I worked today with our teacher who logged me into a computer as admin. We had a task that required admin rights. A few seconds later he was talking to other students in our classroom, but I was able to reset the administrator password with lusrmgr.

1. Was the teacher right to do this (is it a critical problem)?


2. If he was not right, what could be a better option?

Was the teacher right to do this?

Yes and no. One might be tempted to say that giving a student administrative rights is highly problematic, and leaving them unattended even more so. And to some degree, I even agree with it. You may have added a new administrative user, changed the admin credentials, installed a rootkit or more.

But...

Acting maliciously would not have been without consequence to you. It's very likely that the teacher recalls giving you specifically administrative rights, and at what time. If in this very specific time window, something were to happen to that computer, the school can easily identify you as the malicious actor.

What consequences could there be? That depends entirely on what you did. Changing the local admin credentials could be considered a mere prank, and could probably be reversed by the domain admin. The damage would not be too high, but you could face detention.

If you were, for instance, to install a rootkit, then the school could claim you acted maliciously, with an intent to circumvent their security and to damage their systems. Arguing against that, when you installed what is essentially malware on their system, is going to be very difficult. It could be considered willful damaging of school property, and you could be expelled from school.

If you were to act even more destructive, by running malware designed to damage the hardware (e.g. hypothetically by overclocking the CPU to 12 GHz and disabling any self-preserving safety measures), then the school may even sue you for damages, in addition to expelling you.

Doesn't this imply that the teacher is at fault for providing me admin rights?

No. The teacher gave you administrative authorization to perform a very specific task. That does not give you the right to perform any task, even if you technically had the capability to do so.

If my friend were to give me the key to his house to watch over his dog, this does not authorize me to take anything from his house, or to install cameras everywhere - even if I was technically capable of doing so.

Can this not be considered a penetration test?

"I was just testing the security of my school's computer systems."

No, it's not a penetration test. A penetration test requires the entity, who owns the system, to explicitly consent to the penetration test. A teacher providing you with administrative access to fulfill a specific task is not explicit consent for a penetration test.

What could the teacher have done differently?

Depending on the length of the task you were supposed to carry out, the teacher could have stayed with you and revoked your administrative access after you were done.

Given what was stated above, the teacher had a reasonable expectation that you would not act maliciously, which seems to have been misplaced.

The teacher logged me in as administrator for doing a short task, is the whole system now compromised?

No.

but I was able to reset the administrator password with lusrmgr.

Now it is, congratulations, you have performed a criminal activity.

Was the teacher right to do this (is it a critical problem)?

You haven't stated what the task was that you were supposed to perform, so no one can tell you this. If you're looking for validation or an excuse for your behaviour, then no, you decided to betray this teacher's trust. In normal circumstances it should be possible to trust a student and you have proven you can't be trusted.

If he was not right, what could be a better option?

It's always better to not give access if it's not necessary, but when it is necessary then it should be given to someone who can be trusted. This teacher apparently trusted you. You have betrayed that trust and you are wrong here. If I need to fix a bug in my company's software and I need database access for that, it will be given to me in good faith. If I decide to destroy the database, or even just change the password, than I am the one in the wrong, not the person who gave me access.

Not that I would call what you did hacking, but I want to borrow some terms from the hacking scene. There are white hats, gray hats and black hats. White hat hackers are penetration testers, they provide a service to a company that they are getting paid for by that company. It is their job to try and break into a system and they will log any paths they find, they work with the intent to improve the system's security. You are not a white hat hacker.

Gray hat hackers do something similar, but without the company's knowledge. They will find exploits and security breaches on their own using a regular user's interface. Often they report anything they find to the relevant companies, sometimes they threaten to release their findings to the public. They still want to protect users but they don't do it with the company's consent. You are not a gray hat hacker.

Black hat hackers are criminals, they break into systems with malicious intent, they try to steal data or they think it's funny to destroy a company's system. These people don't care about users, they don't care about the company, they care about themselves. If what you did could be called hacking, you would be a black hat hacker.

I would recommend you think about what exactly it is you wanted to accomplish. Did you want to test the school's security? Was your intent to expose this teacher's security practices? In that case you are still in the wrong because of your approach, but you might find it interesting to start reading up on penetration testing as a career, clearly you get a kick out of it. If your intent was malicious, I really don't know what to tell you except grow up, what you did was wrong and no amount of mental gymnastics is going to make the teacher the bad guy. You took an action that is not allowed, you abused the trust put in you and you are the one in trouble if anyone finds out.

It's a mix of many factors, and two main ones are trust and responsibility.

1. Teacher did valuable amount of trust to you as a partner to perform that job. This is nothing exceptional. Let say, staff from consulting company (A) can be granted with admin rights on a server(s) belonging to another company (B) if business situation requires it (even an access to classified info, like Edward Snowden had). However, usually companies formalize such trust relations with NDA and all other legal staff to share responsibilities in case of a malicious act.


2. Your intended responsibility was to do the job and nothing more. Stepping out of the scope moves us to ethical problems. Changing passwords, even snooping over the file structure - this is all about ethics in this situation. "Blame me once - shame on you."

And stepping back to your title question: yes, the system to be assumed as compromised even if you had tweaked nothing.

What could the teacher have done differently?

The obvious answer is that the teacher should have used elevated permissions/user access management to run only what needed to run with elevated permissions, rather than logging in with an admin account. It's not foolproof*, but done correctly it would have limited the amount of damage you could do.

It's also just a good all around practice that everyone should do. With modern operating systems, there's not much reason to ever login with an admin account.

*Not foolproof: If you get someone to run a command line with elevated privileges, you can do quite a lot of damage. So you do still have to apply critical thinking to what you're doing, rather than automatically running things elevated.

You should really divide your question into two parts:

I worked today with our teacher who logged me into a computer as
admin. We had a task that required admin rights. [removed]

1. Was the teacher right to do this (is it a critical problem)?


2. If he was not right, what could be a better option?

You already have answers on what to do (two possibilities: either he trusted you and let you run the relevant commands and, again, trusted you to log off; or watch you doing this (maybe not because he was not trusting you, but because you were not experienced enough).

Which brings us to ...

A few seconds later he was talking to other students in our classroom,
but I was able to reset the administrator password with lusrmgr.

Sorry for the wording, but this is a dick move. You just shown that you are not mature enough to be entrusted with anything serious.

He trusted you, you tried to be "smart" and now you are done.

Please save yourself some shame and just plainly apologize. Please, do not bring on the table reasons such as "penetration testing" (except if you were hired to do one, but then the fact you are asking the question shows that the choice was a bad one))