[Dshield] Security Issue with XP

Laura Vance vancel at winfreeacademy.com
Fri Apr 30 14:40:47 GMT 2004

As everyone else has mentioned, this becomes a physical layer of 
security.  When a company has sensitive information on certain boxes, 
network security can only go so far.  I've worked for companies that 
implement various levels of physical security such as electronic ID 
badges, front desk security guards, biometric hand scanners, etc.  The 
trick is to make both network and physical security strong enough that 
neither is likely to be breached.  The reason I say "likely" is because 
no security is 100% effective, but the tighter it is, the less likely a 
casual intruder will get past it.  Now that I think about it, I take 
back the comment about "no security is 100% effective" but the problem 
comes where (as in the cement example) 100% security also renders the 
machine useless for legitimate purposes.

In the end, security is all about a trade-off.  Easier for users is 
easier for hackers, and you have to consider what your users are willing 
to endure for security.  If you're lucky, you will have the power to 
dictate security, but I know that I have never been able to just tell 
everyone what they're going to do to be more secure.

securityguy at dslextreme.com wrote:

>Has anyone else seen this?
>Just a heads up on XP, I got this from a users group.
># View Group Archive: http://ITtoolbox.com/hrd.asp?i=955
>Unless Microsoft has fixed it and I haven't seen it, there is a security
>flaw you can use.  Brian's Buzz sent out the following:
>Reader Tony DeMartino alerted me to the problem, which all administrators
>of Windows XP machines should immediately take to heart:
>Anyone with a Windows 2000 CD can boot up a Windows XP box and start the
>Windows 2000 Recovery Console, a troubleshooting program.
>Windows XP then allows the visitor to operate as Administrator without a
>password, even if the Administrator account has a strong password.
>The visitor can also operate in any of the other user accounts that may be
>present on the XP machine, even if those accounts have passwords.
>Unbelievably, the visitor can copy files from the hard disk to a floppy
>disk or other removable media - something even an Administrator is
>normally prevented from doing when using the Recovery Console.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools, Data-Business Office
1711 W. Irving Blvd. Ste 310
Irving, Tx  75061
Mobile: 469-855-5801
Fax: 972-251-2525
Web: www.winfreeacademy.com
