Skip to comments.
XP passwords rendered useless
Brian's Buzz ^
Posted on 02/15/2003 2:52:07 PM PST by per loin
By Brian Livingston
Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.
Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
- The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.
- Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.
When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.
My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.
To send me more information about this, or to send me a tip on any other subject, e-mail me at Brian@BriansBuzz.com with "tip" in the subject.
TOPICS: News/Current Events
KEYWORDS: computersecurityin
Navigation: use the links below to view more comments.
first 1-20, 21-28 next last
1
posted on
02/15/2003 2:52:07 PM PST
by
per loin
To: per loin
Wow. (Don't know why I'm surprised, but this must rank right up there with Microsoft security flaws.)
2
posted on
02/15/2003 3:02:48 PM PST
by
NYS_Eric
To: NYS_Eric
"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
I have to admit, they have a point. If you don't have physical security you don't have any security at all...
3
posted on
02/15/2003 3:10:53 PM PST
by
TSgt
("Put out my hand and touched the face of God.")
To: NYS_Eric
Back in the old days of Unix, you could book up a machine in single user mode, rahter than multi user, the machine came up sans password, you had access to all the ect/passwd (?) files. Came in handy if you were a field service tech working on a machine who wasn't an admin. You physically have to secure a machine to protect the security.
Many corporate boxes, have no floppy or cd, to prevent this sort of thing, of course USB ports....
4
posted on
02/15/2003 3:21:38 PM PST
by
Leto
To: MikeWUSAF
This will not let them on your network, either. The best they could get is administrator of the local machine.
To: per loin
Just goes to show you that nothing's ever truly secure.
As a network admin, I'm more worried about people breaking through my firewall than breaking into my building. But that's what alarm systems are for...
6
posted on
02/15/2003 3:21:48 PM PST
by
Jinjelsnaps
("Time flies like an arrow, fruit flies like a banana" - Groucho Marx)
To: per loin
I'm no lawyer . . .
But as I understand it . . .
Microsoft advertised XP as the MOST SECURE EVER etc.
In fact, it's not.
Sounds like grounds for a class action suit, to me.
Would love to see that one go forward with great gusto.
I normally hate such suits. But MS has certainly earned this one.
Aren't there some hungry atny's out there? Shoot, I'd sign on as part of the class!
7
posted on
02/15/2003 3:26:15 PM PST
by
Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: *Computer Security In
To: Jinjelsnaps
Just goes to show you that nothing's ever truly secure. Uhhhh . . . try the arms of Jesus.
. . . though the boot camp training can get interesting. The eternal rewards are considered more than worth it.
Otherwise, I'd agree with you.
9
posted on
02/15/2003 3:29:06 PM PST
by
Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: per loin
If you have physical access to the box you can almost do anything.
How to get around a windows 2000 box.
1) Remove the hard drive from your target machine
2) Put it into another windows 2000 box that you control and have admin acess to.
3) Boot the system and it is reconized as another drive which you have FULL access to.
10
posted on
02/15/2003 3:31:18 PM PST
by
Centurion2000
(Chance favors the prepared mind.)
To: Centurion2000
If you need that much security ... encrypt your drive.
11
posted on
02/15/2003 3:32:27 PM PST
by
Centurion2000
(Chance favors the prepared mind.)
To: Quix
This is a silly article.
There isn't an OS that is secure against someone with physical access to the machine, who can boot it on another OS of their own. System Admins are usually glad for this. I know I am. I carry some NT cracking boot disks for just such a situation.
12
posted on
02/15/2003 3:37:31 PM PST
by
Ramius
To: per loin
"the most secure version ever," I believe this is a meaningless statement and there is really no specific claim being made that is actionable. This is like saying the 2003 Taurus is the best car ever made. Without specific there is no claim being made.
If Microsoft said "password protected from any unwanted intrusion" then you might have a case to make.
To think that Microsoft would leave themselves open to a lawsuit is a silly as believing that password systems are fool proof.
13
posted on
02/15/2003 3:51:39 PM PST
by
VRWC_minion
( Opinions posted on Free Republic are those of the individual posters and most are right)
To: Quix
Uhhhh . . . try the arms of Jesus. I thought that was Allah or Buddha or Jehova...
14
posted on
02/15/2003 4:07:21 PM PST
by
glorgau
Comment #15 Removed by Moderator
To: Quix
Nicely layed out, Quix :)
To: per loin
The passwords refereed to are for multiple accts on the same computer and are internal, not internet related.
All he could get into is the private desk top of the individual. Good for in house spying, but I do not live in a cubical and anyone knows not to store private stuff on a company computer. Or do you?
Sheesh
To: Libertina
THANKS FOR YOUR KIND REPLY.
I guess "the most" kinds of statements tend to get me going.
18
posted on
02/15/2003 6:49:11 PM PST
by
Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: MikeWUSAF
I have to admit, they have a point. If you don't have physical security you don't have any security at all... which is why books on computer security discuss this issue before even moving on to the technical aspects of securing whatever os you have.
To: per loin
This is stupid. If a person has physical access to a machine. Its all over with for a number of reasons. I carry my own hard drives around just for this reason of saving peoples data when a OS goes belly up.
Mount said secure drive as slave reboot off of your ntfs admin drive and take control of all the content. EOS
20
posted on
02/15/2003 7:15:20 PM PST
by
ezo4
Navigation: use the links below to view more comments.
first 1-20, 21-28 next last
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson