Strange hole in security

bimmaman · 28 Nov 2009

Hi

I have recently installed Windows 7 on my PC, which is used by myself and the kids. I set myself up as administrator, and the kids account as standard user. Now I am used to Windows XP (never had anything to do with Vista), where the administrators files are private, but the administrator can see all files of all users. Win 7 doesn't seem to do this tho, but even more worryingly I found the weirdest security hole (or should I say my 12 year old daughter did).

If logged on as kids (standard user) they can go to the user accounts settings in control panel, and change my password for administrator (without entering any password). Then they just log in as me, and change their account to administrator

... Strangely though, if I wish to change my own password, I have to enter my current password.

This cant be right can it??

Sorry for waffling, but this had got me completely miffed

logicearth · 28 Nov 2009

Sounds more like a configuration error. Was UAC on? Did your user account have a password to begin with? Seems awfully strange, I'll look into it on some test machines.

mushroomboy · 28 Nov 2009

Seems as somebody make themself an admin! If your an admin you can change any password without using one, that's why your admin. So whoever is admin can do whatever, it's done so if a person changes their password but can't remember an admin can still change it. And that applies to other admins, I know but think of any admin account as the ultimate user. You should change user settings and set restrictions, although if your kids can burn a CD they can get admin rights no matter what.

3 Ways to Reset Forgotten Windows Administrator Password

It's just that easy. What do you do? You put in a password for bios settings and disable the ability to boot from any external source other than HDD.

Lordbob75 · 28 Nov 2009

I also recommend Parental Controls. Use them.

~Lordbob

bimmaman · 30 Nov 2009

Thanks for the replys!

I finally got to the bottom of the problem - I had disabled the UAC completely - I hate it when it pops up asking if I want to do something, when I obviously do. Anyway, I enabled it again, and now if someone tries to change my password, it asks for my password :)

Sorted!

Jacee · 30 Nov 2009

Sometimes you have to live with the UAC setting if you want to keep your computer 'clean' and free of other users changing your settings

It's really all good.

Barman58 · 30 Nov 2009

If I am performing a lot of system configurations and installations I will turn off the UAC, (temporarily and after disconnecting from the Network/Internet).

Otherwise I run with it on the default, (one down from top), and find that it is not too intrusive.

I also switch to maximum setting if I am leaving the machines in the use of someone else

AngelProcesser · 30 Nov 2009

My guess in that the changes were done by knowing your password and/or if you shared the files in question and in doing so gave users access, they have access. I am sure that even when the UAC prompt is set to it's lowest level that a user cannot change an admin password unless they know your current password or have had physical access to your account (like when you walked away when logged in for a minute). To prevent this (it's more common than parents want to realize) use MS Key + L always when you have to walk away for a minute to lock your account and do not allow user switching. This is good when you want to limit users use of he PC also.

bimmaman · 15 Dec 2009

Swanson Photos said:

My guess in that the changes were done by knowing your password and/or if you shared the files in question and in doing so gave users access, they have access.

Nope, there were 2 user accounts - my own, and "kids" but when the kids logged on, they could access the user accounts set up, and change my password. It never prompted them even to enter my old password first! Anyway, it's all sorted now, so I'm a happy bunny :)