|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Windows XP User Name/Full Name security hole
From: James Prairie Yada (j_horton
PRAIRIEGROUP.COM)
Date: Sat Jan 24 2004 - 19:02:28 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In Windows XP Professional, Windows allows you to log in under either the
'User Name' or the 'Full Name' fields when the user is added to the system.
Often, these two fields are the same, but the 'Full Name' field can be
either blank or can be duplicate, ie. several users can have, say "user" in
the Full Name field. If left blank, this makes logon possible by password
only, making dictionary attacks much easier, since if any or all users have
a blank in the fullname field, the first hit on any password gets you in.
I have not tested this with Active Directory in Server 2003, but the
behaviour exists in standalone and peer networks in XP Professional.
--Jim
-----
Editor's Note: The 43rd Most Powerful Person in Networking says...
Out of Office replies to list messages cause you to be unsubscribed automatically. Either subscribe a Public Folder, or ensure your rules are set to ensure list messages are filtered prior to your Out of Office reply. Such automatic replies are a bane to posters, and cause us to have fewer researchers post to NTBugtraq.
-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]