Re: NT Screen Saver Password Protect Bug
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: NT Screen Saver Password Protect Bug
- From: Stewart Berman <Stewart.Berman@BANKERSTRUST.COM>
- Date: Thu, 26 Mar 1998 11:05:48 -0500
- Reply-To: Stewart Berman <Stewart.Berman@BANKERSTRUST.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
There appears to be a problem here that is being overlooked: the ability of an admin to use someone else's identity without leaving any traces. Admins have always had the ability to reset a user's password and logon as that user. However, the user would always know that their password was changed. IOW, there was a trace left. In addition, the admin would not have passwords for sensitive applications.

Breaking into a logged-on user by renaming the screen saver allows an admin to assume the user's identity without leaving a trace -- assuming they renamed the screen saver back to its original name later. Furthermore, the ability to get into an active session increases the risk since the user could have sensitive applications (with their own security checks) running. It is not unusual for a user to rely on a screen saver to avoid having to close and re-open a half-dozen applications every time they leave their desk -- including, unfortunately, overnight.

Stu