Access control

Alonso

How to detect if a computer has been turned on during weekend days and
accessed (unauthorized), when it should not be turned on?
The admin account is password protected, however it is possible to hack this via
booting Linux. Where to check Windows XP log files? Is it Event Viewer logs,
to run eventvwr?
 
Tim Meddick

Yes.

One simple way is just to run the Event Viewer, either by locating the
shortcut to it under the "Administrative Tools" menu, or by typing
"eventvwr.exe" into the "Run" box on the Start Menu.

When open, look in virtually any of the categories to find dates and times
of recent activity.

You could also always download and use "logevent.exe" (a command-line
console application that writes to the Event Log) to create your own Event
Log entries whenever your PC starts.

Download "Logevent.exe" from:
http://www.dynawell.com/download/ResKit/Microsoft/WinNT/logevent.zip

==

Cheers, Tim Meddick, Peckham, London. :)
 
Nil

How to detect if a computer has been turned on during weekend days
and accessed (unauthorized), when it should not be turned on?

Check the System Event log in Event Viewer. You will see the series of
services starting up at boot time.

You can also issue the command "systeminfo" at a command line prompt
(this might only be found on XP Pro.) The line "System Up Time" will
tell you how long since the last reboot.

There's also an "UPTIME" from Microsoft, but I don't remember where I
got it from. May be left over from my NT days.

You can check the Security log in Event Viewer for a record of all
logins.
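As an added example (not code from either reply above), the following PowerShell script pulls the same two records the replies point at, the boot markers in the System log and the logon records in the Security log, and keeps only those stamped on a Saturday or Sunday. It assumes PowerShell 2.0 or later is installed on the XP host, that it runs from an administrator account (the Security log cannot be read otherwise), and that auditing of logon events has been switched on; the event IDs are the documented XP-era ones, with the Vista-and-later renumberings included so the same script works on newer hosts.

```powershell
# Added example, not from the thread: list boot/shutdown and logon events
# recorded on a Saturday or Sunday during the last $Days days.
# Assumes: PowerShell 2.0+ on the XP host, run as an administrator,
# and "Audit logon events" enabled (otherwise the Security log is empty).
param([int]$Days = 14)

$since = (Get-Date).AddDays(-$Days)

# System log, source "EventLog": 6005/6006 = Event Log service started/stopped
# (one pair per boot and clean shutdown), 6008 = previous shutdown was unexpected,
# 6009 = OS version banner written at every boot.
$bootIds = 6005, 6006, 6008, 6009

# Security log. XP/2003 IDs: 528 = successful logon, 540 = successful network
# logon, 529 = failed logon (bad name/password), 517 = audit log cleared.
# Vista and later renumbered these to 4624, 4625 and 1102.
$logonIds = 528, 540, 529, 517, 4624, 4625, 1102

function Get-WeekendEvents {
    param([string]$LogName, [int[]]$Ids)
    Get-EventLog -LogName $LogName -After $since |
        Where-Object { $Ids -contains $_.EventID } |
        Where-Object { $_.TimeGenerated.DayOfWeek -eq 'Saturday' -or
                       $_.TimeGenerated.DayOfWeek -eq 'Sunday' } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, Source,
                      @{Name='Summary'; Expression={ ($_.Message -split "`n")[0] }}
}

"=== Weekend boot/shutdown markers (System log, last $Days days) ==="
Get-WeekendEvents -LogName System -Ids $bootIds | Format-Table -AutoSize

"=== Weekend logon audit records (Security log, last $Days days) ==="
Get-WeekendEvents -LogName Security -Ids $logonIds | Format-Table -AutoSize
```

A 6009/6005 pair at a weekend time shows that Windows itself was started then; a 528 or 540 in the same window shows a logon was completed, and a 517 (or 1102) shows that someone cleared the Security log, which is itself worth noticing. The absence of any weekend marker only shows that Windows was not started, not that the machine stayed powered off.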
 
VanguardLH

Alonso said:
How to detect if a computer has been turned on during weekend days and
accessed (unauthorized), when it should not be turned on?
The admin account is password protected, however it is possible to hack this via
booting Linux. Where to check Windows XP log files? Is it Event Viewer logs,
to run eventvwr?

Enable auditing on logon events.

You never mentioned WHICH edition of Windows XP that you have. Home
editions don't include the group policy editor (gpedit.msc). If you
have an edition OTHER than a Home edition then use gpedit to configure
the auditing policies.

- Load gpedit.msc.
- Go to the following tree node:
  Computer Configuration
    \__ Windows Settings
        \__ Security Settings
            \__ Local Policies
                \__ Audit Policy

That only tells you when there was a logon (or other auditable event).
That doesn't tell you WHO logged in (unless you establish SEPARATE
accounts for each user and you're sure they don't share logins). You
look in the Event Viewer to see the audit events.

While you're there in gpedit, you could go under the Security Options
tree node under the Interactive Logon settings to configure the login
message and logon title to warn users that their logons are being
recorded and will be reviewed. That might deter someone from an
unauthorized logon. Sneaks like to work in the dark and scurry away in
the light.

If this is within a domain, you can push logon/logoff scripts onto the
Windows accounts. These can run programs to record or take whatever
action you want. If not in a domain, you will have to manually assign
the batch file or program executable to the logon/logoff scripts for
each Windows account.

If running in a domain, you can push policies that restrict the logon
hours. See the following articles on managing logon restrictions:

http://support.microsoft.com/kb/816666
http://technet.microsoft.com/en-us/library/bb726988.aspx
http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx
http://www.ehow.com/how_8467159_set-restriction-hours-group-policy.html

If not in a domain but instead using workgroups, you have to use the
"net user" command. You run the command to put limits on accounts. See
http://www.techrepublic.com/blog/security/restrict-logon-access-with-this-command/281.
Of course, you could put the command in the logon/logoff scripts for
each Windows account to ensure they get run before and after any 'net'
commands that the user might run during their Windows session if, say,
they happen to be logging in under an admin-level account (but then they
can modify account setup just like you).

You could put a web camera attached to the computer that sends its
images to another computer (so the perp can't erase on that host what's
already been sent to a different host). Obviously the software running
the snapshots or streamed video taken by the webcam has to load as a
service so it is running without requiring a login.

If your real intent is to restrict when users can access the Internet
(for all hosts under a router) then get a router that lets you define
usable hours.

If you leave the BIOS configured to allow other bootable devices to be
used to load an OS then that was your choice. If you only want the OS
loaded that's on a hard disk then stop allowing other boot devices to
load a different OS. Configure the BIOS to only allow booting from the
hard disk. If you allow booting another OS using other devices then
obviously Windows XP isn't booting and cannot record anything, could it?
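An added example (not from the reply above) of the two workgroup-side pieces VanguardLH describes, done from a script instead of the GUI: switching on auditing of logon events with a security template applied through secedit.exe, which needs no gpedit.msc, and limiting the logon hours of named local accounts with "net user /times". It assumes an administrator session, PowerShell 2.0 or later, and that the account names in $Accounts and the window in $Hours are placeholders to be replaced with real values.

```powershell
# Added example, not from the thread. Assumes an administrator session.
# 1) Turn on auditing of logon events (success and failure) via a security
#    template applied with secedit.exe, which needs no gpedit.msc.
# 2) Restrict the logon hours of named local accounts with "net user /times".
# Replace the account names below with real ones before running.
$Accounts = 'alice', 'bob'        # hypothetical local account names
$Hours    = 'M-F,08:00-18:00'     # allowed window; everything else is denied

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
# AuditSystemEvents covers startup/shutdown and "audit log cleared" (517).
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
'@

$inf = Join-Path $env:TEMP 'audit-logon.inf'
$db  = Join-Path $env:TEMP 'audit-logon.sdb'
# secedit expects a Unicode (UTF-16) template file
$template | Out-File -FilePath $inf -Encoding Unicode
& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
Remove-Item $inf, $db -ErrorAction SilentlyContinue

foreach ($name in $Accounts) {
    # The comma inside $Hours must stay inside one quoted argument.
    & net.exe user $name "/times:$Hours"
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not set logon hours for $name"; continue }
    # Read the setting back: the "Logon hours allowed" line of "net user <name>"
    & net.exe user $name | Select-String 'Logon hours allowed'
}
```

The logon-hour limit only governs Windows logons; it says nothing about whether the machine can be powered up, and it can be undone by anyone who already holds an administrator account, which is why the audit setting is applied first.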
 
Tim Meddick

If you re-read the initial question, you will note that the OP did not say
anything about "securing" the computer, but merely stated: "how to detect
if computer has been turned on?"...

We were trying to answer *that* question!

==

Cheers, Tim Meddick, Peckham, London. :)
 
VanguardLH

Anthony said:
I've looked through the responses so far, and Googled the
issue, but so far have seen no reference to physically
securing the computer. The least bothersome would be to
lock the door to the room the computer is in (maybe in
some cases it would also be necessary to disconnect the
Ethernet cable from the computer). But this is just
Plan A.

Since you're making it sound like the computer(s) are involved in a
corporate environment where domains are established and are used for
login, it's also possible to NOT allow roaming logins. That is, users
can only login to *their* host, not anyone else's. Of course, even with
roaming logins, auditing takes care of watching who logs in and when -
but that assumes you actually have individual logins for each user. If
a user shares their login, well, then they're just as responsible for
someone else using their login.

Is there a reason why you aren't using auditing or assigning unique
logins for EVERY user? If it is a shared host, like at a kiosk or
Internet cafe, why not use Returnil, MS SteadyState, or similar to lock
down the state of the host. Whatever changes the user makes gets wiped
when the host gets rebooted. You still have to disable all bootable
devices other than the hard disk to prevent users from booting from a
Live CD with a different OS.

Plan B: disconnect the computer, and lock it away in a
secure container or room. This has the disadvantage of
needing to connect maybe a dozen cables at the start of the
next week. Does the hazard of unauthorized access outweigh
the hassle of disconnecting and reconnecting?

Why aren't you creating [sysprep] standardized images of the
OS and apps to install on your various hosts? Eventually even an
authorized user will screw over a host and you'll have to restore.

Plan C: in the early days, when most computers were
corporate or research, some machines required use of a
physical key in a lock to turn them on or access their
interiors. Outside the CIA and similar environments,
I don't know whether this _really_ hardware solution is
still available.

Some cases come with a keylock. Alas, those keylocks are such inferior
quality (few pins, easy to pick) that often a key from one case (even a
different brand) would work in another case.

Plan D: analogously to removing a vital engine component
from a car in an environment where theft runs riot,
remove a vital piece of hardware over the weekend.
For high security, this would have to be something
an intruder couldn't simply provide a replacement for.
The main disk drive would be the obvious component,
but a real hassle to disconnect and reconnect. If it's
almost entirely a matter of protecting data rather
than preventing access, make the main disk drive the
site of no more than the most vital software, and keep all
data on a USB-connected external drive which is taken
home by one of the owners of the data or locked away,
perhaps in a safe.

You could always use hotswap drive bays and remove the hard disks.
Then, like a library, whoever wants to use the host has to check out
the hard disk to insert into the bay to use the host.

Plan E: expensive, but replace the computer with a laptop,
and leave it nowhere out of the control of the owner.
Sleep with it if you have to: and watch also _who_ you
sleep with :)

Since you never actually describe what is the need and environment for
controlling the host, all responses will be vague. No one knows what
are really your needs and there are too many physical and software-based
solutions to bother discussing them all.
 
Alonso

VanguardLH said:
If you leave the BIOS configured to allow other bootable devices to be
used to load an OS then that was your choice. If you only want the OS
loaded that's on a hard disk then stop allowing other boot devices to
load a different OS. Configure the BIOS to only allow booting from the
hard disk. If you allow booting another OS using other devices then
obviously Windows XP isn't booting and cannot record anything, could it?
---------

That's Win XP Home. Yes, BIOS was configured allowing booting from the
CD-ROM, I missed this.
If I assume an attempt was made to access the hard drive via booting Linux, is it
possible to determine this somewhere in Windows XP logs?
 
Patok

Alonso said:
---------

That's Win XP Home. Yes, BIOS was configured allowing booting from the
CD-ROM, I missed this.
If I assume an attempt was made to access the hard drive via booting Linux, is
it possible to determine this somewhere in Windows XP logs?

If they booted Linux, and then only looked at the hard drive
contents, but didn't write anything, then no, you can't determine that.
There's no trace left on the HD.
If the computer has a network connection, and it was on when this
booting happened, and if your DHCP server has a log, you may find in
that log, whether that computer asked for an IP address during the
forbidden time period.
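As an added example of the DHCP-log check Patok suggests (not code from the reply itself), this PowerShell script parses a DHCP server audit log and lists every lease event for one machine's MAC address that falls outside its permitted hours. It assumes the Microsoft DHCP Server log layout (comma-separated ID, Date, Time, Description, IP Address, Host Name, MAC Address, with dates as MM/dd/yy); a home router's log will use a different layout, which would go into Parse-DhcpLine instead. The log lines, the MAC address and the hour limits are constructed sample data, not taken from the thread.

```powershell
# Added example, not from the thread: scan a DHCP server audit log for leases
# handed to one machine during the hours it should have been off.
# Assumes the Microsoft DHCP Server log format (comma-separated:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address, dates MM/dd/yy);
# a router's log will need its own line format substituted in Parse-DhcpLine.
# The lines below are constructed sample data, not a real log.
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/13/12,08:02:11,Assign,192.168.1.50,WORKPC.example.lan,001122334455
11,01/13/12,17:31:04,Release,192.168.1.50,WORKPC.example.lan,001122334455
10,01/14/12,02:13:45,Assign,192.168.1.50,WORKPC.example.lan,001122334455
10,01/14/12,09:00:02,Assign,192.168.1.77,LAPTOP.example.lan,66778899aabb
11,01/15/12,03:40:19,Release,192.168.1.50,WORKPC.example.lan,001122334455
'@

$targetMac = '001122334455'   # constructed MAC of the machine that should be off at weekends
$culture   = [Globalization.CultureInfo]::InvariantCulture

function Parse-DhcpLine([string]$line) {
    $f = $line -split ','
    # Skip the header row and anything that is not a complete record.
    if ($f.Count -lt 7 -or $f[0] -notmatch '^\d+$') { return $null }
    New-Object PSObject -Property @{
        When  = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss', $culture)
        Event = $f[3]; IP = $f[4]; Host = $f[5]; MAC = $f[6].ToLower()
    }
}

function Test-ForbiddenTime([datetime]$t) {
    # Forbidden: any time on Saturday/Sunday, or outside 07:00-19:00 on weekdays.
    if ($t.DayOfWeek -eq 'Saturday' -or $t.DayOfWeek -eq 'Sunday') { return $true }
    return ($t.Hour -lt 7 -or $t.Hour -ge 19)
}

$hits = $sampleLog -split "`r?`n" |
    ForEach-Object { Parse-DhcpLine $_ } |
    Where-Object { $_ -ne $null -and $_.MAC -eq $targetMac -and (Test-ForbiddenTime $_.When) } |
    Sort-Object When

"DHCP activity from $targetMac outside permitted hours:"
$hits | Format-Table When, Event, IP, Host -AutoSize
```

With the sample data, 13 January 2012 is a Friday inside the window and produces nothing, while the 14th and 15th are a Saturday and Sunday, so the 02:13 assignment and the 03:40 release for the target MAC are the two lines reported. A live CD normally does ask for a lease, which is what makes this one of the few traces left outside the machine, but a visitor who unplugs the cable or sets a static address leaves none, so an empty result proves nothing.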
 
VanguardLH

Alonso said:
---------

That's Win XP Home. Yes, BIOS was configured allowing booting from the
CD-ROM, I missed this.
If I assume an attempt was made to access the hard drive via booting Linux, is it
possible to determine this somewhere in Windows XP logs?

Dead people cannot write a diary of the weather. How is an OS that
isn't running going to do anything?

Since this is a Home edition of Windows then it's not used in a
corporate environment. In whatever room you left your home PC, lock the
door to prevent physical access. If you must physically share the
computer room with others and it really is your computer then set a
password in the BIOS. No one can load any OS until they enter the
password prompted by the BIOS when the computer is powered up. You boot
the computer, you enter the password, you pass off the computer to
someone else to use. When you don't want the computer used anymore,
walk over to it and power it off. Remember to lock the case so it
cannot be opened to short the 2-pin CMOS clear jumper to wipe the BIOS
back to its factory-time defaults (which won't have a BIOS password
enabled).
 
Paul

Roy said:
The OS wouldn't be able to do anything, but the file system should
modify the timestamp of any files accessed or modified. It wouldn't
matter if it were Win XP, Win7, Linux, Unix or any other OS; if it's
using an NTFS file system that's set up properly, then the timestamp
would be the only indication of unwanted activity.

If you boot with something like a Knoppix 5.3.1 LiveDVD, it mounts NTFS
partitions read-only by default, so not even things like Accessed would
get changed. There are other Linux distros that are sloppy by default
and aren't as careful, in which case, a little hand-crafted read-only
mount can be done. You can then browse the tree at your leisure, make
copies of docs or whatever.

If I suspected someone had been into my machine here, the last thing
I'd do is boot Windows to see. I'd start with the above named LiveDVD,
then have a look around for dates on things that were out of whack with
expectations. Running read-only, you can take your time checking things.

Paul
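As an added example of the timestamp review Roy and Paul describe (not code from either of them), this PowerShell script walks a directory tree and lists every file whose NTFS creation, last-write or last-access time falls on a Saturday or Sunday within the lookback window, after first checking whether the host records last-access times at all. It assumes PowerShell 2.0 or later; the root path and the number of days are placeholders. Directory enumeration reads the timestamps from the directory entries without opening the files, but, as Paul points out, booting Windows itself already churns many timestamps, so the output is most trustworthy when run against a copy of the disk or before the machine has been used much.

```powershell
# Added example, not from the thread: list files under $Root whose NTFS
# timestamps fall on a Saturday or Sunday within the last $Days days, and report
# whether last-access updates are even being recorded on this host.
# Assumes PowerShell 2.0+; the path and the lookback are placeholders to adjust.
param(
    [string]$Root = 'C:\Documents and Settings',
    [int]$Days = 14
)

# XP maintains last-access times by default (Vista and later do not); if this
# registry value is 1, the LastAccessTime rows below are meaningless.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$disabled = (Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue).NtfsDisableLastAccessUpdate
if ($disabled -eq 1) { Write-Warning 'NtfsDisableLastAccessUpdate=1: last-access times are not maintained.' }

$since = (Get-Date).AddDays(-$Days)

function Test-Weekend([datetime]$t) {
    return ($t.DayOfWeek -eq 'Saturday' -or $t.DayOfWeek -eq 'Sunday')
}

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $f = $_
        # Each timestamp tells a different story: creation = new file,
        # write = content changed, access = read (only when it is recorded at all).
        foreach ($stamp in 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
            $t = $f.$stamp
            if ($t -ge $since -and (Test-Weekend $t)) {
                New-Object PSObject -Property @{
                    Time = $t; Stamp = $stamp; Path = $f.FullName
                }
            }
        }
    } |
    Sort-Object Time |
    Format-Table Time, Stamp, Path -AutoSize
```

A weekend LastWriteTime or CreationTime on a user document is the strongest signal here; weekend LastAccessTime rows are only meaningful when the warning above did not fire, and a read-only live-CD mount of the kind Paul describes leaves none of the three changed.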
 
