Unread 18 Feb 2003, 22:42   #1
Christian
Attitude
 
Join Date: Jan 2003
Location: Rich Part of Denmark
Posts: 435
Windows XP Security hole.

Chances are some of you didn't see this yet.
Quote:
From http://www.briansbuzz.com
XP passwords rendered useless

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:

- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.

- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.

- The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.

- Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.

This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)

Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.
__________________
Todd: Truth is like a blanket that always leaves your feet cold. You push it, stretch it, it'll never be enough. Kick at it, beat it, it'll never cover any of us. From the moment we enter crying, to the moment we leave dying, it'll just cover your face as you wail and cry and scream.
Christian is offline   Reply With Quote
Unread 18 Feb 2003, 22:56   #2
Atamur
Ngisne
 
Join Date: Jul 2001
Location: right here
Posts: 79
Yea yea. Anybody who stores sensitive data on a machine that a potential intruder might walk up to deserves what's coming to him. Without physical security, any system is inherently vulnerable.
__________________
down with signatures
Atamur is offline   Reply With Quote
Unread 18 Feb 2003, 23:05   #3
Cyp
∞+♪²
 
Join Date: Nov 2000
Location: :uo!te]o¯|
Posts: 428
Quote:
Originally posted by Atamur
Yea yea. Anybody who stores sensitive data on a machine that a potential intruder might walk up to deserves what's coming to him. Without physical security, any system is inherently vulnerable.
A potential intruder might walk up to a computer with sensitive data, after killing all the guards and using explosives to remove the steel door that was blocking the path to the computer.

Putting sensitive PGP-encrypted data on a public computer would probably be safer than putting non-encrypted data in a bunker, at least, until useful quantum computers are developed, or new algorithms. (Although that could be tomorrow, or last year even...)
__________________
Structural Integrity for Creator - since he'll probably make PA turn 3D.
Wikipedia forum
Note to self - Don't write Chinese letters with bold and italics...
<!--Last incarnation: Nov 2000-->
Cyp is offline   Reply With Quote
Unread 18 Feb 2003, 23:09   #4
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
This is the dumbest 'security hole' ever reported. Console access will ALWAYS get you in, that's why physical security > patches.

Linux does the same, reboot in single user mode and there you are. Solaris I believe is the same as is NT4 and probably VMS.
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 18 Feb 2003, 23:12   #5
meglamaniac
Born Sinful
 
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
The article has been on The Register for a while.

Anyone with enough time to target a specific machine, boot off a CD to the prompt, and know exactly what they're looking for (unless they LIKE trawling through god only knows how many folders with no equivalent of my favourite linux command, locate, available) is probably going to have better means available.

Anyway, you can completely override the windows NTFS security model using any of the 'ready to run' CD based linux distros with NTFS support, since the linux NTFS module completely ignores the file privileges etc (and doesn't have access to Windows' SAM databases anyway so couldn't implement the security if it wanted to).
The only thing it can't do is bypass NTFS encryption.

__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
meglamaniac is offline   Reply With Quote
Unread 19 Feb 2003, 00:00   #6
Christian
Attitude
 
Join Date: Jan 2003
Location: Rich Part of Denmark
Posts: 435
Well, I found a use for it. Now I've - again - got all the logins and passwords of every student and teacher at my college. Not that I'll be using their accounts for anything, but this could have been a large company instead of just a college.

Physical security is quite hard to obtain these days.

***

This reminds me, I need a good linux OS that can run from a floppy, or a CD. In other words, I need a distro that can just run directly off one of those media. I'll just plug it in, tell it to boot, and it will work. Is there such a thing?
__________________
Todd: Truth is like a blanket that always leaves your feet cold. You push it, stretch it, it'll never be enough. Kick at it, beat it, it'll never cover any of us. From the moment we enter crying, to the moment we leave dying, it'll just cover your face as you wail and cry and scream.
Christian is offline   Reply With Quote
Unread 19 Feb 2003, 00:08   #7
JetLinus
Friendly geek of GD :-/
 
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
Quote:
Originally posted by Christian
This reminds me, I need a good linux OS that can run from a floppy, or a CD. In other words, I need a distro that can just run directly off one of those media. I'll just plug it in, tell it to boot, and it will work. Is there such a thing?
Ever tried Knoppix on disc? If I remember right you'll find it on sourceforge.net. It's a bootable CD Image
__________________
[»] Entropy increases! :-/
JetLinus is offline   Reply With Quote
Unread 19 Feb 2003, 00:19   #8
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by Christian
Well, I found a use for it. Now I've - again - got all the logins and passwords of every student and teacher at my college. Not that I'll be using their accounts for anything, but this could have been a large company instead of just a college.
Really? DO tell, I'm sure we're all very curious.

What OS do the servers run? Where did you get the passwords? What authentication service do they use? We're all REALLY curious how you managed this incredible feat from an XP workstation.

Or could that smell be bull****? Thought so.
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 19 Feb 2003, 01:03   #9
Epcylon
Registered User
 
Join Date: Apr 2000
Location: Oslo, Norway
Posts: 78
Tbh... if you allow free access to boot from CD/floppy on a comp that sits in a public place... you're asking for trouble anyway...

99% of all comps can set bootorder to something like "HD only".
__________________
Epcylon
[R1]: noob | [R2]: B8S/ICD | [R3-5]: ICD | [R6]: HR | [R7-9.5]: HR/NoS |
[R10]: HR RecOff | [R10.5]: HR RO -> HR HC -> HR pe0n | [R11]: HR pe0n -> Leave of Absence |
[R12]: HR free-pe0n | [R13-]: HR pe0n
Epcylon is offline   Reply With Quote
Unread 19 Feb 2003, 01:13   #10
meglamaniac
Born Sinful
 
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
Quote:
Originally posted by Gayle29uk
Really? DO tell, I'm sure we're all very curious.

What OS do the servers run? Where did you get the passwords? What authentication service do they use? We're all REALLY curious how you managed this incredible feat from an XP workstation.

Or could that smell be bull****? Thought so.
Unless someone's been hunting through the password list files?
I'm not sure if XP even uses them though, tbh. It was quite possible to get the passwords of everyone who had logged on recently at my old secondary school (it used windows 98 for its workstations) by nicking a copy of the machine's registry and all the password list files on the machine, then running a brute force program over them.

__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
meglamaniac is offline   Reply With Quote
Unread 19 Feb 2003, 02:55   #11
MT
/dev/zero
Retired Mod
 
Join Date: May 2000
Posts: 415
At our uni, if a computer crashes, is turned off, rebooted or otherwise disappears from the network for a period of more than 1 second, a security guard is sent to the relevant computer room.

Otherwise it would be a simple job of booting to single user mode, copying off /etc/shadow, and setting jtr to work at its own leisure at home.
__________________
#linux : Home of Genius

<idimmu> ok i was chained to a desk with this oriental dude
MT is offline   Reply With Quote
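
A defender's check for the single-user-mode exposure raised in posts #4 and #11, as an added example that is not part of any post in this thread. It assumes a GRUB legacy `menu.lst` and a SysV-style `/etc/inittab`; the function names and the sample file contents (including the placeholder hash) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit two settings that decide whether a
# reboot at the console yields a root shell without a password.
# Assumes GRUB legacy (menu.lst / grub.conf) and a SysV-style /etc/inittab.

# grub_has_global_password FILE
# Succeeds if a `password` directive appears before the first `title` line.
# Only a directive in that global position locks the boot-entry editor.
grub_has_global_password() {
    awk '
        $1 ~ /^#/                   { next }             # ignore comments
        $1 == "title"               { exit }             # first boot entry: stop
        $1 == "password" && NF >= 2 { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# single_user_requires_auth FILE
# Succeeds if inittab runs sulogin (which prompts for the root password)
# for the single-user runlevel S. Fields are id:runlevels:action:process.
single_user_requires_auth() {
    awk -F: '
        $0 ~ /^[ \t]*#/ { next }                         # ignore comments
        {
            split($4, argv, /[ \t]+/)                    # first word of process
            cmd = argv[1]
            sub(/.*\//, "", cmd)                         # strip directory part
            if ($2 ~ /[Ss]/ && cmd == "sulogin") { found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_console_boot GRUB_FILE INITTAB_FILE
# Prints one line per check and returns the number of failed checks (0-2).
audit_console_boot() {
    failures=0
    if grub_has_global_password "$1"; then
        echo "ok:   boot entry editing is password-protected"
    else
        echo "FAIL: boot entries can be edited at the console without a password"
        failures=$((failures + 1))
    fi
    if single_user_requires_auth "$2"; then
        echo "ok:   single-user mode asks for the root password (sulogin)"
    else
        echo "FAIL: single-user mode gives a root shell with no password"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# write_samples DIR
# Writes constructed weak and hardened sample files into DIR.
write_samples() {
    cat > "$1/menu.lst.weak" <<'EOF'
default=0
timeout=5
# password --md5 <hash>   (commented out, so not in effect)
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda2
EOF
    cat > "$1/menu.lst.hardened" <<'EOF'
default=0
timeout=5
password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda2
EOF
    cat > "$1/inittab.weak" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
#~~:S:wait:/sbin/sulogin
l3:3:wait:/etc/rc.d/rc 3
EOF
    cat > "$1/inittab.hardened" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
l3:3:wait:/etc/rc.d/rc 3
EOF
}

# Demo on the constructed samples; point the function at real files to audit a host.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for variant in weak hardened; do
    echo "== $variant =="
    audit_console_boot "$demo_dir/menu.lst.$variant" "$demo_dir/inittab.$variant" \
        || echo "   -> $? finding(s)"
done
rm -rf "$demo_dir"
```

Neither setting helps against booting other media or removing the disk, which is why later posts in the thread fall back on boot order, case locks and encryption.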
Unread 19 Feb 2003, 04:23   #12
Atamur
Ngisne
 
Join Date: Jul 2001
Location: right here
Posts: 79
Quote:
Originally posted by Cyp
A potential intruder might walk up to a computer with sensitive data, after killing all the guards and using explosives to remove the steel door that was blocking the path to the computer.
Any form of security - computer or otherwise - is only valid as long as the expense of circumventing it exceeds the value of the secured possessions. If your data is valuable enough for somebody to hire 5 commandos to obtain then you would presumably have 25 commandos guarding it.

Quote:

Putting sensitive PGP-encrypted data on a public computer would probably be safer than putting non-encrypted data in a bunker [snip]
Encryption in itself doesn't buy security. Where would you store those PGP keys? How would you authenticate a user without physical security? Passwords can be social-engineered, coerced away, found on post-it notes on people's monitors, stolen through spoofing attacks, etc. Hardware keys can be stolen or borrowed.
__________________
down with signatures
Atamur is offline   Reply With Quote
Unread 19 Feb 2003, 07:43   #13
JammyJim
Godfather
 
Join Date: May 2000
Location: England
Posts: 5,185
The answer is 'Antec' or 'Chieftec'


Or in fact any other case which allows you to lock the front door which then locks 'potential threats' out of the cd bays etc...


It's a useful feature I've never used. However the keys look funky on my keychain! :-)
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
JammyJim is offline   Reply With Quote
Unread 19 Feb 2003, 09:34   #14
Cyp
∞+♪²
 
Join Date: Nov 2000
Location: :uo!te]o¯|
Posts: 428
Quote:
Originally posted by Atamur
Any form of security - computer or otherwise - is only valid as long as the expense of circumventing it exceeds the value of the secured possessions. If your data is valuable enough for somebody to hire 5 commandos to obtain then you would presumably have 25 commandos guarding it.



Encryption in itself doesn't buy security. Where would you store those PGP keys? How would you authenticate a user without physical security? Passwords can be social-engineered, coerced away, found on post-it notes on people's monitors, stolen through spoofing attacks, etc. Hardware keys can be stolen or borrowed.
Well, you could just not write the password down, and not tell anyone. (If you aren't the only person who should have access, the not telling anyone part might not be usable.) As far as I know, the PGP secret keys are password-encrypted, so could be stored anywhere.

Anyway, windows security is annoying... A single file was corrupted, stopping the computer from booting up, and it wasn't possible to replace it, even though there was a backup copy on another drive. Using the boot cd thingy, had to choose which drive to access, and it refused to let me access any other drive than the one I chose. That is, it wouldn't let me copy a file from one drive to another. Common sense says it should at least be possible to copy via a floppy disk. However, it wasn't possible to use the emergency recovery console the second/third time, as it claimed I got the password wrong. As there wasn't any password set, I couldn't have gotten it wrong. And no password had worked 5 minutes ago on the same drive. Had to create a new hard drive partition, and install a new copy of windows. (The new copy of windows could access all drives, the only thing that ever thought it needed a password was the recovery console.)
__________________
Structural Integrity for Creator - since he'll probably make PA turn 3D.
Wikipedia forum
Note to self - Don't write Chinese letters with bold and italics...
<!--Last incarnation: Nov 2000-->
Cyp is offline   Reply With Quote
Unread 19 Feb 2003, 10:02   #15
Supernova9
m u p p e t
 
Join Date: May 2001
Location: Whenever Wherever
Posts: 477
Quote:
Originally posted by JammyJim
The answer is 'Antec' or 'Chieftec'


Or in fact any other case which allows you to lock the front door which then locks 'potential threats' out of the cd bays etc...


It's a useful feature I've never used. However the keys look funky on my keychain! :-)
Though wouldn't anyone with enough time with physical access to the machine just snap off the (probably) plastic front door and proceed as normal?
__________________
Supernova9 is offline   Reply With Quote
Unread 19 Feb 2003, 14:38   #16
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by meglamaniac
Unless someone's been hunting through the password list files?
I'm not sure if XP even uses them though, tbh. It was quite possible to get the passwords of everyone who had logged on recently at my old secondary school (it used windows 98 for its workstations) by nicking a copy of the machine's registry and all the password list files on the machine, then running a brute force program over them.

Quote:
Now I've - again - got all the logins and passwords of every student and teacher at my college.
It's a college so it's reasonable to assume a domain server is handling the login authorisation, local admin isn't (as you well know :P) the same as domain admin and despite its many vulnerabilities XP is actually a pretty secure client OS.

I highlighted the words 'every' and 'all' because that further implies a server based login, a local system would only store local passwords (is any college really going to set up l/p for every student/teacher on each and every XP machine it has individually?) not network l/p
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 19 Feb 2003, 14:46   #17
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by Supernova9
Though wouldn't anyone with enough time with physical access to the machine just snap off the (probably) plastic front door and proceed as normal?
As local admin use is fairly pointless (all our workstations store locally is the OS and apps, fileservers for everything else) the physical aspect (cages, lockable cases) is fairly pointless.

File servers on our smaller remote sites have lockable cases locked inside cages to prevent physical access and the security on the server room where I work is kinda serious! Of course there is several million pounds worth of kit in there so you'd kind of expect it
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 19 Feb 2003, 14:51   #18
pablissimo
Henry Kelly
 
Join Date: Apr 2000
Posts: 7,374
The only reason I can see for case-locks is to hinder, not prevent theft of data/intruder activity.

If your company keeps all its boxes locked then it would be much harder for someone in an office to wander casually up to the PC and fiddle with it using a bootdisk, and prevent the 'old line' of 'I'm from Tech Support, don't worry' as they'd have to cunningly explain why a tech support engineer needed to pull the front of the case off with the aid of a screwdriver.
pablissimo is offline   Reply With Quote
Unread 22 Feb 2003, 23:14   #19
Coffee
Ensign
 
Join Date: Apr 2000
Location: An intricate fantasy world.
Posts: 166
A boot CD/floppy with a NTFS driver will have virtually the same effect. Once you've lost physical security, encryption is the only sensible line of defense.
__________________
PIE*
Coffee is offline   Reply With Quote
Unread 23 Feb 2003, 02:37   #20
Supernova9
m u p p e t
 
Join Date: May 2001
Location: Whenever Wherever
Posts: 477
Quote:
Originally posted by Gayle29uk
File servers on our smaller remote sites have lockable cases locked inside cages to prevent physical access and the security on the server room where I work is kinda serious! Of course there is several million pounds worth of kit in there so you'd kind of expect it
Well, sounds just like the file servers at my office (holiday job), the company that's contracted to run all the IT requirements of the Met Police - security was everywhere, there were even keypad locks on the toilet doors ffs. Which was a real cnut if you forgot the code and were in a hurry :/
__________________
Supernova9 is offline   Reply With Quote
Unread 24 Feb 2003, 18:23   #21
Christian
Attitude
 
Join Date: Jan 2003
Location: Rich Part of Denmark
Posts: 435
Quote:
Originally posted by Gayle29uk
Or could that smell be bull****? Thought so.
We have several workstations available to us. These have been standing there about for quite a long time. But, the "secret" was this combined with admin powers..
__________________
Todd: Truth is like a blanket that always leaves your feet cold. You push it, stretch it, it'll never be enough. Kick at it, beat it, it'll never cover any of us. From the moment we enter crying, to the moment we leave dying, it'll just cover your face as you wail and cry and scream.
Christian is offline   Reply With Quote
Unread 24 Feb 2003, 18:47   #22
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by Christian
We have several workstations available to us. These have been standing there about for quite a long time. But, the "secret" was this combined with admin powers..
If they don't use system keys to secure the SAM files they really need a kick up the arse
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 24 Feb 2003, 20:08   #23
Christian
Attitude
 
Join Date: Jan 2003
Location: Rich Part of Denmark
Posts: 435
Most public system admins do.

Edit: Really need a kick in the arse, that is.
__________________
Todd: Truth is like a blanket that always leaves your feet cold. You push it, stretch it, it'll never be enough. Kick at it, beat it, it'll never cover any of us. From the moment we enter crying, to the moment we leave dying, it'll just cover your face as you wail and cry and scream.
Christian is offline   Reply With Quote
Unread 25 Feb 2003, 03:49   #24
Starbucks
It was a Stupid Dream
 
Join Date: Jun 2002
Location: Winchester, UK
Posts: 2,077
our uni is pretty locked down

so it's hard to access anything

the fact is it is using novell netware, if you look up the security exploits of netware, it's less than both linux and windows

problem is it's really ****ty at handling roaming profiles
Starbucks is offline   Reply With Quote
Unread 26 Feb 2003, 14:14   #25
Laze
Registered User
 
Join Date: Jul 2001
Posts: 15
Quote:
Originally posted by Starbucks
our uni is pretty locked down

so it's hard to access anything

the fact is it is using novell netware, if you look up the security exploits of netware, it's less than both linux and windows

problem is it's really ****ty at handling roaming profiles
I take it netware has improved a lot since I was at uni. Netware 3.11 and 3.12 were not what I would call secure!
Laze is offline   Reply With Quote
Unread 26 Feb 2003, 14:27   #26
meglamaniac
Born Sinful
 
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
Our uni (well, in the CS labs) has secured their systems using Novell under windows, and has done a very good job of securing Redhat by making it so that whenever you try and log on in Gnome, the X server bombs out and restarts.
I don't know what the hell they did to it over xmas, but now it's console logins only under linux till they pull out their finger and fix it.

Very odd.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
meglamaniac is offline   Reply With Quote
Unread 26 Feb 2003, 15:29   #27
Gayle29uk
Bitch
 
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by Laze
I take it netware has improved a lot since I was at uni. Netware 3.11 and 3.12 were not what I would call secure!
3.11 took security to a new low, 3.12 was 3.11 with preinstalled patches, and the new versions are more secure than either Win2k or Linux servers. Still weak to someone with console access but I don't know of an OS that isn't.
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Gayle29uk is offline   Reply With Quote
Unread 10 Mar 2003, 04:32   #28
Intrepid00
Registered User
 
Join Date: Aug 2000
Posts: 1,967
Why do you people act so surprised? You can do the same exact thing to linux and any other OS. In fact, I don't even need to do that. I just remove the HD and use my tools to remove the files.
Intrepid00 is offline   Reply With Quote
All times are GMT +1.