw your post hehe.

ns400r · 5 Feb 2008 at 22:35

Only one account on the PC so he couldn't do that.

metalmackey · 5 Feb 2008 at 23:54

Maybe his son enabled the guest account beforehand?

bledd · 6 Feb 2008 at 00:24

are the users called 'administrator' or are they just left blank?

maybe he previously booted from cd with ophcrack to find out the passwords

why does he have 2003 at home? furthermore, why are they connected via crossover

Curiosityx · 6 Feb 2008 at 01:00

both computers have got OS win2003 SP2. Normally he accesses both computer via administrator accounts.....

eh?!

Snapshot · 6 Feb 2008 at 06:49

MrLOL said:
funny that, i took it he knew the difference, but you're right he doesnt actually say he does. You lock a computer by pressing windows key + l or ctrl + alt + delete then lock PC.

Lock is the default button so just Enter works at that point.

.walls · 6 Feb 2008 at 09:54

He hasn't bypassed the gina without either some previous access and a bit of cracking or knowing the account password. simple as that.

IAmATeaf · 6 Feb 2008 at 11:30

How about access via RDC? Also what evidence do you or your friend have that his son accessed the PC(s)?