Slashdot Mirror


Crack Windows XP With... Windows 2000

An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."

12 of 401 comments

  1. Not a big deal! by Longinus · · Score: 4, Informative
    You can do the same thing to Linux with a boot floppy. Also, Ars is carrying this story, but with the following observations from readers:

    "Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didn't let them in without it. Unfortunately, I don't have XP installed here to test it out before I posted."

    Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't be using Windows to begin with.

  2. Goodbye NTFS encryption? by GraZZ · · Score: 3, Informative

    This sounds particularly bad, as I'm assuming that it allows you to get by the NTFS filesystem-level encryption. This feature is *supposed* to allow you to encrypt files, and make it impossible for others to decrypt, even if they steal your drive, reinstall Windows on it, etc.

    If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnerable!

  3. umm no.. by Suppafly · · Score: 4, Informative

    An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.

    Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.

  4. Err... by Wakko+Warner · · Score: 4, Informative

    Why not just use one of *several* NT password recovery disks? They work on XP, as well. I've used this one to bust into several Win2k Pro machines we'd forgotten the password for.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"

  5. Physical access by Tyreth · · Score: 5, Informative
    I know that physical access makes a machine vulnerable in most cases. But that is because people don't password their bootloader, don't password their BIOS and disable boot disks.

    Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.

    Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if I did). Now with a Windows XP machine it looks like you also need to disable CD-ROM access. An unreasonable step.

    But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass the Administrator password? If so, why would this be limited to a Windows 2000 disk? What's stopping someone from making a program that enters into the Recovery Console, removing the need to be physically present or have a Windows 2000 CD? Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.

  6. Re:Knoppix by Proc6 · · Score: 5, Informative
    And let me be the first to say, Praise Jesus for Knoppix. I had a pair of mirrored disks created in Win2K Server. After the server exploded I put them into an XP box (NTFS is NTFS, right? Wrong.) - I used XP's disk admin to "reactivate disks", and as soon as I did that, they became completely unreadable with either XP, or even in a different 2000 server at that point. Many various attempts at various things basically left me with NTFS disks I simply couldn't read with Win2000 or XP.

    I booted Knoppix. It saw the NTFS partitions fine. The disks appeared on the Knoppix desktop. I opened an FTP connection to another machine, copied off the important files, and was done.

    I will ALWAYS have a copy of Knoppix around.

    --

    I'm Rick James with mod points biatch!

  7. Wannabe slashdot lawyers by Anonymous Coward · · Score: 5, Informative

    Have you -read- the DMCA? Do you think the primary purpose of Windows 2000 was to be a circumvention device of Windows XP (which wasn't even released yet?)

    (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

    `(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

    `(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

    `(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

  8. Encrypting your SAM key by scubacuda · · Score: 3, Informative
    I have not done this, but according to this article you can secure your SAM key on XP:

    You can encrypt your SAM file using SYSKEY and selecting the option to store the encrypted key on a floppy disk. Keep in mind that the floppy disk will be required during the system boot phase. Storing the encrypted key on the local drive is not as secure, since there are utilities available to manipulate the password hash. Make a backup of the floppy disk and store it in a safe, in case your original floppy disk gets damaged.

    Equally important to protecting your SAM file, is having an understanding of the services you are running. Make sure that you disable unnecessary services for security reasons and to free up system resources. I've included below some of the services that I would disable by default. Keep a configuration file or maintenance log of the changes made to each host in your peer-to-peer network.

    NOTE: Make sure you make a full backup of your system before making changes.

    Services to disable:

    • Application Layer Gateway Service - if not using Internet Sharing
    • Automatic Updates - this can work for you or against you; at some point, someone will hack this process to propagate an attack on your system
    • Background Intelligent Transfer Service - used by Windows Update
    • Error Reporting Service - self explanatory
    • Internet Connection Firewall - unless you are sharing Internet
    • NetMeeting Remote Desktop Sharing - enable when you need it
    • Remote Access Auto Connection Manager - unless sharing Internet
    • Remote Desktop Help Session Manager - enable when you need it
    • Remote Access Connection Manager - unless sharing Internet
    • Routing and Remote Access - unless sharing Internet
    • TCP NetBIOS Helper Service - used for WINS
    • Terminal Services - enable when you need it
    • Upload Manager
    • WebClient

  9. Re:So what? by slaker · · Score: 3, Informative

    Tried it this afternoon on one of my 2000 Servers and an XP Pro disc. I was greeted by a password prompt.

    The default local security policy on every XP box I have access to seems to require authentication, but at the same time, more than half of the XP boxes I have access to also have an admin-level account that does NOT have a password on it, at all.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

  10. No, No, NO!!! by alexburke · · Score: 5, Informative
    No, No, No.

    NO!

    You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines (winnt32 /cmdcons /unattend)), but from within the Recovery Console you can ONLY log on to a Windows installation as Administrator (or whatever account was originally called Administrator if it was renamed), and you *do* require the password for it. NO OTHER ACCOUNT WILL WORK. (You are not even prompted for the user to log in as.)

    If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.

    It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).

    ...

    Okay, I've somewhat calmed down now.

    Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.

    Sheesh...

    *sigh*
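An audit script, added here and not posted by anyone in the thread, that reads the two Recovery Console policies comment 10 describes (the automatic-logon policy and "Allow floppy copy and access to all drives and all folders") and reports the state of the services comment 8 lists. It assumes the registry key and the value names SecurityLevel and SetCommand are the ones those Local Security Policy settings write to, and matches services by the display names given in comment 8 (which vary slightly between service packs); it only reads state and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the Recovery Console
# policies and the service list discussed above. Run in an elevated PowerShell.

# Assumed: key and value names behind the two Recovery Console policies.
$rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RecoveryConsolePolicy {
    # SecurityLevel = "Allow automatic administrative logon"  (1 = enabled)
    # SetCommand    = "Allow floppy copy and access to all drives and all folders" (1 = enabled)
    $props = Get-ItemProperty -Path $rcKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = [bool]($props.SecurityLevel -eq 1)
        AllowFloppyCopy = [bool]($props.SetCommand -eq 1)
    }
}

# Display names as listed in comment 8; matched with a trailing wildcard
# because the exact names differ between XP service packs.
$listedServices = @(
    'Application Layer Gateway Service', 'Automatic Updates',
    'Background Intelligent Transfer Service', 'Error Reporting Service',
    'Internet Connection Firewall', 'NetMeeting Remote Desktop Sharing',
    'Remote Access Auto Connection Manager', 'Remote Desktop Help Session Manager',
    'Remote Access Connection Manager', 'Routing and Remote Access',
    'TCP/IP NetBIOS Helper', 'Terminal Services', 'Upload Manager', 'WebClient'
)

function Get-ListedServiceState {
    foreach ($name in $listedServices) {
        $svc = Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'not found'; StartType = '' }
        } else {
            # StartMode comes from WMI; Get-Service on XP-era PowerShell lacks StartType.
            $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
            [pscustomobject]@{ Service = $svc.DisplayName; Status = $svc.Status; StartType = $wmi.StartMode }
        }
    }
}

$policy = Get-RecoveryConsolePolicy
Write-Host "Recovery Console automatic admin logon        : $($policy.AutoAdminLogon)"
Write-Host "Recovery Console floppy copy / all drives     : $($policy.AllowFloppyCopy)"
if ($policy.AutoAdminLogon -or $policy.AllowFloppyCopy) {
    Write-Warning 'Recovery Console is more permissive than the XP default; review Local Security Policy.'
}
Get-ListedServiceState | Format-Table -AutoSize
```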

  11. Old News by SLASHAttitude · · Score: 3, Informative

    Unless this can be done remotely this is very old news. Every NT/2k/.net admin worth his salt has known this since NT4 if not before. It is the same thing if you have a slack or Gentoo CD and have local access to a Linux box. There is not much that can be done if you have local access. In my mind this is what is wrong with the security world today. A lot of people taking shit like this too far. This is not an exploit and should not be treated as such. You should note it and not let just anyone have physical access to your network.

  12. An OS -can- know its phys sec was breached... by ivi · · Score: 3, Informative

    As early as Compaq's Deskpro 4000, there was:

    - a software-controlled case-lock &
    - a case-opened sensor

    The box's firmware could be set up to use the sensed indications that the case had been opened (with or without use of the s-w-cont'd case-lock).

    By the way, has anybody got code that can access the case-opened indicator and/or s-w-cont'd lock, e.g. for use in an Open Source OS?

    TIA