From: John Allberg, Posten (john.allberg POSTEN.SE)
Date: Wed Feb 14 2001 - 04:42:30 CST
Problem: The policy "smart card removal behaviour" is not
enforced once the screensaver has started.
Platform: Windows 2000 SP0 and SP1
Risk: Low
Remote exploitable: No
Damage: A user who knows that his/her workstation is locked
when the smart card is removed can unknowingly
leave the workstation unlocked and insecure.
Description:
When all of the following conditions are fulfilled, the workstation is neither
locked nor logged off, despite the policy:
- the policy "Smart Card Removal Behaviour" (Group Policy -> Security) is
set to "Lock Workstation" or "Force Logoff",
- the screensaver kicks in without "password protected" checked, and
- the smart card is removed.
Workaround:
Make sure "password protected" is checked. This can be done via a group
policy, found under User Settings-> Administrative Templates-> Control
Panel-> Display.
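The following audit script is an added example, not part of the original advisory or of Posten's work. It reports whether a machine is configured in the state the advisory describes: smart card removal set to lock or log off, but the screensaver allowed to start without password protection. It reads the registry values that back these settings (ScRemoveOption under the Winlogon key, and ScreenSaverIsSecure / ScreenSaveActive under the Desktop policy and user keys); those locations are standard Windows values, not named on the page, and the value meanings in the comments are the example's own assumptions.

```powershell
# Added audit script (not from the advisory): reports whether this machine
# combines an enforced smart card removal action with an unsecured screensaver.
# Registry locations below are standard Winlogon/Desktop values, not taken
# from the advisory text.

function Get-SmartCardRemovalGapStatus {
    [CmdletBinding()]
    param()

    # Machine-wide: what Winlogon does when the smart card is removed.
    # Assumed meanings: "0" = no action, "1" = lock workstation, "2" = force logoff.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $removal  = (Get-ItemProperty -Path $winlogon -Name 'ScRemoveOption' `
                    -ErrorAction SilentlyContinue).ScRemoveOption
    if (-not $removal) { $removal = '0' }

    # Per-user: a value under the Policies key takes precedence over the
    # user's own Control Panel setting, so check the policy key first.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    $secure = (Get-ItemProperty -Path $policyKey -Name 'ScreenSaverIsSecure' `
                  -ErrorAction SilentlyContinue).ScreenSaverIsSecure
    $source = 'policy'
    if ($null -eq $secure) {
        $secure = (Get-ItemProperty -Path $userKey -Name 'ScreenSaverIsSecure' `
                      -ErrorAction SilentlyContinue).ScreenSaverIsSecure
        $source = 'user setting'
    }

    $active = (Get-ItemProperty -Path $policyKey -Name 'ScreenSaveActive' `
                  -ErrorAction SilentlyContinue).ScreenSaveActive
    if ($null -eq $active) {
        $active = (Get-ItemProperty -Path $userKey -Name 'ScreenSaveActive' `
                      -ErrorAction SilentlyContinue).ScreenSaveActive
    }

    $removalEnforced = $removal -in @('1', '2')
    $saverRuns       = $active -eq '1'
    $saverSecure     = $secure -eq '1'

    [pscustomobject]@{
        SmartCardRemovalOption = $removal
        ScreenSaverActive      = $saverRuns
        ScreenSaverIsSecure    = $saverSecure
        SecureSettingSource    = $source
        # The advisory's condition: removal would lock or log off, but an
        # unsecured screensaver can start first and the removal is not enforced.
        AdvisoryGapPresent     = ($removalEnforced -and $saverRuns -and -not $saverSecure)
    }
}

Get-SmartCardRemovalGapStatus | Format-List
```

Run it in the context of the user whose session you are auditing, since the screensaver settings are per-user; `AdvisoryGapPresent` being true means the workaround above (forcing "password protected" through Group Policy) has not taken effect for that user.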
Vendor status:
Microsoft has been informed, tracking number msrc 628sc. Thanks to Russ
Cooper.
Comments:
The first indication of this bug was found by accident. An administrator was
talking on the phone, let his mouse fall to the floor, and after a while the
screensaver kicked in, not password protected. When he finished the call, he
removed his smart card and ran to a meeting. I picked up his mouse and put
it on the table, and the desktop came right up, much to my surprise.
First, we were angry with the administrator that he hadn't removed his card,
but when we checked, the card had in fact been removed.
Some may argue that not having a password-protected screensaver and
relying on users removing their smart cards is unsafe, since the user may
not care to remove the smart card. We are trying to ensure this by using the
same card to operate doors in our building. Since we can't get through the
doors without the smart card and we can't identify ourselves to, for
example, a guard (the smart card is our visual ID card), we are in quite a
bit of trouble. That way a user may forget his/her smart card once or twice,
but then the lesson is learned.
Oh, by the way, there has been a discussion about this being a bug or
vulnerability. I don't know what to think, I just want it fixed, preferably
yesterday... *grin*
The Swedish Post:
Posten AB, http://www.posten.se, has been involved in information delivery
since the seventeenth century, thus being a Trusted Third Party.
Posten AB, which became a limited liability company in March 1994, offers
message transmission, parcel forwarding, payments transmission and various
financial services.
Posten AB is the largest Certification Authority in Sweden and is issuing
both physical and smart card-based electronic IDs to the Swedish market.
This vulnerability was found and reported in a joint effort by Stefan
Jacobsson and John Allberg, Posten AB.