XP passwords rendered useless
Brian's Buzz
Posted on 02/15/2003 2:52:07 PM PST by per loin
By Brian Livingston
Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.
Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
- The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.
- Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.
When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.
My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.
To send me more information about this, or to send me a tip on any other subject, e-mail me at Brian@BriansBuzz.com with "tip" in the subject.
TOPICS: News/Current Events
KEYWORDS: computersecurityin
To: Quix
Nutball religionists...
Please keep me off your fairy tale ping list.
21 posted on 02/15/2003 9:40:02 PM PST by glorgau
To: per loin
When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
This is so true. It's like saying a vault in a bank isn't secure because a bad guy might go in, find the combination written down somewhere, and then unlock the safe.
Give anyone who halfway knows what they're doing access to any system for any length of time and your data is gone.
To: glorgau
Hey, oh Hallowed BRILLIANT one . . .
You NEVER WERE on my ping list.
You just happened to have written the msg I was replying to. Sorry that taxed you overmuch to figure out.
And if you make another sweeping statement that pushes one of my buttons, I'll be happy to reply again.
I was merely having some fun that I expected some of similar persuasion would enjoy--which they've noted to me privately they have.
It's not a great biggy what you think.
From my perspective, you made a sweeping statement that wasn't true in my perceptions, experiences or perspective. So, I felt somewhat duty bound to respond. And I had good fun doing so.
23 posted on 02/15/2003 9:47:30 PM PST by Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: glorgau
BTW, I DEPLORE religion.
Relationship is where it's at.
IF it's not relationship, it's not worth bothering about.
24 posted on 02/15/2003 9:48:24 PM PST by Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: Quix
Marvel not, brethren, that the world hate you. Remember, they hated Him (and therefore, the truth) first.
To: anniegetyourgun
GOOD REMINDER.
THANKS MUCH.
I mostly want to be able to face my Lord knowing I took about every opportunity I could to state the Truth in Love.
. . . to be His heart and hands extended . . .
. . . even at the risk of appearing/being obnoxious to some. . .
As you said . . . certain . . . uhhhh mentalities, perspectives, characters stuck on themselves as their own 'god;' their own fierce exclusive, rigid, legalistic-form-over-substance religion unto themselves--such characters had strong feelings about Him, too.
They couldn't bear the risk and vulnerability of a RELATIONSHIP with him. Selfish pride does that to a soul, a mind, a spirit, a heart--an individual.
But you know all this. Thanks for your kind comment.
26 posted on 02/16/2003 3:32:05 AM PST by Quix
(FREEPCARDS additions will be delayed until after birthday and Albuquerque trip)
To: Quix
Quix, PLEASE take me off your Prayer ping list. Thank you, Irish
To: MikeWUSAF
I have to admit, they have a point. If you don't have physical security you don't have any security at all... Most people don't know how vulnerable they are to late-night cleaning people who might be more than they appear to be
28 posted on 02/17/2003 6:13:18 PM PST by SauronOfMordor
(To see the ultimate evil, visit the Democrat Party)