. __ . on Tue, 18 Feb 2003 03:56:01 +0100 (CET)



[Nettime-bold] so much about xp security...


TOP STORY - info you need to make Windows work

XP passwords rendered useless

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure 
version ever," has been found to have a flaw so bone-headed that it renders 
passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators 
of Windows XP machines should immediately take to heart:
    * Anyone with a Windows 2000 CD can boot up a Windows XP box and start 
the Windows 2000 Recovery Console, a troubleshooting program.
    * Windows XP then allows the visitor to operate as Administrator 
without a password, even if the Administrator account has a strong password.
    * The visitor can also operate in any of the other user accounts that 
may be present on the XP machine, even if those accounts have passwords.
    * Unbelievably, the visitor can copy files from the hard disk to a 
floppy disk or other removable media - something even an Administrator is 
normally prevented from doing when using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator 
to set up automatic logon when the Recovery Console is used. Even without 
the Registry entry that enables this, XP is vulnerable. (For info on that 
feature, see 
http://support.microsoft.com/?scid=kb;en-us;312149.)

Windows 2000, of course, doesn't allow Recovery Console users to access a 
hard drive without a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't 
yet received an official response. There's no Knowledge Base article about 
it, and there may not even be a good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the 
past, they've referred me to a company policy that says, "If a bad guy has 
unrestricted physical access to your computer, it's not your computer 
anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't 
allow anyone with an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs 
behind a locked door or put a lock on the PCs themselves. The bad guys know 
about this flaw, and it's just one more thing for the good guys to protect 
against.

To send me more information about this, or to send me a tip on any other 
subject, e-mail me at Brian@BriansBuzz.com 
with "tip" in the subject.

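The column mentions, separately from the CD-boot flaw, a Registry entry that lets an Administrator log on to the Recovery Console automatically (KB 312149). The script below is an added example, not code from Brian Livingston's column or from Microsoft: it audits that key on the local machine and, with -Fix, resets it. The key path and the value names SecurityLevel and SetCommand are the ones documented for the Recovery Console; the choice of 0 as the "safe" value is an assumption about what an administrator would want. As the column itself says, XP is vulnerable even without this entry, so this check only covers the auto-logon feature, not the boot-from-CD problem.

```powershell
# Added example (not from the column or from Microsoft). Audits the Recovery
# Console auto-logon and SET-command settings described in KB 312149.
# Assumption: run in an elevated PowerShell on the XP/2000-era host; on a
# machine without the key, every setting is reported as absent.
param(
    [switch]$Fix   # when set, write the assumed-safe value (0) for weak settings
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

# Documented meanings of the two DWORD values:
#   SecurityLevel = 1 -> Administrator is logged on automatically, no password
#   SetCommand    = 1 -> SET command enabled, so a console user can turn on
#                        AllowRemovableMedia / AllowAllPaths and copy files out
$Checks = @(
    @{ Name = 'SecurityLevel'; Safe = 0; Risk = 'automatic Administrator logon without a password' },
    @{ Name = 'SetCommand';    Safe = 0; Risk = 'SET command lets a console user enable floppy copy and all-path access' }
)

function Get-RecoveryConsoleSetting {
    param([string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$findings = @()
foreach ($c in $Checks) {
    $value = Get-RecoveryConsoleSetting -Name $c.Name
    if ($null -eq $value) {
        $status = 'absent (behaves as 0)'
    } elseif ($value -eq $c.Safe) {
        $status = 'ok'
    } else {
        $status = "WEAK: $($c.Risk)"
    }
    $findings += [pscustomobject]@{ Setting = $c.Name; Value = $value; Status = $status }

    # Only rewrite values that exist and are not already at the safe setting
    if ($Fix -and ($null -ne $value) -and ($value -ne $c.Safe)) {
        Set-ItemProperty -Path $KeyPath -Name $c.Name -Value $c.Safe -Type DWord
    }
}

$findings | Format-Table -AutoSize
```

Run it without switches to report, with -Fix to reset weak values. The same two settings are exposed in Local Security Policy as "Recovery console: Allow automatic administrative logon" and "Recovery console: Allow floppy copy and access to all drives and all folders", so on a domain-joined machine check Group Policy as well, since policy will overwrite a local change at the next refresh.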