How to prevent Employee from Bypass / Bridge Administrator Password to Install unauthorized software & Torrenting?

[DaveMedan]

So, apparently 2 of our employee manage to bypass our Admin password and install torrent software to Company's PC.

There are two local user:

1. Administrator with password - they supposedly don't know.  

2. User with password - they use this one.

 

Even though they already sign the User Agreement for company PC.

They confess that they ask 3rd party (outside of our organization) : ex employee and their kids to do it.

Either they know the Admin password or they find a way to bypass it.

From Google Search this what I found:

https://itoolab.com/windows-password/how-to-bypass-admin-password-windows-10/#:~:text=Method 1%3A Bypass Admin Password Windows 10 Using Lusrmgr&text=msc” in the Run bar,admin account without any software

 

How to prevent them next time from doing it again?

Should we just use M365 Business Account to log them?

 

Thanks

 

 

 

 

[lieder1987]

You mean ex employees?

[Blqckqut]

fire them or tell em to not do it lol

[Vishera]

A lot of corporations use Employee Monitoring Software to deal with such issues.

After all it's a corporate computer - not a personal one.

 

The Best Employee Monitoring Software for 2023:

https://www.pcmag.com/picks/the-best-employee-monitoring-software

[DaveMedan]

On 3/23/2023 at 7:06 PM, Blqckqut said:

fire them or tell em to not do it lol

We made them sign the NDA, the GDPR treatment, and security paper work for them to sign. 

The other way that we haven't tried is to implement Login using Microsoft 365 Business or Enterprise account (we might plan to subs)

[DaveMedan]

On 3/23/2023 at 9:24 PM, Vishera said:

A lot of corporations use Employee Monitoring Software to deal with such issues.

After all it's a corporate computer - not a personal one.

 

The Best Employee Monitoring Software for 2023:

https://www.pcmag.com/picks/the-best-employee-monitoring-software

We don't want to monitor them too much, we want to give them flexibility for productivity. We want more toward their self awareness

[Alan G]

On 3/23/2023 at 8:06 AM, Blqckqut said:

fire them or tell em to not do it lol

It's harsh, but it's more or less standard procedure to outline employee responsibilities with corporate supplied computers as to what is allowed.  This was the case where I worked (been retired for a while now).  We were not permitted to install any software on a corporate PC other than a web browser of choice.  Certainly what the OP describes would have resulted in a firing for violating company policies.

[tech.guru]

So the best way?   *

1. go into bios; set password
2. lock down boot options disable cdrom and usb boot
3. turn on Secure Boot
4. enable TPM module
5. Setup GPO to turn on credential guard / Security Features
6. Enable bitlocker and encrypt drive
7. Change password; consider LAPS for unique admin per machine

First:

Bios options prevent cold boot attacks. Typical linux boot cdroms mount file system offline and rely on boot options being changed.

 

Second: Credential Guard 

Prevents secrets discovered in memory. Seperates credentual processes in a harded isolation env using hyperv

 

Third: Encryption 

Prevents someone taking disk drive out and mounting the SAM hive to reset the password 

Disk can only be read with TPM secrets stored on same workstation

 

Fourth:LAPS

Makes local admin passwords unique and temporary so if somehow password gets known can not be used by another machine. Sometimes local passwords get discovered or leaked by your admins.

 

Hope this helps

 

[tech.guru]

This only prevents admin accounts access not unauthorized programs from running.

Most torrents programs run without admin permissions 

 

Consider using in addition applocker to either

   Best: whitelist only approved programs

   Better: deny known unauthorized programs (like bit torrent programs)

 

Consider also only allowing programs with code signing signatures

These steps will also help prevent malware and ransomware

[DaveMedan]

5 hours ago, tech.guru said:

So the best way?   *

1. go into bios; set password
2. lock down boot options disable cdrom and usb boot
3. turn on Secure Boot
4. enable TPM module
5. Setup GPO to turn on credential guard / Security Features
6. Enable bitlocker and encrypt drive
7. Change password; consider LAPS for unique admin per machine

First:

Bios options prevent cold boot attacks. Typical linux boot cdroms mount file system offline and rely on boot options being changed.

 

Second: Credential Guard 

Prevents secrets discovered in memory. Seperates credentual processes in a harded isolation env using hyperv

 

Third: Encryption 

Prevents someone taking disk drive out and mounting the SAM hive to reset the password 

Disk can only be read with TPM secrets stored on same workstation

 

Fourth:LAPS

Makes local admin passwords unique and temporary so if somehow password gets known can not be used by another machine. Sometimes local passwords get discovered or leaked by your admins.

 

Hope this helps

 

I see

[DaveMedan]

5 hours ago, tech.guru said:

This only prevents admin accounts access not unauthorized programs from running.

Most torrents programs run without admin permissions 

 

Consider using in addition applocker to either

   Best: whitelist only approved programs

   Better: deny known unauthorized programs (like bit torrent programs)

 

Consider also only allowing programs with code signing signatures

These steps will also help prevent malware and ransomware

Interesting, Will try this one