[23597] in bugtraq
RE: Windows XP security concerns
daemon@ATHENA.MIT.EDU (Geoff Sweet)
Fri Dec 21 15:14:41 2001
Reply-To: <gsweet@worldvision.org>
From: "Geoff Sweet" <gsweet@worldvision.org>
To: "'Tomasz Polus'" <Tomasz_Polus@bsi.net.pl>, <bugtraq@securityfocus.com>
Date: Thu, 20 Dec 2001 10:42:13 -0800
Message-ID: <000d01c18986$0aef1c30$37014659@dw8yw01>
MIME-Version: 1.0
In-Reply-To: <99C34176CB8C0D42B632CA573A49184D0618C8@dune.bsi.net.pl>
Commenting on the loss of user data below: I don't think this is a critical
issue. By default Win2K/XP adds the local Administrator as an Encrypted Data
Recovery Agent. So while the pain-in-the-arse factor is there of needing to
reset the password via the admin account, any encrypted data won't be lost
due to loss of the private key. The Administrator can still recover the data,
then the user can re-encrypt it with his/her new credentials.
Geoff Sweet
Systems Engineer
World Vision (www.worldvision.org)
II. Problem with reset password disk

Windows XP introduced a new feature - "Password Reset Disk", which can be used
to recover a user account and personalized computer settings if a user forgets
his password.

The problem is that in certain conditions (Minimum password age <> 0) the user
may not be able to reset his password using the above mentioned disk, and the
only solution is the reset password feature available to the Administrator.

First, make sure the "Minimum password age" policy is set to a value other
than 0. Now, supposing the user forgets his password before its age expires,
he will not be able to reset it with the disk until the password expires.

What's more, changing the password by an Administrator using MMC or the control
panel (in other words - GUI) leads to user data loss (i.e. EFS files) because
of private key loss.

The only solution seems to be the "net user" command issued by an
administrator.
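The condition the report turns on, a non-zero "Minimum password age", is something an administrator can check from a policy export rather than by reproducing the lockout. The script below is an added example written for this page; it is not code from either poster. It parses the text that `secedit /export /cfg <file>` (INI format) or `net accounts` prints, and works out, for a password last set on a given day, when a reset disk would first become usable under the behaviour the report describes. Both sample inputs are constructed, not captured from a real host, and the reading that the reset disk is blocked only until the minimum age has elapsed is an assumption taken from the report's wording.

```python
"""Audit a Windows password policy for the "reset disk" failure mode described
in this thread. Added example, not part of the original posts. Input is the text
written by `secedit /export /cfg <file>` (INI) or by `net accounts`; the sample
inputs below are constructed, not captured from a real host."""
import configparser
import re
from datetime import date, timedelta

# Constructed sample of a secedit export; only [System Access] is used.
SECEDIT_SAMPLE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of `net accounts` output (English locale).
NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
The command completed successfully.
"""


def min_password_age(text):
    """Return the minimum password age in days from either input format."""
    if "[System Access]" in text:
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case as secedit writes it
        cp.read_string(text)
        return int(cp["System Access"].get("MinimumPasswordAge", "0"))
    m = re.search(r"Minimum password age \(days\):\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def reset_disk_available(text, last_set_iso, today_iso):
    """Assumption taken from the report: with a non-zero minimum password age,
    a user who forgets the password before that age has elapsed cannot change
    it with the reset disk. Returns (usable_today, first_usable_day_iso)."""
    age = min_password_age(text)
    earliest = date.fromisoformat(last_set_iso) + timedelta(days=age)
    return date.fromisoformat(today_iso) >= earliest, earliest.isoformat()


def audit(text, last_set_iso, today_iso):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    age = min_password_age(text)
    if age != 0:
        usable, earliest = reset_disk_available(text, last_set_iso, today_iso)
        if usable:
            findings.append(f"MinimumPasswordAge={age}: reset disk usable "
                            f"(password older than the minimum age)")
        else:
            findings.append(f"MinimumPasswordAge={age}: reset disk unusable "
                            f"until {earliest}; plan for an administrator reset")
    return findings


if __name__ == "__main__":
    for line in audit(SECEDIT_SAMPLE, "2001-12-20", "2001-12-20"):
        print(line)
```

Run it against a real export with `secedit /export /cfg policy.inf` on the host and pass the file contents to `audit`. A policy with `MinimumPasswordAge = 0` produces no finding, which matches the report's precondition for the problem.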