XP passwords rendered useless

ToshiroOC · Feb 15, 2003, 07:02 AM

Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:

* Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.

* Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.

* The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.

* Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.

This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)

--By Brian Livingston, source: "Brian's Buzz on Windows"

Article can be read here.

nForcer · Feb 15, 2003, 04:55 PM

Well DUH if you boot from something outside of Windows, and it can see NTFS partitions of course you will get full access to the machine. Thats like leaving your keys in your car on the dashboard and locking it with a spare set. If someone sees the keys thru the glass, then BREAKS the glass..then your security is broken. Where do these people come up with this obvious crap?

Desert_Siege · Feb 15, 2003, 05:42 PM

but maybe I am just a noob. So you think your all set and locked up tight with a 24 digit alpha numeric password and turn off your machine and walk away. Someone comes by with a Windows 2000 CD, boots to the recovery console using the CD and renders your password useless, logs in and deletes all the accounts on the machine just for sh@ts and giggles and gets rid of that pesky documents folder too. Nothing in there anyone could want. Yeah I can see where that wouldn't be any big deal. Big dummies, shame on them for reporting something so insignificant as being able to log on as an admin on a machine without the password and change and delete files as you please. You got system recovery right? Doesn't it fix everything....heh.

Feb 15, 2003, 07:02 AM	#1
ToshiroOC Unbiased. Join Date: Jun 2002 Posts: 4,812 Rep Power: 0	XP passwords rendered useless Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC. Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart: * Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program. * Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password. * The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords. * Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console. This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.) --By Brian Livingston, source: "Brian's Buzz on Windows" Article can be read here.

Feb 15, 2003, 05:42 PM	#3
Desert_Siege Professional Slacker Join Date: Jun 2002 Location: KY Posts: 274 Rep Power: 0	That seems pretty serious to me.... but maybe I am just a noob. So you think your all set and locked up tight with a 24 digit alpha numeric password and turn off your machine and walk away. Someone comes by with a Windows 2000 CD, boots to the recovery console using the CD and renders your password useless, logs in and deletes all the accounts on the machine just for sh@ts and giggles and gets rid of that pesky documents folder too. Nothing in there anyone could want. Yeah I can see where that wouldn't be any big deal. Big dummies, shame on them for reporting something so insignificant as being able to log on as an admin on a machine without the password and change and delete files as you please. You got system recovery right? Doesn't it fix everything....heh.

Feb 15, 2003, 04:55 PM	#2
nForcer Twice the fun! Join Date: Jul 2002 Posts: 1,404 Rep Power: 0	Well DUH if you boot from something outside of Windows, and it can see NTFS partitions of course you will get full access to the machine. Thats like leaving your keys in your car on the dashboard and locking it with a spare set. If someone sees the keys thru the glass, then BREAKS the glass..then your security is broken. Where do these people come up with this obvious crap?