Re: NT Screen Saver Password Protect Bug

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: NT Screen Saver Password Protect Bug
  • From: Paul Leach <paulle@MICROSOFT.COM>
  • Date: Tue, 24 Mar 1998 18:27:36 -0800
  • Comments: To: Russ <Russ.Cooper@RC.ON.CA>
  • Reply-To: Paul Leach <paulle@MICROSOFT.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

> ----------
> From:         Russ [SMTP:Russ.Cooper@RC.ON.CA]
> Reply To:     Russ
> Sent:         Tuesday, March 24, 1998 6:35 AM
> To:   NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject:      Re: NT Screen Saver Password Protect Bug
>
> There have been a number of messages submitted pointing out that to
> properly lock your workstation/server when away from it, you should use
> "Lock Workstation", and not a screen saver (of any kind from any
> company).
>
> This is the best advice, but Christopher's message about how easily the
> password mechanism in screen savers can be by-passed should not be
> discounted, and instead ear-marked as yet another data point on the list
> of securing an NT box. If screen savers with password features are going
> to be shipped with NT, then they should fail securely, rather than fail
> wide open, IMO. This was, I believe, Christopher's point.
>
And just how do they fail "securely"? Not let anyone in (require a hard
reboot)? Only let in local admins? (Get the joke?)

> As to whether or not this is yet another example of what an Admin can
> do, Christopher provides one example how someone not authorized to go
> through the screen saver password screen, can, and thereby become logged
> on as a higher privileged user. This is by no means the only way, but it
> is, again, another way.
>
The supposedly unauthorized person in Christopher's example was an admin of
the workstation being attacked.

The mistake was the Domain admin thinking that the machine was safe to use
AT ALL. The local admin could have installed a GINA (or a trojan
screensaver) to steal his password, for crying out loud.

There is no fix for this. We can't even write code to warn the Domain admin
they're logging on to an insecure machine -- the rogue local admin would
disable or replace it.

Paul