Old 02-15-2003, 04:28 PM   #1
Tommy Boomfiger
Rear Admiral Lower Half
 
 
Join Date: Nov 2000
Location: Chi town
Posts: 2,348
XP Security is worthless

from Brian's Buzz
Quote:
XP passwords rendered useless

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:
Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.

Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.

The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.

Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.

This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)

Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.


Old 02-15-2003, 05:01 PM   #2
OC
the admiral formerly known as overclocked
 
 
Join Date: Aug 2000
Location: Outside the mainstream
Posts: 5,922
Heh - I was just on my way in here to post that very thing.

Bone-headed is right.

-OC
__________________
But what is adulthood except a delayed end-run around our parents' better judgment?
-- Peter Egan

*cough*
Old 02-15-2003, 08:53 PM   #3
Cubsfan
Rear Admiral Lower Half
 
 
Join Date: Jul 2001
Location: Colorado
Posts: 2,743
Anyone in security will generally tell you that if someone has physical access to your machine, you're screwed anyway. Just for one, look at:
http://www.winternals.com/products/r...mander2002.asp

I can walk up to anyone's Windows PC and reset the password to whatever I want. Much easier. I've actually used this one, and it is REALLY slick.

Plus, just searching on the web, there's half a dozen other ones that will do the same thing and are actually free.

(Ok, just noticed that the article says the same thing that my first point was.) Anyway, you give someone physical access to your Linux, Solaris, AIX, HPUX, etc... box, and they'll get what they want. I've personally done things like this for Linux, Windows, and HPUX (people at work always forget their passwords!)
Old 02-16-2003, 01:43 PM   #4
Joshua
Rear Admiral Upper Half
 
 
Join Date: Jan 2001
Location: Long Island, NY
Posts: 3,390
Nice post, I'm off to crack into my boss' machine to see the salaries of all my coworkers.

Just kidding.
__________________
The Apexer formerly known as SnotRocket.

"Like I ****ing said, "Ok, so I hear it may be a repost. Blah But I had never seen it, so..." **** you Canta." -Jenny 12/4/2003
Old 02-16-2003, 02:41 PM   #5
mojo
Fleet Admiral
 
 
Join Date: Jun 2001
Location: about 15 min away
Posts: 8,165
Quote:
Originally posted by Cubsfan
Anyone in security will generally tell you that if someone has physical access to your machine, you're screwed anyway.
yup. if they're at the box, it's game over. not a major flaw so much as the way it is.
__________________
say "hi" to lumbergh for me
Old 02-16-2003, 05:15 PM   #6
skynet
Lieutenant Commander
 
Join Date: Oct 2001
Posts: 523
I definitely would not say XP security is worthless.

If I had access to the box I could snag the drive out of the machine and get the data, or just plain old destroy the box.

I think XP is great, I have had no problems with it and I don't think there is a better solution out there for me right now.