[NEWS] - WinXP passwords bypass

[CougTek]

Windows guru Brian Livingston reports that inserting a Windows 2000 CD into an XP system allows one to bypass all password protection and manipulate any part of the machine at will. "Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console," says Livingston. The intruder has Administrator privileges even if he or she does not provide a password, and can also assume the identity of any other user of the machine.

"I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response," writes Livingston. "There's no Knowledge Base article about it, and there may not even be a good solution to the problem."

 

[sechs]

You're kidding, right?

I could just boot to the Win2k repair console, pick a WinXP install, enter no password, and then have administrator rights?


"Whoops!" might be an understatement....

 

[CougTek]

You're kidding, right?

No. I'm just reporting what the Winblows guru wrote. Since I rarely sell WinbloatXP, I don't have a CD near to try it (I have several Winbloat2K CD lying around - all legal OEM copies).

I would like to know if anyone could confirm.

 

[Groltz]

[quote="CougTekI would like to know if anyone could confirm.[/quote]

http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=174096756&m=2640996155&r=2640996155

.

 

[CougTek]

Groltz,

I only hope you're not "Preacher Boy" at Ars Technica. He's full of shit.

Thanks for the link.

 

[Groltz]

Groltz,

I only hope you're not "Preacher Boy" at Ars Technica. He's full of shit.

Thanks for the link.

I've never posted there. :bleh:

 

[Mercutio]

Almost every XP machine I've run into already logs into an administrator account without a password.

Complaining about security problems in Windows is like complaining about holes in nets.

 

[blakerwry]

Acording to what the members of Ars said there is a setting in the local policies that allow recovery console to automatically log on under the Admin... just like Merc said with everyday logging into the OS.... by defualt winXP is secure from this "attack" or feature.

 

[Mercutio]

Only if, by "secure" you mean "already compromised".

I didn't start getting regular contact with XP until early this year, but all the machines I'm seeing have user accounts with no passwords set. Most user accounts on XP seem to have been created at install time - all users created at that point get admin rights. In my experience almost no one knows how to set their windows password or how to create users.

 

[SteveC]

In my experience almost no one knows how to set their windows password or how to create users.

I've also seen many XP machines without passwords. Not only do most people not know how to create one, many don't want one. They say that it's annoying, and don't want to spend the 2 seconds it takes to type in a password.

 

[cas]

This is absolute nonsense Coug, and Brian Livingston is obviously no Windows guru.

I am a Windows guru, yet it should be plain to anyone that access control does not automatically encrypt files on disk.

This is true of every major OS is use today.

 

[Cliptin]

I'm in pain from laughing. So, this guy really writes books huh.

 

[mubs]

blakerwry wrote:

Acording to what the members of Ars said there is a setting in the local policies that allow recovery console to automatically log on under the Admin... just like Merc said with everyday logging into the OS.... by defualt winXP is secure from this "attack" or feature.

On my W2k Prof: Admin Tools --> Local Security Policy --> Local Policies --> Security Options:

                                                                         Local-Setting   Effective-Setting
                                                                         -------------   -----------------
Recovery Console: Allow Automatic Administrative Logon..................    Disabled          Disabled
Recovery Console: Allow floppy copy and access to all drives and folders    Enabled           Enabled

IIRC, these are the defaults. I would presume WinXP has similar options and defaults.

 

[blakerwry]

Yes, i checked mine. I have the exact same settings by default.

 

[blakerwry]

I'm using winXP SP1, btw.

 

[zx]

Obviously, there are chances that this is a false alert. Mayeb it's with windows XP home edition?

And yes, most home installations of windows XP are unsecure, so it does not make any difference to the average Joe-WinXP user. However, if this was true, it would be a major hole in windows XP. I would never use an OS that has that security flaw...

But as of right now, it seams to be a false alert .

 

[blakerwry]

Obviously, there are chances that this is a false alert. Mayeb it's with windows XP home edition?

And yes, most home installations of windows XP are unsecure, so it does not make any difference to the average Joe-WinXP user. However, if this was true, it would be a major hole in windows XP. I would never use an OS that has that security flaw...

But as of right now, it seams to be a false alert .

However, if this was true, it would be a major hole in windows XP. I would never use an OS that has that security flaw...

That seems pretty narrow minded. No OS that I know of, certainly not a mainstream one, is secure from somebody who has physical access to the machine by default. Not Windows, not Linux.

There are things that you should do yourself, and should be resposible for, to increase your machine's security after installation if you need the extra levels of security for whatever reason.

 

[Cliptin]

Obviously, there are chances that this is a false alert. Mayeb it's with windows XP home edition?

Yeah. Does the login functions and recovery console work the same for XP home as XP pro? Disregarding the lack of domain capability in XP home of course.

 

[Mercutio]

Yes. The recovery console works the same way from XP Home as Pro.
In fact, I've used 2000's RC on XP, and XP's on 2000. The commands are all the same.

 

[sechs]

Actually that's not true. The WindowsXP RC has the bootcfg command, with Win2k's doesn't. That's of little or no consequence in this discussion, but a case in point.

The fact is, this is a stupid security hole. Of course, we all know that if someone has physical access and is determined, they can get at what's on a computer. The idea is to make it more difficult.

 

[honold]

news: linux passwords bypass

boot off a floppy or cd

AMAZING!

how is this news?

 

[zx]

Obviously, there are chances that this is a false alert. Mayeb it's with windows XP home edition?

And yes, most home installations of windows XP are unsecure, so it does not make any difference to the average Joe-WinXP user. However, if this was true, it would be a major hole in windows XP. I would never use an OS that has that security flaw...

But as of right now, it seams to be a false alert .

However, if this was true, it would be a major hole in windows XP. I would never use an OS that has that security flaw...

That seems pretty narrow minded. No OS that I know of, certainly not a mainstream one, is secure from somebody who has physical access to the machine by default. Not Windows, not Linux.

There are things that you should do yourself, and should be resposible for, to increase your machine's security after installation if you need the extra levels of security for whatever reason.

Then why put an administrator password then? Why secure the computer when you can bypass the admin password! It seems un-logical. Most of the time people have physical access to a machine when using it right? That's why I said that it's a major security issue.

I just thought that there was no way to bypass windows login when it's well set-up. Anyway, if most OS have that kind of "potential security hole", then at least i'll be aware about it... :-?

 

[zx]

news: linux passwords bypass

boot off a floppy or cd

AMAZING!

how is this news?

You can set the BIOS so it boots the HD first, and then set a password in the BIOS. That way the user cannot boot with a cd or a floppy (you must probably arrange the bootloader too).

 

[honold]

zx: openbsd can be bypassed with a boot disk or cd. so can linux. so can freebsd. so can solaris.

this is not even a security issue, much less a platform-specific one.

please wait for some iis exploit to pop out so you can all jump on the hood of your kias making thinly-veiled allegations to the superiority of linux (which, btw, has nothing to do with the apache group)

 

[honold]

You can set the BIOS so it boots the HD first, and then set a password in the BIOS. That way the user cannot boot with a cd or a floppy (you must probably arrange the bootloader too).

you can short the cmos too

this is still not a windows issue

 

[blakerwry]

you can put the computer in a fire safe and swallow the key

 

[honold]

you can put the computer in a fire safe and swallow the key

correct - that is much more secure than your average firewall!

 

[Mercutio]

... but only for a couple days.

<eewwwwww>

 

[zx]

you can put the computer in a fire safe and swallow the key

Why not remove the floppy and CD-ROM drive :lol: .

 

[zx]

zx: openbsd can be bypassed with a boot disk or cd. so can linux. so can freebsd. so can solaris.

this is not even a security issue, much less a platform-specific one.

please wait for some iis exploit to pop out so you can all jump on the hood of your kias making thinly-veiled allegations to the superiority of linux (which, btw, has nothing to do with the apache group)

?!?

Linux superior? I never said that.

It's because I do not know linux (and solaris, freebsd, etc...) that I refered to windows in my first post. I did not realize that it was present in many Oses. In fact, you are right, the linux boot loader can make you boot of a floppy or a CD-ROM. I don't know if it's the default bootl oader thought.

Anyway, is that setting we are talking about in Windows XP that allows to log in without a password in the recovery console enabled by default? Is it the same in windows XP pro and XP home? What about windows 2000?

 

[Mercutio]

It's not on by default. Local security policy on every 2000 or XP machine I can find has it set to "disabled".

Again, the bigger issue is the ungodly number of 2000/XP Pro machines with blank passwords for the admin account.

 

[honold]

as bad as that may be, mercutio, it's usually only the case on home systems and telnet/rdp/filesharing isn't enabled by default. it's a local security issue only.

 

[zx]

It's not on by default. Local security policy on every 2000 or XP machine I can find has it set to "disabled".

Again, the bigger issue is the ungodly number of 2000/XP Pro machines with blank passwords for the admin account.

Most people who actually need to secure their computer have an admin password. The rest are those who do not want to enter a password. The windows 9x type of people .

 

[Mercutio]

You misspelled "idiots", zx.

 

[Cliptin]

Again, the bigger issue is the ungodly number of 2000/XP Pro machines with blank passwords for the admin account.

If they have to be this way, a better way to do it is to specify the password in the registry and make the password NOT BLANK. At least remote entry is detered even if local is not.

 

[zx]

You misspelled "idiots", zx.

:lol:

 

[James]

It's not on by default. Local security policy on every 2000 or XP machine I can find has it set to "disabled".

Again, the bigger issue is the ungodly number of 2000/XP Pro machines with blank passwords for the admin account.

In a corporate environment any system administrator worth their salt makes sure that the deployment image they use for XP not only includes passwords on every account, but also some form of rejection mechanism for overly-simplistic passwords (username, username123, dictionary words, etc.).

 

[double bit CRC error]

true.. that stuff is so easy to do as well.

Setting a 5-10 try lockout can prevent alot problems.. and typically will cause only minor irritations(if any)