I need to password protect my pc at startup

[Kat]

I have XP Home on my PC at work. I need to protect my computer so NO ONE
else can get on to it. I know someone has been coming into the office after
hours and on weekends and reading my emails and looking at files. Personal
emails have been read and then marked unread but when I click them typically
the person sending has "send a receipt" when opening emails and on Mondays
I'm not getting that message if I reply to an email and the sender again
replies then I do get that. Also when looking at properties on files it
will say when it was last accessed and it will be a time I was not at work.
So...

How do I make my computer secure?
Is using windows logon with a password secure enough so no one else can get
on my pc?
Is there a better way to protect my machine?

Thanks in Advance!

K

 

[Shenan Stanley]

I have XP Home on my PC at work. I need to protect my computer so
NO ONE else can get on to it. I know someone has been coming into
the office after hours and on weekends and reading my emails and
looking at files. Personal emails have been read and then marked
unread but when I click them typically the person sending has "send
a receipt" when opening emails and on Mondays I'm not getting that
message if I reply to an email and the sender again replies then I
do get that. Also when looking at properties on files it will say
when it was last accessed and it will be a time I was not at work.
So...
How do I make my computer secure?
Is using windows logon with a password secure enough so no one else
can get on my pc?
Is there a better way to protect my machine?

If someone has unrestricted physical access to your computer and time - they
can access everything on it. The only 'practical' exception may be
encrypted files/folders - as they *may* take years to get into using means
most would have access to. Beyond that...

I think you may be suspecting something that is not happening. You seem to
concentrate around email specifically - which to me implies that the
security breach may have nothing to do with the local computer. Email goes
through servers - and depending on what type of server your company uses -
someone could easily get access to your email account from anywhere given
the right resources and ingenuity. As for the file 'access' stamps - are
these locally stored files or are they stored on a remote server share?

You can 'somewhat' secure the system from most. There is ways around
everything, however. New lock - custodial staff likely can still get in -
as well as other people. New password(s)? The IT Staff likely still has
full access to your computer remotely and your email without even knowing
your password.

Of course - if this is *not* your computer and is your company's computer
and the IT staff is not involved in fixing this with you - some of this may
be against policy and get you in trouble...

1) Lock your office. The first rule of computing security measures is
physical security. Without physical security - just about everything else
can be overcome. If you think your cuyrrent lock will not stop them - ask
to have the lock changed.

2) Change all your passwords. I recommend passwords that are 15 characters
or longer. Hopefully you don't have any limitations in length (other than
'has to be at least x characters...) Something you can remember - but not
obvious. Making up a phrase and then abbreviating/putting in numbers and
symbols is a good method. Like.. "Stop hacking into my computer!" could
turn into "5topH4ckingInt0MyC0mp!"...

3) You could set a BIOS password and change the boot method so that it boots
only from the hard disk drive (no other methods.) How to get into your BIOS
and such would differ per machine - but most tell you when powering on the
first time what key(s) to press to get into the BIOS/System Setup and once
there - setting a password to boot the computer and/or change BIOS settings
should be easy enough to find. If you set it so that it won't even start to
boot without the password - this is actually your best protection (in your
case) as the 'casual' hacker will not likely be able to get past this and
the better hacker would - but covering their tracks would be almost
impossible - you'd *know* someone came in and did something. Some others
might just take the drive out and boot in a similar/exact other machine -
then put it back when done - but they'd have to REALLY want whatever you
have on that machine. ;-)

 

[JS]

They most likely are using the normally hidden account named
'Administrator'.
The default password for the built in Windows Administrator account is
normally blank (none),
which means they can easily gain access.

How to set a password for this Admin account (XP Home users)
Boot the computer into Safe Mode
Do this by pressing the F8 key after the Power On Self Test is finished,
until the Start menu appears.
This will get you to the correct menu window.
Once in Safe Mode, you will see the normally hidden Administrator account
and any other accounts.
(Note: Accounts are displayed alphabetically).
Use the Up/down arrow keys to highlight the 'Administrator' account;
Remember as mentioned above: The default password is a blank (no password
required).

Once your in, then:
Click Start/Run/and type in: Control Userpasswords2 and then press OK
Next click on the 'Users' tab and then click on the 'Administrator' account
to highlight it.
Then click the 'Reset Password' button.
Enter the new password in both the 'New password' and 'Confirm new password'
boxes
Click the 'OK' button and once again click 'OK' to exit out.

This closes that back door often used for emergencies so do not forget the
password as
you may need it some day.

Also see: How to log on to Windows XP if you forget your password or if your
password expires
(This Microsoft article applies to both XP Home and Pro)
http://support.microsoft.com/kb/321305/en-us

JS

 

[Don Phillipson]

I have XP Home on my PC at work. I need to protect my computer so NO ONE
else can get on to it. I know someone has been coming into the office after
hours and on weekends and reading my emails and looking at files. Personal
emails have been read and then marked unread but when I click them typically
the person sending has "send a receipt" when opening emails and on Mondays
I'm not getting that message if I reply to an email and the sender again
replies then I do get that. Also when looking at properties on files it
will say when it was last accessed and it will be a time I was not at work.
So...

How do I make my computer secure?

1. Change all your passwords now, in case compromised.
2. Most PCs let you set a BIOS password that must be
entered before Windows starts. If you have no motherboard
manual, interrupt the reboot process (probably either DELete
or F8 key) and inspect BIOS menus.
3. Win98 lets you encrypt selected files, explained via
/ start / help / ENCRYPT.
4. You could use a portable flashdrive to carry ultra-sensitive
info on your person, i.e. never leave secret data files in the desktop.
5. There are plenty of books about PC security. If connected to
the Internet, this must be made secure as well.
6. Because you may believe your system has been read by
some unauthorised person, you must consider whether new
security measures would tip him off that his penetration is
known. You may wish to leave things as they are, and
set some sort of trap to catch him in flagrante dilecto.

 

[Kat]

I'm at a very small company... we have 8 people working in the office here.
I don't know that much about how to set up passwords or if using the log on
password is effective enough. I do not have that set up now. I am one of 3
owners here, almost everyone in the office has keys to get in here on
evenings and weekends. We are to small to have an IT person let alone a
department. So we are pretty much on our own. One person here is best with
pc's and does what she can to keep us up and running but doesn't seem to
know if the windows log on is secure enough to prevent other people on my
machine. I have several files password protected so users can not get into
those. However I suspect a co-owner getting nosey and poking around on my
machine.

Hopefully this has helped explain my concern. I have delicate files on my
machine that this other person has admitted getting into and reading. I
don't want them doing that again so I'd like to protect my machine when I am
not here. This person being an owner has access to my office as well with
keys so locking the door isn't going to do it.

I want to set it up with a password so that if the machine is off, they can
not get into it even if they can turn it on.

Thanks

 

[Malke]

I'm at a very small company... we have 8 people working in the office
here. I don't know that much about how to set up passwords or if using the
log on
password is effective enough. I do not have that set up now. I am one of
3 owners here, almost everyone in the office has keys to get in here on
evenings and weekends. We are to small to have an IT person let alone a
department. So we are pretty much on our own. One person here is best
with pc's and does what she can to keep us up and running but doesn't seem
to know if the windows log on is secure enough to prevent other people on
my
machine. I have several files password protected so users can not get
into
those. However I suspect a co-owner getting nosey and poking around on my
machine.

Hopefully this has helped explain my concern. I have delicate files on my
machine that this other person has admitted getting into and reading. I
don't want them doing that again so I'd like to protect my machine when I
am
not here. This person being an owner has access to my office as well with
keys so locking the door isn't going to do it.

I want to set it up with a password so that if the machine is off, they
can not get into it even if they can turn it on.

Shenan has given you good advice. Physical access is everything. See my
standard information about computer security below but please be aware that
all of those precautions can be gotten around. You really need to address
your problems with the other owner and this isn't something you can do with
technology.

On the technical front, if you don't know how to set things up, hire a local
computer professional to come on-site and do it for you. This is a cost of
doing business. Don't use someone from a BigComputerStore type of place.

Any computer running any operating system can be accessed by someone with 1)
physical access; 2) time; 3) skill; 4) tools. There are a few things you
can do to make it a bit harder though:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.

2. From the BIOS, change the boot order to hard drive first.

3. Set strong passwords on all accounts, including the built-in
Administrator account.

4. If you leave your own account logged in, use the Windows Key + L to lock
the computer (and/or set the screensaver/power saving) when you step away
from the computer and require a password to resume.

5. Make other users Limited accounts in XP Home, regular user accounts in XP
Pro.

6. Set user permissions/restrictions:

a. If you have XP Pro, you can set user permissions/restrictions with Group
Policy (Start>Run>gpedit.msc [enter]) but be careful. Using the Policy
Editor can be tricksy. Questions about Group Policy should be posted in its
newsgroup: microsoft.public.windows.group_policy.

b. If you have XP Home, you can use MVP Doug Knox's Security Console or the
MS Steady State. SteadyState also works in XP Pro if you'd rather not use
Group Policy.

http://www.dougknox.com
Steady State -
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Malke

 

[Shenan Stanley]

I have XP Home on my PC at work. I need to protect my computer so
NO ONE else can get on to it. I know someone has been coming into
the office after hours and on weekends and reading my emails and
looking at files. Personal emails have been read and then marked
unread but when I click them typically the person sending has "send
a receipt" when opening emails and on Mondays I'm not getting that
message if I reply to an email and the sender again replies then I
do get that. Also when looking at properties on files it will say
when it was last accessed and it will be a time I was not at work.
So...
How do I make my computer secure?
Is using windows logon with a password secure enough so no one else
can get on my pc?
Is there a better way to protect my machine?

If someone has unrestricted physical access to your computer and
time - they can access everything on it. The only 'practical'
exception may be encrypted files/folders - as they *may* take years
to get into using means most would have access to. Beyond that...

I think you may be suspecting something that is not happening. You
seem to concentrate around email specifically - which to me implies
that the security breach may have nothing to do with the local
computer. Email goes through servers - and depending on what type
of server your company uses - someone could easily get access to
your email account from anywhere given the right resources and
ingenuity. As for the file 'access' stamps - are these locally
stored files or are they stored on a remote server share?
You can 'somewhat' secure the system from most. There is ways
around everything, however. New lock - custodial staff likely can
still get in - as well as other people. New password(s)? The IT
Staff likely still has full access to your computer remotely and
your email without even knowing your password.

Of course - if this is *not* your computer and is your company's
computer and the IT staff is not involved in fixing this with you -
some of this may be against policy and get you in trouble...

1) Lock your office. The first rule of computing security measures
is physical security. Without physical security - just about
everything else can be overcome. If you think your cuyrrent lock
will not stop them - ask to have the lock changed.

2) Change all your passwords. I recommend passwords that are 15
characters or longer. Hopefully you don't have any limitations in
length (other than 'has to be at least x characters...) Something
you can remember - but not obvious. Making up a phrase and then
abbreviating/putting in numbers and symbols is a good method. Like..
"Stop hacking into my computer!" could turn into
"5topH4ckingInt0MyC0mp!"...
3) You could set a BIOS password and change the boot method so that
it boots only from the hard disk drive (no other methods.) How to
get into your BIOS and such would differ per machine - but most
tell you when powering on the first time what key(s) to press to
get into the BIOS/System Setup and once there - setting a password
to boot the computer and/or change BIOS settings should be easy
enough to find. If you set it so that it won't even start to boot
without the password - this is actually your best protection (in
your case) as the 'casual' hacker will not likely be able to get
past this and the better hacker would - but covering their tracks
would be almost impossible - you'd *know* someone came in and did
something. Some others might just take the drive out and boot in a
similar/exact other machine - then put it back when done - but
they'd have to REALLY want whatever you have on that machine. ;-)

I'm at a very small company... we have 8 people working in the
office here. I don't know that much about how to set up passwords
or if using the log on password is effective enough. I do not have
that set up now. I am one of 3 owners here, almost everyone in the
office has keys to get in here on evenings and weekends. We are to
small to have an IT person let alone a department. So we are
pretty much on our own. One person here is best with pc's and does
what she can to keep us up and running but doesn't seem to know if
the windows log on is secure enough to prevent other people on my
machine. I have several files password protected so users can not
get into those. However I suspect a co-owner getting nosey and
poking around on my machine.
Hopefully this has helped explain my concern. I have delicate
files on my machine that this other person has admitted getting
into and reading. I don't want them doing that again so I'd like
to protect my machine when I am not here. This person being an
owner has access to my office as well with keys so locking the door
isn't going to do it.
I want to set it up with a password so that if the machine is off,
they can not get into it even if they can turn it on.

None of that changes my advice, really. You may have to learn some things
in order to do some of the things I suggested - but the advice is not going
to change. A logon password is *not* enough to prevent someone with
time/tools/skills from getting to your files. As I stated - the reality is
not much will stop someone who wants to get to your stuff if they have time
and access.

You may be in over your head without an IT staff - you may want to hire
someone who knows what they are doing to go through the steps I provided -
someone who has nothing to gain by leaving any backdoors in your system. ;-)

By the way, you said, "... I have several files password protected ..." <--
what do you mean by that? Password protected in what way? Using
Word/Excel/Office's password protect? Or creating a ZIP file and password
protecting it? Or perhaps using file encryption (EFS or truecrypt or
something similar?) Other than the encryption - the other methods I
mentioned provide about as much protection as the logon password - which is
just about none. ;-)

 

[Don Phillipson]

I'm at a very small company... we have 8 people working in the office here.
I don't know that much about how to set up passwords or if using the log on
password is effective enough. I do not have that set up now. I am one of 3
owners here, almost everyone in the office has keys to get in here on
evenings and weekends. We are to small to have an IT person let alone a
department. So we are pretty much on our own. One person here is best with
pc's and does what she can to keep us up and running but doesn't seem to
know if the windows log on is secure enough to prevent other people on my
machine.

1. It seems you have not investigated security provisions
of the MS OS already installed.
2. MS sells additional security software e.g. Forefront.
If you lack confidence in in installing and operating it,
you could pay a contractor to do it for the company.

 

[JS]

As Don mentioned "the Trap" could be as simple as this technique
(which will at least tell you which account name they use and the time of
day they logged into your PC)

How to view and manage event logs in Event Viewer in Windows XP:
http://support.microsoft.com/kb/308427
Read the information about: Event Viewer, Event Log Types, Security Log
Also: Success Audit (Security log)

Easy way to view and change what is audited:
Right click on 'My Computer' icon
Click on 'System Tools', 'Event viewer' and then 'Security'
If your PC has been logging events you should see a listing for each days
activities.
If the log is empty then right click on 'Security' and select 'Properties'.
Click on the 'Filter' tab in the Security Properties window.
Check the Success and Failure audit boxes.
Click 'Apply' button and then 'OK'.

JS

 

[Anteaus]

The tech side on this one has been well covered, but I'd agree that catching
the guy might be the best course of action. He/she is obviously an
untrustworthy employee, and even if you put a stop to this, who knows what
else they will get up to? Or, for that matter, are already up-to?

Logging software, remote screen-viewing software (VNC etc) or a temporary
concealed video cam suggest themselves. I'd be aiming to get enough evidence
that I could safely dismiss on the spot.