[cspackler]

"Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly."

"I don't see it, even with the "mostly" caveat tossed in."

If you can get physical access to a windows machine, there are some cute tools to crack every password on the system. The only guard against these is to enforce complex passwords that have no patterns. Simple passwords can be cracked in seconds, complex take forever. The beauty of Windows...

[Southack]

"The only guard against these is to enforce complex passwords that have no patterns."

Nonsense. Bank account holders are protected by a simple 4 digit PIN for a password, yet gaining full physical access to an ATM won't help you crack open and debit all the account holders of the entire bank.

Hmmm... Simple password, but secure system. Wow, that must be an **architectural** solution to a security problem as opposed to a simple tactical solution!

To paraphrase Star Wars, "Use the network, Luke"! Secure the network. Put critical data on your secure system. Put worthless or trivial data on your vulnerable PC's.

Get the picture?!

[Ramius]

I have a tool that, if you can boot on it, will crack all the passwords complex or otherwise on a windows, NT, 2K or XP box. That's why we don't rely on local windows hashes to protect networks.

Network managers need those tools though, to get *back* into machines when the @#$%@#$ user has flummoxed the whole thing up while they were drunk in their hotel room.

And just for the record... give anybody worth their salt physical access to a unix or linux box and they'll own that one too. It ain't a windows thing. It's a computer thing. Systems Security doesn't mean cutting off all possible access once you have physical control of the box. You wouldn't want that, even if you could get it.