[Dshield] Security Issue with XP
vancel at winfreeacademy.com
Fri Apr 30 14:40:47 GMT 2004
As everyone else has mentioned, this becomes a physical layer of
security. When a company has sensitive information on certain boxes,
network security can only go so far. I've worked for companies that
implement various levels of physical security such as electronic ID
badges, front desk security guards, biometric hand scanners, etc. The
trick is to make both network and physical security strong enough that
neither is likely to be breached. The reason I say "likely" is because
no security is 100% effective, but the tighter it is, the less likely a
casual intruder will get past it. Now that I think about it, I take
back the comment about "no security is 100% effective" but the problem
comes where (as in the cement example) 100% security also renders the
machine useless for legitimate purposes.
In the end, security is all about a trade-off. Easier for users is
easier for hackers, and you have to consider what your users are willing
to endure for security. If you're lucky, you will have the power to
dictate security, but I know that I have never been able to just tell
everyone what they're going to do to be more secure.
securityguy at dslextreme.com wrote:
>Has anyone else seen this?
>Just a heads up on XP, I got this from a users group.
># View Group Archive: http://ITtoolbox.com/hrd.asp?i=955
>Unless Microsoft has fixed it and I haven't seen it, there is a security
>flaw you can use. Brian's Buzz sent out the following:
>Reader Tony DeMartino alerted me to the problem, which all administrators
>of Windows XP machines should immediately take to heart:
>Anyone with a Windows 2000 CD can boot up a Windows XP box and start the
>Windows 2000 Recovery Console, a troubleshooting program.
>Windows XP then allows the visitor to operate as Administrator without a
>password, even if the Administrator account has a strong password.
>The visitor can also operate in any of the other user accounts that may be
>present on the XP machine, even if those accounts have passwords.
>Unbelievably, the visitor can copy files from the hard disk to a floppy
>disk or other removable media - something even an Administrator is
>normally prevented from doing when using the Recovery Console.
Winfree Academy Charter Schools, Data-Business Office
1711 W. Irving Blvd. Ste 310
Irving, Tx 75061
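As an added defender-side check, not code from the original post, from Brian's Buzz, or from the Dshield list: the Windows policy settings that govern the installed Recovery Console are "Allow automatic administrative logon" and "Allow floppy copy and access to all drives and all folders", which are exactly the two behaviours the quoted report says a visitor gets for free. The script below audits both on the local host. The registry location and value names (`SecurityLevel` and `SetCommand` under the `Setup\RecoveryConsole` key) are assumed here to be the standard policy-backed storage for those settings; adjust if your environment stores them elsewhere.

```powershell
# Added audit example (not part of the original post). Reports the local
# Recovery Console policy settings. Assumes the standard policy-backed
# registry location for these settings.
function Get-RecoveryConsolePolicy {
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
    $props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # Value 1 means the option is enabled; a missing value means the policy
    # was never configured, which we report rather than silently treat as safe.
    $autoLogon  = if ($null -ne $props -and $null -ne $props.SecurityLevel) { [int]$props.SecurityLevel } else { $null }
    $floppyCopy = if ($null -ne $props -and $null -ne $props.SetCommand)    { [int]$props.SetCommand }    else { $null }

    $findings = @(
        if ($autoLogon -eq 1)  { 'Recovery Console automatic administrative logon is ENABLED' }
        if ($floppyCopy -eq 1) { 'Recovery Console floppy copy / all-drive access is ENABLED' }
        if ($null -eq $autoLogon -or $null -eq $floppyCopy) { 'One or both Recovery Console settings are not explicitly configured' }
    )

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyKeyPresent    = ($null -ne $props)
        AutomaticAdminLogon = $autoLogon    # SecurityLevel: 1 = console logs on without a password
        FloppyCopyAllDrives = $floppyCopy   # SetCommand:    1 = SET command allows removable-media copy
        Findings            = $findings
    }
}

# Usage: run from an elevated prompt on the host being audited.
Get-RecoveryConsolePolicy | Format-List
```

This tells you how the console that ships with the installed system is configured. Whether a console booted from a different CD honours that configuration is precisely what the quoted report calls into question, so treat the script as a configuration check that complements, rather than replaces, the physical controls the reply above discusses.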