Cracking Windows security isn't child's play -- even dumb adults can do it.

By Lou Dolinar

Another day, another computer virus, another couple of billion in productivity down the drain. If you're concerned about personal computer security, however, it pays to start worrying about the guy or gal sitting at the desk next to yours -- or your husband, wife, parent or kid.

Why? In the past year or so, there has been a proliferation of simple, easy-to-use tools that crack Windows' mediocre security - provided you have on-site access to the computer in question. Despite any password you put on your PC, everything on it is wide open.

The funny thing is, these aren't really "hacker" tools, though similar stuff has been circulating in the online underground almost as long as Windows has been around. Rather, most of these user-friendly programs are intended for use by system administrators who need to get back on a PC that's locked with a password. You know the scenario: Bookkeeper John Doe keels over with a heart attack, and is survived by an XP computer that holds accounts receivable locked up with a 14-digit alphanumeric code. Obviously, management has to get in to recover the data, and just as obviously programs like this have their place.

The flip side, however, is that increasing amounts of personal information are held in corporate settings. John Doe's secretary probably accesses her bank, credit card and brokerage accounts on the office computer - not to mention personal mail and caches that reveal Web-surfing habits. A data thief could make a very nice living cleaning offices and accessing that data with a password-recovery disk overnight. A similar situation prevails in the home -- a home burglar could probably steal more money by accessing your online banking program than by heisting the family silver.

How do these disks work? Most of the freebies are based on the Linux operating system, stored on a bootable CD.
Insert the CD and restart the computer, which loads Linux and disables Windows, which would otherwise block all the operations needed to beat its security. Linux can now view, and alter, files on the disk containing Windows. (In a pinch, any CD-bootable Linux distribution, including Knoppix and DSL Linux, can access Windows data on your hard drive, though it won't reset the Windows password.)

Password recovery disks, however, differ from standard Linux distributions in that they contain a utility that finds Windows account names and password files. You're prompted as to which account you want to change, and it overwrites the relevant files with new ones, containing a new password you select. You never learn the original password, which is in an unreadable form, but then you don't need it.

About the only downside here for the potential spook is that the password is, in fact, changed, and the original user will know something fishy is going on when the old password doesn't work. Some of these programs, however, can stealthily back up the original password data, then restore it after their user does his thing, thus removing all electronic fingerprints.

There's a lovely little monster at www.loginrecovery.com that will actually crack the password. You download a file to disk from the site, then insert it into the target computer, then reboot the computer. The program does its thing, and extracts the relevant password files, which you then load back up to the loginrecovery site for decryption. I'll leave it to your imagination what that firm could do with the information you've sent them.

As for the disk-based stuff, Dan Petri has the definitive list at http://www.petri.co.il/forgot_administrator_password.htm.
The official Microsoft method, which assumes you're a legit system administrator and have set up a recovery disk, is here: http://support.microsoft.com/?kbid=321305

I've played with some other programs on my own systems and on those belonging to a professionally administered network. Austrumi (http://cyti.latgola.lv/ruuni/index_en.html) is kind of neat in that it is a full version of Linux, with scads of network tools as well as a password cracker. With Peter Nordahl's cracker (http://home.eunet.no/~pnordahl/ntpasswd/), once you've downloaded the relevant files and created a boot CD or floppy disk, it takes all of about five minutes to break Windows security. You can then do anything with the computer the original user could, even send out e-mail in your boss' name or transfer funds from the bank if the account number and password have been saved with a cookie, as they often are.

How can you protect yourself from someone using an administrative password reset tool? One moderate form of protection is to block your PC from starting up with a floppy disk or optical disc. In high-security environments, the paranoid may go as far as physically removing these drives. More realistically, you can disable the ability to boot from these drives while still allowing read-write access.

Go into your BIOS (basic input-output system built into your computer's hardware) as you start your computer, usually by holding down the delete key, or whatever else is specified on your startup screen before Windows loads. You'll have to fish around the menus to find the appropriate entries. In my Award BIOS they're under Advanced Features. In a rather numbingly nonintuitive menu, there are entries for "First Boot Device," "Second Boot Device," etc. What this does is tell the computer which of your drives to check first for the operating system on startup. If you set the first boot device as your CD drive, for example, it will be able to start from a password reset CD.
If you make your hard drive the only boot device on all possible entries, you're reasonably safe. What if someone wants to change that setting? You have to lock them out of the BIOS, too. The BIOS should have its own password; again, you'll have to scour the menus to find where to create it. Note that this doesn't affect Windows, only access to the BIOS.

There is, unfortunately, a way around this moderate level of security. Your BIOS has factory default settings, and these are always set to no password; otherwise you could rather easily lock yourself out of your own PC. Every motherboard I've ever owned allows you to return to the factory state by shorting a small jumper on the board. Of course, you have to open the computer case and know where the jumpers are, but it is pretty straightforward otherwise to get rid of the password and into the BIOS. For a final layer of physical security here - how retro - put a lock on the case.
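
The boot-order advice above, carried over to a current UEFI machine as an added example (not part of the original column): a Python check that parses `efibootmgr -v` output and lists every active boot entry that is not a fixed disk. The sample output is constructed, and the device-path substrings used for classification are assumptions about how typical firmware names its entries.

```python
import re

# Constructed sample of `efibootmgr -v` output (illustrative, not from a real machine).
SAMPLE = """\
BootCurrent: 0000
BootOrder: 0003,0000,0002,0001
Boot0000* Windows Boot Manager\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)
Boot0001  UEFI: PXE IPv4\tPciRoot(0x0)/Pci(0x1c,0x0)/Pci(0x0,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,0)
Boot0002* UEFI: DVD Drive\tPciRoot(0x0)/Pci(0x17,0x0)/Sata(1,65535,0)/CDROM(1,0x2c,0x1680)
Boot0003* UEFI: USB Stick\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)/HD(1,MBR,0x1234abcd,0x800,0x1d00000)
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")

def classify(device_path):
    """Map a UEFI device path to a media kind. USB is tested first because a
    USB stick's path usually also contains an HD(...) partition node."""
    if "USB(" in device_path:
        return "usb"
    if "CDROM(" in device_path:
        return "optical"
    if any(tag in device_path for tag in ("MAC(", "IPv4(", "IPv6(")):
        return "network"
    if "HD(" in device_path:
        return "fixed-disk"
    return "unknown"

def audit_boot_order(text):
    """Return (position, boot_id, label, kind) for each active BootOrder entry
    that is not a fixed disk, i.e. each place a reset disc could be started."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [i.strip().upper() for i in line.split(":", 1)[1].split(",") if i.strip()]
            continue
        m = ENTRY.match(line)
        if m:
            label, _, path = m.group(3).partition("\t")
            entries[m.group(1).upper()] = (m.group(2) == "*", label.strip(), classify(path or label))
    findings = []
    for pos, boot_id in enumerate(order):
        active, label, kind = entries.get(boot_id, (False, "", ""))
        if active and kind != "fixed-disk":  # inactive entries are skipped by firmware
            findings.append((pos, boot_id, label, kind))
    return findings

if __name__ == "__main__":
    for pos, boot_id, label, kind in audit_boot_order(SAMPLE):
        print(f"BootOrder[{pos}] Boot{boot_id} {label!r}: {kind} media can boot")
```

An empty result means only fixed disks are in the active boot order; it says nothing about whether the firmware setup itself is password-protected, which the column treats as a separate step.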