Dear,

To prevent the lost of this information we make a copy of it

--------------------------------------------------------------------------------
FEB. 13, 2003 - Issue 1

Thanks for signing up to receive the information in Brian's Buzz on Windows.
This monthly newsletter is one of the two new projects I mentioned recently
in InfoWorld. The other is WinFind, which is described below in my Windows
Gizmos section.

XP passwords rendered useless

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure version ever,"
has been found to have a flaw so bone-headed that it renders passwords ineffective
as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows
XP machines should immediately take to heart:
  • Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows
    2000 Recovery Console, a troubleshooting program.
  • Windows XP then allows the visitor to operate as Administrator without a password,
    even if the Administrator account has a strong password.
  • The visitor can also operate in any of the other user accounts that may be present
    on the XP machine, even if those accounts have passwords.
  • Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other
    removable media - something even an Administrator is normally prevented from doing when
    using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator to set up auto-
matic logon when the Recovery Console is used. Even without the Registry entry that enables
this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive with-
out a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an
official response. There's no Knowledge Base article about it, and there may not even be a
good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the past, they've
referred me to a company policy that says, "If a bad guy has unrestricted physical access
to your computer, it's not your computer anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with
an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door
or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one
more thing for the good guys to protect against.
--------------------------------------------------------------------------------

greetings.

[ 20. February 2003, 04:03: Message edited by: MCA ]
_________________________
email scripting@wanadoo.nl homepage scripting@wanadoo.nl | Links | Summary of Site Site KiXforms FAQ kixtart.org library collection mirror MCA | FAQ & UDF help file UDF kixtart.org library collection mirror MCA | mirror USA | mirror europe UDF scriptlogic library collection UDFs | mirror MCA