Re: NT Screen Saver Password Protect Bug
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: NT Screen Saver Password Protect Bug
- From: peter riegersperger <rick@SALZBURG.CO.AT>
- Date: Wed, 25 Mar 1998 12:05:27 +0100
- Comments: To: Paul Leach <paulle@MICROSOFT.COM>
- Reply-To: peter riegersperger <rick@SALZBURG.CO.AT>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
At 18:27 24.03.98 -0800, Paul Leach wrote:

[...]

>> As to whether or not this is yet another example of what an Admin can
>> do, Christopher provides one example how someone not authorized to go
>> through the screen saver password screen, can, and thereby become logged
>> on as a higher privileged user. This is by no means the only way, but it
>> is, again, another way.
>>
> The supposedly unauthorized person in Christopher's example was an admin of
> the workstation being attacked.
>
> The mistake was the Domain admin thinking that the machine was safe to use
> AT ALL. The local admin could have installed a GINA (or a trojan
> screensaver) to steal his password, for crying out loud.
>
> There is no fix for this. We can't even write code to warn the Domain admin
> they're logging on to an insecure machine -- the rogue local admin would
> disable or replace it.

You are right, because everyone is talking about a properly configured
workstation. As far as I can tell, these are rare (but YMMV :), since most
sysops have not the time or just not the information necessary or (mostly,
I think) not the proper attitude towards system security. (And yes, true,
some of them are just plainly naive.) They do secure their servers (at least
if they are in the open) but leave their workstations wide open, since a lot
of people consider the restrictions necessary to secure a Windows NT
installation annoying when they meet them on their desktop.

So this problem has no theoretical impact, but surely a practical one.

So, what's Microsoft supposed to do? Maybe nothing, your point makes sense.
Probably don't distribute password-protected screen savers at all with the
next release of Windows NT to make this discussion purely academic ;)

But there is some weight in this bug, since users get some sense of security
that is missing if the rest of their workstation is not strictly secured.

The bottom line might be: "If you don't secure your workstation as Microsoft
[and a lot of other people] suggest, you should definitely not use
password-protected screensavers because it causes the opening of another
security hole."

Thus, I think, it was correct to publish the facts and call them a bug, and
people should be told about it, even if MS is not supposed to do anything.
(Yeah, true, when a bug will not be fixed there can be other company
responses than "it's not a bug -- it's a feature!" <g>)

One thing the mentioned SysOps could learn about this incident is that an
unsecured computer (regardless of the OS) imposes a lot of security risks -
not just the obvious ones. So I think they should be told.

Just my two cents,

greetings,
rick

peter riegersperger <rick@salzburg.co.at>
-----------------------------------------------
http://www.cosy.sbg.ac.at/~prieger
"If at first you don't succeed, redefine success."
A saying (Taken from: Patterson, Hennessy. Computer Organization and Design)