XP passwords rendered useless

Brian's Buzz ^

[per loin]

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:

• Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
  

• Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
  

• The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.
  

• Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.

This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)

Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.

To send me more information about this, or to send me a tip on any other subject, e-mail me at Brian@BriansBuzz.com with "tip" in the subject.

---

[NYS_Eric]

Wow. (Don't know why I'm surprised, but this must rank right up there with Microsoft security flaws.)

[TSgt]

"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

I have to admit, they have a point. If you don't have physical security you don't have any security at all...

[Leto]

Back in the old days of Unix, you could book up a machine in single user mode, rahter than multi user, the machine came up sans password, you had access to all the ect/passwd (?) files. Came in handy if you were a field service tech working on a machine who wasn't an admin. You physically have to secure a machine to protect the security.

Many corporate boxes, have no floppy or cd, to prevent this sort of thing, of course USB ports....

[Britton J Wingfield]

This will not let them on your network, either. The best they could get is administrator of the local machine.

[Jinjelsnaps]

Just goes to show you that nothing's ever truly secure.

As a network admin, I'm more worried about people breaking through my firewall than breaking into my building. But that's what alarm systems are for...

[Quix]

I'm no lawyer . . .

But as I understand it . . .

Microsoft advertised XP as the MOST SECURE EVER etc.

In fact, it's not.

Sounds like grounds for a class action suit, to me.

Would love to see that one go forward with great gusto.

I normally hate such suits. But MS has certainly earned this one.

Aren't there some hungry atny's out there? Shoot, I'd sign on as part of the class!

[Libertarianize the GOP]

http://www.freerepublic.com/perl/bump-list

[Quix]

Just goes to show you that nothing's ever truly secure.

Uhhhh . . . try the arms of Jesus.

. . . though the boot camp training can get interesting. The eternal rewards are considered more than worth it.

Otherwise, I'd agree with you.

[Centurion2000]

If you have physical access to the box you can almost do anything.

How to get around a windows 2000 box.
1) Remove the hard drive from your target machine
2) Put it into another windows 2000 box that you control and have admin acess to.

3) Boot the system and it is reconized as another drive which you have FULL access to.

[Centurion2000]

If you need that much security ... encrypt your drive.

[Ramius]

This is a silly article.

There isn't an OS that is secure against someone with physical access to the machine, who can boot it on another OS of their own. System Admins are usually glad for this. I know I am. I carry some NT cracking boot disks for just such a situation.

[VRWC_minion]

"the most secure version ever,"

I believe this is a meaningless statement and there is really no specific claim being made that is actionable. This is like saying the 2003 Taurus is the best car ever made. Without specific there is no claim being made.

If Microsoft said "password protected from any unwanted intrusion" then you might have a case to make.

To think that Microsoft would leave themselves open to a lawsuit is a silly as believing that password systems are fool proof.

[glorgau]

Uhhhh . . . try the arms of Jesus.

I thought that was Allah or Buddha or Jehova...

[Libertina]

Nicely layed out, Quix :)

[Cold Heat]

The passwords refereed to are for multiple accts on the same computer and are internal, not internet related.

All he could get into is the private desk top of the individual. Good for in house spying, but I do not live in a cubical and anyone knows not to store private stuff on a company computer. Or do you?

Sheesh

[Quix]

THANKS FOR YOUR KIND REPLY.

I guess "the most" kinds of statements tend to get me going.

[danelectro]

I have to admit, they have a point. If you don't have physical security you don't have any security at all...

which is why books on computer security discuss this issue before even moving on to the technical aspects of securing whatever os you have.

[ezo4]

This is stupid. If a person has physical access to a machine. Its all over with for a number of reasons. I carry my own hard drives around just for this reason of saving peoples data when a OS goes belly up.

Mount said secure drive as slave reboot off of your ntfs admin drive and take control of all the content. EOS