“Windows XP, which has been marketed by Microsoft as “the most secure version ever,” has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC. Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:” Read Brian’s article at BrianBuzz.com.
A friend of mine (who works for a company that I shall not mention) says that they have a Linux boot-up floppy that essentially allows them to boot a Win2k box and siphon the Administrator password – this one doesn’t seem to be much different, no?
FreeBSD: boot -s
Linux: Runlevel 2
…no one gives a crap. But when it’s XP they go crazy.
Umm… I can boot up a Linux CD in a WinXP box and mount that Windows drive and copy the files. I can do this with… well… DOS, FreeBSD and any other OS. This isn’t really a big deal… the point is that the way we think of security is backwards. The security should encrypt the files… not just deny access to the OS.
that’s what MS people say: your box is not secure if anyone can physically access it.
And they’re right.
I’m admin on the ERP of my workplace. No one can touch my box. I not only “lock” the computer when I leave the room, but also the room….
This is a ridiculous article. Unless you have an encrypted file system (or a proprietary one that no one knows how to read perhaps, unlike NTFS) you can do this to almost *any* OS.
What an uninspiring article. One aspect of the Windows XP/2000 security is interesting however. Has anyone ever tried to *recover* the administrator password? I had physical access to a Windows 2000 machine (with requisite service pack) and was asked to recover the Administrator password.
While accessing the hard drive was a piece of cake (use a Linux boot disk with NTFS support), getting the passwords was surprisingly difficult. I spent an evening on it and didn’t have any success. I don’t remember the details of it but I believe actually *finding* the password file was what made it difficult. The obvious password file was a decoy.
Anyways, this article is just silly.
You cannot access all the system with root privilege simply with runlevel 2 in Linux…
If you boot with the rescue in Windows XP, you have all the right to read/write and change everything. So the password no longer works.
Maybe. But it should allow resetting the root password. At least FreeBSD’s single user mode allows that; I’d assume Linux’s single user mode acts the same. The ability of changing the root password is enough to subsequently access all files.
I’d recommend using Bastille on a fresh Linux install. http://www.bastille-linux.org/ Redhat 8.0 users will need http://ftp.silug.org/pub/kspei/add-ons/redhat/8.0/i386/perl-Tk-804…. if they want to use the configuration GUI.
It’s the first thing we learn about (network) security: physical access to a computer is always the biggest danger because they can read what they can…
Would this work if the machine has a boot password? I remember trying to boot KNOPPIX on an NT machine once and the boot password prevented me from doing it.
Would there be a workaround for that?
“FreeBSD: boot -s”
“Linux: Runlevel 2”
“…noone gives a crap. But when it’s XP they go crazy.”
Except that Apple gives a crap. With the firmware password capability built into Macs, you can have a system that will not boot into single-user mode, off a CD, or anything. It becomes utterly secure unless you can actually get INSIDE the computer case, and that’s pretty damned conspicuous.
Macs the most secure unix boxes? Who knew? Oh yeah, I did. Apple rocks!
“Except that Apple gives a crap. With the firmware password capability built into Macs, you can have a system that will not boot into single-user mode, off a CD, or anything. It becomes utterly secure unless you can actually get INSIDE the computer case, and that’s pretty damned conspicuous.”
You can do the same thing with Linux/PCs. Just password protect the BIOS so the boot device can’t be changed, and password protect LILO so it can’t be booted into single user mode.
“Macs the most secure unix boxes? Who knew? Oh yeah, I did. Apple rocks!”
I think back to old RS/6000s, where you changed the runlevel with a physical key on the front of the box. You’re overembellishing here just slightly…
Well, considering they have physical access to the machine they can just DIP-switch reset the BIOS. Unless of course the case is actually locked up, then they’d probably have to do some serious and obvious modifications to break into the machine. But still, if a “hacker” is actually able to get to your machine to use this trick in the article, then you have a hell of a lot more problems than worrying about how secure your system is!
There are several ways of accessing NTFS partitions without a password. Boot Windows 98 or DOS (with NTFS drivers), or Linux and you can do the same thing.
You can also put the hd in another computer and then read the files.
The only way around this is to encrypt the partition (often a checkbox during the installation).
Indeed this is silly. If this was through a network they might have a bit more of something. But it being more of a physical hack, if you will, it’s of little threat. A person could just take your computer at that level. Also I don’t expect there not to be such “holes”. If you got to the point where you had to have a password to do anything it could make some things difficult. Like maybe formatting a hard disk, if they got to the point where you couldn’t format one from DOS without logging into Windows. Also as mentioned it’s easy enough as is to just put the drive in another computer and transfer files over. Maybe I’m forgetting something, but could you in Win98 just hit cancel at the password prompt and it would still give you access, though maybe not full, but nevertheless enough to transfer files off the computer? If you want it to be safe just encrypt them. The best protection isn’t to hide or stop people from something, it’s to make what you have not wanted by them, to make it unusable. Though a squirrel on crack with rabies next to the computer might help too.
— “You can do the same thing with Linux/PCs. Just password protect the BIOS so the boot device can’t be changed, and password protect LILO so it can’t be booted into single user mode.”
Of course, but for one thing, that’s two passwords instead of one, and second, is there a single easy to use GUI app for setting those passwords on all Linux boxes? Technically it’s just as good in results, but in usability, another important quality for any form of security, it’s not quite as good.
— “I think back to old RS/6000s, where you changed the runlevel with a physical key on the front of the box. You’re overembellishing here just slightly…”
Those are fairly expensive rackmounts that are designed to be used in the already fairly secure environment of a server room somewhere. My impression was that we were discussing security in a situation where undesirables could get physical access to the computer. Also I think “overembellishing” is a bit too strong a word. Don’t get me wrong here, I never thought Macs were the most secure systems in history! But if you were looking for a new system to serve some need requiring top security and control in a setting where physical access to the computer was not as tightly controlled as you might like, a Mac is an excellent choice.
Besides, I’m also a bit of an Apple fan-boy and I couldn’t miss the opportunity to plug ’em.
Password GRUB, and encrypt your FS. That was tough.
—“Well considering they have physical access to the machine they can just dipswitch reset the bios.” <snip>
—“Indeed this is silly. If these was through a network they might have a bit more of something. But it being more of a physical hack if you will it’s of little threat.” <snip>
There is a significant difference between being able to walk up to a system and slip a CD or disk in, and having to open the case. Opening a computer case is extremely conspicuous and unless you had actually stolen the machine and taken it to a private location, you would be unlikely to successfully break into someone’s system that way. On the other hand, just rebooting to a CD or floppy, then rebooting back once you retrieved passwords/installed back doors, is FAR less likely to attract lots of attention, not to mention far less time consuming.
—“Password GRUB, and encrypt your FS. That was tough.”
Until someone boots to a floppy. You forgot to password your BIOS.
I recently acquired an old Apricot MS PC which is protected by internal battery powered movement detectors, a siren, case switches, case lock, security loop, electronic fingerprinting, and BIOS-level access control.
You have to have a password to start the computer, and it is asked for right when the computer is switched on, even before memory test etc.
Removing the mobo battery has no effect on the password (though luckily you can remove the batteries for the siren).
The only way to get back the fingerprinting password is to contact a certain company and send them a cheque along with many details of the computer. (Serials, name of buyer etc)
With an encrypted file system as well, it’s quite a secure box.
— “I recently acquired an old Apricot MS PC which is protected by internal battery powered movement detectors, a siren, case switches, case lock, security loop, electronic fingerprinting, and BIOS-level access control.”
Wow! Cool. That must be a fun box to poke around in!
There’s a simple fix to it:
Open the group policy editor (gpedit.msc), then go to:
Local Computer Policy -> Windows Settings -> Local Policies -> Security options -> Recovery console : Allow automatic administrative logon: Change its value to “Disabled”
And the second thing to change is right below it: ‘Allow floppy copy & access to all drives & folders:’ Change its value to “Disabled”
It’s THAT simple!
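As an added defender-side check (not from the thread or its author), the PowerShell script below audits the two Recovery Console policies just described by reading the registry values they map to, SecurityLevel and SetCommand under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole (1 = Enabled, 0 = Disabled), and reports any machine where either is not Disabled; the function and output names are my own.

```powershell
# Added audit script, not part of the original thread.
# Assumed mapping (documented Windows behaviour):
#   SecurityLevel -> "Recovery console: Allow automatic administrative logon"
#   SetCommand    -> "Recovery console: Allow floppy copy and access to all drives and all folders"
#   1 = Enabled, 0 = Disabled, value absent = policy "Not Defined"

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

$policies = @(
    @{ Name = 'SecurityLevel'; Display = 'Recovery console: Allow automatic administrative logon' },
    @{ Name = 'SetCommand';    Display = 'Recovery console: Allow floppy copy and access to all drives and all folders' }
)

function Test-RecoveryConsolePolicy {
    param([string]$Path, [hashtable]$Policy)

    $value = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Policy.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.($Policy.Name) }
    }

    # An absent value means "Not Defined": the OS default applies. Report it as
    # non-compliant so the policy gets set to Disabled explicitly rather than by default.
    if ($null -eq $value) { $state = 'NotDefined' }
    elseif ($value -eq 0) { $state = 'Disabled' }
    else                  { $state = 'Enabled' }

    [pscustomobject]@{
        Policy    = $Policy.Display
        Value     = $value
        State     = $state
        Compliant = ($state -eq 'Disabled')
    }
}

$results = foreach ($p in $policies) { Test-RecoveryConsolePolicy -Path $keyPath -Policy $p }
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or inventory tool flag the host for follow-up.
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Recovery Console policy drift: set both policies to Disabled via gpedit.msc.'
    exit 1
}
```

Run it elevated so the key is readable; on systems that never shipped a Recovery Console the key may be absent and both policies report NotDefined.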
Since when does a physical security breach demonstrate an OS security lapse? If someone gets physical access to your machine, then you lose (unless the file system is encrypted and sssssslllllllooooooowwwwwwww).
It’s a laugh that some here are taking swings at XP because of a poorly thought out e-ramble…
The only way to do it is through physical access to your computer; there is no real danger unless you actually give someone the PC. That was a boneheaded article. I have retrieved Windows 2000 files with Knoppix without an Admin password. So Windows 2000 isn’t all that secure either. Linux and UNIX have many other exploits that allow users granted physical access ways to get files as well. My advice: activate the BIOS password, that’s what I do in my office.
Everyone is telling how he got files from NTFS drives with Linux…
Ever thought that if you have an ext2 driver for NT that you can grab all files from some ext2 partition without any hassle?
It’s no biggie. Security settings are enforced by the filesystem driver. If it chooses to ignore the security settings, you have access to all files. That’s what you’re doing with your Linux. It’s nothing special at all.
I’m not too fond of Windows – any version of it – but if someone has physical access to your host with some bootable floppy or CD, he/she has the power to bring it down to its knees.
I don’t know exactly how the Windows passwords are stored and how they can be changed, but it is very, very, very easy to remove the root’s password in /etc/passwd once you managed to boot with any media and then mount the root partition.
OpenFirmware and BIOS passwords both suffer from the ability to be reset with physical access to the machine, not just BIOS.
With BIOS there is usually a jumper somewhere. With OpenFirmware you just remove one of the DIMMS and then reset PRAM three times.
Both types of passwords can be retrieved once the machine is booted up given enough privileges (administrator/root.)
Both can be bypassed by simply pulling out the hard drive and moving it somewhere else.
Seriously… unless you encrypt the hard drive and have your boot loader prompt for a password, there is no way someone with physical access to your machine can’t easily get access. Even with encryption, it is only a matter of time before they break in if they are motivated enough.
So don’t worry about it and plan for having to wipe your machines to a clean state from time to time if you are in an environment where that sort of thing might happen.
“Maybe. But it should allow resetting the root password. At least FreeBSD’s single user mode allows that; I’d assume Linux’s single user mode acts the same. The ability of changing the root password is enough to subsequently access all files.”
I don’t know about *BSD, but if you’re using LILO to boot Linux, you can make it ask for another password to allow the boot in single mode. Although this password must be entered in plain text in /etc/lilo.conf, you can make it readable only by root to prevent people from seeing it.
Of course, it might turn useless as well if the attacker uses a bootable floppy or CD as stated in the article.
Regards,
DeadFish Man
I didn’t forget. ;-) They are welcome to try booting a floppy though, since there is no cable. The CDROM drives are disconnected as well. ;-)
“Ever thought that if you have an ext2 driver for NT that you can grab all files from some ext2 partition without any hassle?”
That’s true of course, but the difference is this: there are lots of possibilities to boot Linux from floppy or CD and get a fully functional shell, while that’s not possible with NT AFAIK.
This is a bit iffy.
Slashdot hit the same trouble. Kinda worried how it got through really.
The basics?
Unless the machine is off limits it’s pretty open to being abused through Linux boot and other options.
It’s only local root/admin anyway that is generally at risk.
You could encrypt your fs or whatever.
Bottom line:
Most security IS defeatable. Most measures just raise the difficulty level. In truth I do not favour an unbreakable scheme either. Having a system where if something nasty happens, and NOT being able to recover IS as bad as having a system that is insecure.
Most companies would go bust if they have a disaster, and that might be data loss, non recovery, hacking , and a whole heap of other issues.
Let’s keep the discussion adult, but this is not news to me. Sorry.
AdmV
Someone made an interesting point.
http://slashdot.org/comments.pl?sid=53998&cid=5310569
The simple fact of the matter is that Mac OS X does not have this problem. By default, on boot-up you have to enter an administrator password to do anything with the machine — whether you boot from a CD or not. Therefore, even if someone gets their hands on your machine they can’t get access to your files (without physically removing the hard disk and then doing a bunch of other stuff). If you forget your administrator password you have to reinstall OS X (and wipe all of your data).
That Windows XP is so easily cracked is shocking.
In my toolbox CD I have a bootable CD with ERD Commander.
Just boot from it into ERD Commander, ‘mount’ the registry from c:\winnt or whatever and change the password.
This feature comes by design in any *n?ux: boot single etc…
“With the firmware password capability built into Macs, you can have a system that will not boot into single-user mode, off a CD, or anything. It becomes utterly secure unless you can actually get INSIDE the computer case, and that’s pretty damned conspicuous.”
Not even that. Apple denies it, but under certain circumstances you can even get around that. A friend of mine did that to her Powerbook when she forgot her firmware password.
XP is crap when it comes to security anyway. I installed XP Pro the other day and during install it asked me for an Administrator password – great, no problem. It also asked me to enter 4 user names to be used on the system. I entered one. It didn’t ask me for a password for this user. When it was all set up and I logged in with this user I discovered it had been created with administrator access and no password. Tell me what the f…k is the point of basing your OS on the NT security model with fine grained access rights when you openly encourage users to create admin users with no password?
MS have completely lost the plot.
At least with Win2000 you were asked to enter an admin password and the only other account on the system was the guest account which was disabled anyway.
“At least with Win2000 you were asked to enter an admin password and the only other account on the system was the guest account which was disabled anyway.”
With XP, you can disable the account at installation time and add users the Win2k way, OR you can add passwords to the accounts, force new passwords on them, and drop those accounts to the regular/limited user group.
XP’s way of adding users at installation time will ensure fewer tech support calls from Win9x users, and fewer apps would break on limited accounts.
In my dorm there was this Bulgarian guy who installed Counter Strike on one of the Windows 2000 lab computers by booting Linux and using it to brute-force the Admin password. I think he may have had to hack the BIOS password as well to boot up Linux, I dunno. I remember I forgot my BIOS password to my laptop once; it was just a matter of putting in a disk that had the characters “PASS” at the very beginning of the disk.
Granted, someone hacking and installing Counter Strike isn’t the end of the world.
— “I didn’t forget. ;-) They are welcome to try booting a floppy though, since there is no cable. The CDROM drives are disconnected as well. ;-)”
That would not stop someone from screwing up your BIOS settings or even setting their own BIOS password however, unless you had remembered to set one already.
— “Not even that. Apple denies it, but under certain circumstances you can even get around that. A friend of mine did that to her Powerbook when she forgot her firmware password.”
What she did was remove the stick of RAM (or possibly add one) from the externally accessible RAM slot and then reset the P-RAM, which is exactly the official way to reset the password. If I am wrong, I’d sure like to know what this “secret” workaround is! Frankly however, I am certain that I am not.
I didn’t forget meant that there is a setup password. ;-)
Well, this is not about recovering, but in case they are lost, you can at least change them with Bluecon by O&O Software. I think it’s available for W2K and XP.
It’s not true! Maybe it works if the system was UPGRADED from Win9x. I never perform upgrades.
But using a clean install, this feature is turned off by default. Yes, I can go to “Local Security Policy” and turn on auto-login for the recovery console and “full disk access” for the recovery console, BUT by default this feature is turned off.
And of course I cannot protect from “enemy” boot.
One of the primary rules:
there are just too many ways one can get in,
– boot protect the bios > flash it
– get in windows with boot disk
– put the box in an unmonitored network, and you have all the time you want
– put the disk in another box and have access to anything
– ….
If your portable gets stolen, you can only pray it was for the hardware and not the data.
All user files should be public-key encrypted until they are in the RAM of the user’s workstation (and even then…). It is easy to write software to get into any non-encrypted filesystem or network.
That’s what TCPA is about.
Yes, but keys should not be primarily attached to hardware. They should be primarily attached to people.
Encrypted File System is a feature available as early as Win2K that allows users to encrypt any folders on a machine. That way, even if somebody gains access to your machine directly (ie, your laptop is stolen), they cannot read your files without your password, plain and simple.
You don’t even need a boot floppy for Linux — using RH, simply issue a chroot after booting from the install CD! I assume that there is an EFS equivalent for Linux and THAT is the correct way to ensure security even with physical access to the machine.
Well of course you can access the information using the recovery console. If you want to protect against that, stop the machine booting from the CD in the BIOS and lock it with a password. Even if this route was not in position you could still simply reinstall the OS, take ownership of the NTFS files and do what you like with them. If you want to protect your files, use EFS. Sometimes it helps to RTFM.