Solved: Windows Firewall rules

readysteady101

Hello. I'm attending college and all students have admin rights on Windows 7 PCs. Some people are abusing this by accessing others' machines and wreaking havoc :mad:. It started out as a bit of fun but the joke is getting old. What rules in Windows Firewall can be used to block unwanted access, given that all have admin rights? Thanks for help :D
 

Hello Jacee, and thanks for your reply. I know how to set rules... but I don't know what rules to set. I'm not trying to block a programme, just interference from other people with the same admin rights in the same domain. Your tutorial doesn't go anywhere near this, but thanks all the same.
 

You might want to discuss this with your College IT person.

Let them know what's going on in the Domain you're connected to. No one has the right to bypass a firewall and snoop in your computer.
 

Hello again... that was quick :D. Other users changing, renaming and rearranging things in other people's operating systems. Incredibly childish and really annoying. Windows Firewall is on with "recommended settings" in all cases, but it's not doing the trick. Again, all have admin rights, which I suppose is part of the problem, so is it possible to tighten security on the local machine against external interference? Thanks again.
EDIT: Two ways this is being achieved (that I know of). Under "Network" in Explorer, all machines are listed; can access some by typing "\c$" after the machine name. Also, in regedit, file\connect to remote registry. These are just two ways of exploit. Can Windows Firewall block these? Thanks again
 
One point to note here. If you set the firewall rules and another user enters the computer as an admin (locally, not through the network), he will effectively be able to disable whatever protection you may place if they know how to do so, since admins can change the rules you set or disable the firewall. With standard users that won't be possible.
 

@Alejandro85, since I'm not familiar with Domain Network access (with all users as Administrators), would a password be possible to set up on this computer to prevent others from manipulating it?
 

@Jacee, thanks for digging that up, may well be useful, but I have questions regarding this service. If it's stopped, will it allow tutors to still place live questionnaires on my machine? They do this for the whole group. @Alejandro. Thanks for advice, we do change passwords and account names regularly, but need to change back to standard issued ones to gain access to shares and the remote questionnaires... I know this is a flaw and leaves us open to abuse by what I think is a couple of idiots... but there is more than a little knowledge of hacking here. I talked to one student who is quite into this but am convinced she is not the culprit... problem is, she likes to brag about the hows and means to gain access and in my opinion that's where the problem lies. One more question. I've spent a little time looking into "netstat", is there any way to record netstat output over a period of time... it seems to me it could be useful, but only if it's activated at precisely the right time of access... if you know what I mean. Disabling the server service might be of use as long as it isn't too restrictive. Thanks once again to you both.

EDIT: I am still very reluctant to bring this to an instructor as it may actually result in people being thrown out of the course...would much rather keep that as a last resort, so, was looking at netstat to try and gain proof and maybe confront the person or persons responsible informally and hopefully put an end to it amicably. Thanks again.
 

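One way to record netstat over a period of time, as asked in the post above, is a small polling script; this is an added example, not code from any poster in the thread. It runs on the PowerShell 2.0 that ships with Windows 7. The log path, the 5-second interval and English-language netstat output are assumptions, and TCP 445/139 are the SMB/NetBIOS ports that carry both the `\\machine\c$` share access and the remote registry connections mentioned earlier.

```powershell
# Added example: log when inbound SMB/NetBIOS sessions open and close.
# Assumptions: log path, poll interval, English netstat output ("ESTABLISHED").
$LogFile  = Join-Path $env:USERPROFILE 'inbound-smb-sessions.csv'
$Interval = 5            # seconds between polls
$Ports    = @(445, 139)  # SMB and NetBIOS session service

function Get-InboundSession {
    param([string[]]$NetstatLines, [int[]]$LocalPorts)
    foreach ($line in $NetstatLines) {
        # Data rows look like: TCP  <local>:<port>  <remote>:<port>  STATE  PID
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        $localPort = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
        # Keep only sessions where this PC is the server side of the connection.
        if ($LocalPorts -notcontains $localPort) { continue }
        New-Object PSObject -Property @{ Local = $f[1]; Remote = $f[2] }
    }
}

if (-not (Test-Path $LogFile)) { 'Time,Event,Local,Remote' | Set-Content $LogFile }
$seen = @{}
while ($true) {
    $now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $current = @{}
    foreach ($s in @(Get-InboundSession -NetstatLines (netstat -ano) -LocalPorts $Ports)) {
        $key = '{0},{1}' -f $s.Local, $s.Remote
        $current[$key] = $true
        # Write a row only when a session first appears, not on every poll.
        if (-not $seen.ContainsKey($key)) { "$now,OPEN,$key" | Add-Content $LogFile }
    }
    foreach ($key in @($seen.Keys)) {
        # A session seen last poll but missing now has ended.
        if (-not $current.ContainsKey($key)) { "$now,CLOSED,$key" | Add-Content $LogFile }
    }
    $seen = $current
    Start-Sleep -Seconds $Interval
}
```

A session that opens and closes between two polls is not recorded, which is the timing limitation the post describes; a shorter interval narrows the gap but does not remove it.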
@Jacee, thanks for digging that up, may well be useful, but I have questions regarding this service. If it's stopped, will it allow tutors to still place live questionnaires on my machine?......
Yes, it would stop tutors from being able to place files, links, whatever on "your machine". Is the computer that you are seeking to protect your personal property or is the computer owned by the school?


....@Alejandro. Thanks for advice, we do change passwords and account names regularly, but need to change back to standard issued ones to gain access to shares and the remote questionnaires.....
You can gain access to files on a share that requires your domain username and domain password (domain credentials) without signing onto your computer with those same domain credentials. But, signing on to your computer with a different set of credentials does absolutely nothing to prevent the types of remote connections you are having trouble with. The best protection is to take the computer out of the domain >>> but doing so will prevent tutors from being able to place files, links, whatever on "your machine".


.........One more question. I've spent a little time looking into "netstat", is there any way to record netstat output over a period of time... it seems to me it could be useful, but only if it's activated at precisely the right time of access... if you know what I mean.....
If you mention "exploits" like you did in post #5, then that makes it easy for people to find this info and play tricks on other users. It could be argued that the two things that you mentioned are well known... but it is hard to discuss stopping pranksters without giving out at least some info on how to pull off the prank. (See item 6 here.)


~~~
EDIT: I am still very reluctant to bring this to an instructor as it may actually result in people being thrown out of the course...would much rather keep that as a last resort, so, was looking at netstat to try and gain proof and maybe confront the person or persons responsible informally and hopefully put an end to it amicably. Thanks again.
There are tools that could shut this activity down, but you would have to know so much about your network and the things that you need to allow to happen that it just is not worth your time. You are better off asking IT to look into things for you. They should have a record of every computer and username that connected to any other computer using the domain credentials.


If you are correct...
...if there is a domain group for students
...and that domain group has been added to the local admin group on your computer
...then you have a big problem!

But it is also possible that the other students are not admins on the computer that you use. It could be that the computer is simply not secured for the type of network that it is on. Again, it is a problem for us to try and tell you how best to secure the computer, because doing so could break some process that your school needs to have happen (like putting files on the computer). You can set your network type to Public (if you have not already done so). This will not keep admins out, but it would be a start toward securing your computer.
 

Hello UsernameIssues, and thanks for giving this your time. Firstly would like to apologise for mentioning "exploits", wasn't aware of rules so my bad and hope no damage done. We don't have issues with people logging in locally on the PCs, just across the network, although it wouldn't be a problem for anyone as all credentials are the same. And yes they are all school machines. Everybody in the class is in the manually activated admin accounts with same username and passwords... for convenience. So yes, a real headache. Not ready to escalate this to the next level yet, would really like to nail down some absolute proof and take it from there. Stopping the server service, as mentioned by Alejandro, might not be the worst idea if there is no better solution, as we could activate/deactivate service with a batch file... does that make sense? I'm pretty sure we're on a Domain Network, so changing those settings may be difficult. When I started this thread I was, maybe naively, hoping there might be a simple Firewall setting or failing that an appropriate way to log unwanted connections but it's starting to seem a little bit more complicated than that. Thanks again for your time :)
 

....We don't have issues with people logging in locally on the PCs, just across the network....
Just to make sure that you understand. If you log on using a local user account and a locally stored password, the pranks from a remote computer can still occur. Even if you create a new local user account and a new local password, the pranks can still occur.



...And yes they are all school machines...
Then that makes much more sense. The school IT staff can do whatever they want with the school's computers. You could get in trouble by installing stuff to prevent connections because you might prevent good connections too.



....although it wouldn't be a problem for anyone as all credentials are the same....
Having the local credentials be the same is not that unusual for computers joined to a domain, but hopefully each student has a unique domain username and password.



......Stopping the server service, as mentioned by Alejandro, might not be the worst idea if there is no better solution, as we could activate/deactivate service with a batch file... does that make sense?...
There are lots of good things that the server service is used for on a domain. If you know when tutors need to put files on the computer, then I guess that you could turn it back on for a while. But you need to understand that there will be a record of when you turned it off. And depending on what all is being checked by compliance scripts, that record of the service being turned off might be sent to a server.



...Not ready to escalate this to the next level yet, would really like to nail down some absolute proof and take it from there....
If you stop the server service, you won't be able to know what other computer connected... well, at least not without some real geeky tools.



....I'm pretty sure we're on a Domain Network, so changing those settings may be difficult....
It does not matter much to the pranksters if you are on a domain or not. If students know the local admin account passwords, then this kind of stuff will continue to happen. It does not sound like the IT staff has too much locked down. You can probably disable the service (which will disable other services automatically). I just would not risk doing it to a computer that I did not own.



...Not ready to escalate this to the next level yet, would really like to nail down some absolute proof and take it from there. ~~~~~~~ When I started this thread I was, maybe naively, hoping there might be a simple Firewall setting or failing that an appropriate way to log unwanted connections but it's starting to seem a little bit more complicated than that...
Yes, it is pretty hard to track stuff back to a student when everyone knows local admin credentials.



....... Thanks again for your time:)
You are welcome.

Out of curiosity:
Do these computers have the network type set to Public?


You might want to put this onto a USB flash drive and do a quick scan of a computer before using it.
 

Hello again. The first thing I wanted to get straight was yes, all students do have the exact login name and password. I know it seems ridiculous but there you have it... it's just asking for trouble. This is why my hopes are more about tracing... I would like to be able to block, but that doesn't seem realistic... or is it? Would setting firewall to public be of use? Anyway, thanks again, input is very much appreciated.
 

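For the tracing asked about above, the PC's own Security log is another place to look: Windows records a connection made over the network as event 4624 with logon type 3, together with the address it came from. The script below is an added example, not from any poster in the thread; it assumes success auditing of logons is enabled and that it is run from an elevated PowerShell 2.0 prompt, and the 7-day window and output path are illustrative.

```powershell
# Added example: network logons recorded in this PC's Security log.
# Run from an elevated prompt. Assumptions: 7-day window, output path.
$Since   = (Get-Date).AddDays(-7)
$OutFile = Join-Path $env:USERPROFILE 'network-logons.csv'

# SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} -ErrorAction SilentlyContinue)

$logons = @($events | Where-Object {
    # Properties[8] = LogonType; 3 = network (file share, remote registry).
    $_.Properties[8].Value -eq 3
} | ForEach-Object {
    New-Object PSObject -Property @{
        Time        = $_.TimeCreated
        Account     = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
        Workstation = $_.Properties[11].Value   # name the client reported
        SourceIP    = $_.Properties[18].Value   # address the logon came from
    }
} | Where-Object {
    # Drop logons that originate on this machine itself.
    @('-', '::1', '127.0.0.1') -notcontains $_.SourceIP
})

# Full timeline, oldest first, for comparison against when changes were noticed.
$logons | Sort-Object Time |
    Select-Object Time, Account, Workstation, SourceIP |
    Export-Csv -Path $OutFile -NoTypeInformation

# Per-source summary: with a shared password the account name identifies
# nobody, but the workstation name and source address still differ.
$logons | Group-Object SourceIP, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Anyone with admin rights on the PC can clear the Security log, and the workstation name is whatever the client reported, so the source address is the stronger of the two fields.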

Thanks again UsernameIssues. Just got this now. I'm interested in your comment about "removing from local admin group", so without real knowledge have googled this, but only seem to find results relating to removing the account altogether. I'm pretty sure this is not what you mean? Can you point me to a tutorial? Thanks again, and sorry for extra request.
 

No, you don't want to remove the account, just change its membership. That said, you really need to know what you are doing before making such changes. I had hoped that you would ask IT for help doing this. It should stop the remote pranks... at least the ones that require admin rights.

I can tell you how to remove this student group account from the local admin group - that is easy. It is putting the account back in that might not be so easy. I don't know enough about your school's network to give you those steps.

Again, it is best that you ask IT if you can make these changes. Then let them show you how to make them. They might ask why, so just tell them. You don't have to mention any names of students. Just tell them that you want the pranks to stop. You will probably find that most things work just fine on the school computer(s) that you are using without being an admin.
 

Hello again and thanks for sticking with it. It seems I was not the only person looking for a solution to this issue, and today, IT removed three user accounts from the domain, which effectively removed three students from the course for "inappropriate behaviour on the network". The girl I mentioned earlier who had some hacking knowledge but, in my opinion, not the mischievous streak was not among the three and I'm really glad about that, but very surprised at two of the others. It seems you don't really know people, or how they will act when they think they can remain anonymous, and although still sorry to see them go, they were acting like jerks of their own free will. So, I would like to wrap up this thread by thanking you UsernameIssues, Alejandro and of course Jacee for all your time and support. Best of luck to you all and thank you, Readysteady :)
 
