|
Nope that ain't no joke ;) and if it's a shocker to you, then you haven't heard,
so read on and find out why.
There have always been ways to access the file system on a password protected
Windows NT, 2000 and XP computer, but most of these ways involve third party
utilities and don't always work (i.e., if the file system is NTFS and file permissions
are set, access can be more difficult). Using a Linux disk is a common no cost
way to bypass an Administrator password and often succeeds, but can be problematic
depending on the system configuration and hardware. The easiest third party
utility way that I tested on XP was not free—and not cheap either—but
it proved how easy it was to gain full logon to a password protected XP system
by revealing the Administrators user name and then allowing you to change the
password. Anyone who has the intent—malicious or not—can find ways
to get to your data and it really isn’t very dificult at all.
If you are in an environment where data security is essential, the only real
security is to physically lock the computer and prevent access to it.
But this article is not about third party utilities to hack Windows, but about
a major security hole that exists ONLY in Windows XP, that makes it possible
for someone to access and manipulate your personal data, and it involves nothing
more than Microsoft's own software. It's all because of a major oversight (or
if not a oversight, then a cover up by Microsoft) in the design of Windows XP.
In my testing, this hole made it possible for me to access the file system of
a Windows XP machine with an NTFS file system—no DOS was needed! And
it didn't matter how cryptic the Administrator made the logon password or what
folder and file restrictions were placed on the data. I got in and the files
were accessible.
Windows 9x versus XP
We all know that Windows 9x has non existent security by default (anyone can
just hit cancel to abort the password requirement at logon time), but there
are ways to increase the security in Windows 9x by forcing a logon as I wrote
about in this ABC article http://personal-computer-tutor.com/abc2/v16/vic16.
Of course, this doesn't make Windows 9x more secure than Windows XP, but with
the forced Windows 9x logon implemented, Windows 9x and Windows XP share a common
denominator when it comes to the ease of accessing the files system of each
OS. Shocking, right? No, I can hear ya—you're saying BULL!
To be fair, remember that Windows 9x was never built or pushed with security
features being a priority but Windows XP was. Therefore, the weak security is
most disturbing in Windows XP, because of Microsoft's intense promotion of XP
as the most secure Windows operating system. As it stands now, Windows 2000
is the most secure Windows OS (though that really isn't saying much).
So What is This XP Flaw?
Well, what is it in Windows 9x when forced logon is enabled? It's that anyone
can use a boot disk and access the file system in DOS. In XP it's similar! The
flaw is that someone can gain access to your Windows XP data by using the Windows
2000 Recovery console. This allows access to the file system whether the disk
is FAT or NTFS. All you need to gain access to a password protected Windows
XP operating system, is the Windows 2000 boot disk set, which anyone can download
free from the net, or if the person has a Windows 2000 CD, the disks can be
easily made directly from the CD, without even having to do an install. The
Windows XP system is booted with the Windows 2000 floppy disks and then the
Windows 2000 Recovery Console is used to access the XP operating system. The
most amazing and disturbing fact about this method is:
NO PASSWORD IS NEEDED!
Normally, only the Administrator can access the Recovery Console, but to do
so, he must enter the right password (unless he enabled auto logon to the Recovery
Console). With this method any password used is rendered totally USELESS—it
doesn't matter how difficult or cryptic the Administrator made the password,
because it simply is not required. The person gets instant access to the system
and can carry out whatever his mission was—to pry/steal data or to corrupt/delete
it. This major flaw then makes all the below possible
- Access to Personal Folders
By default, with the Windows XP Recovery Console, the security level is set
so that the Administrator's access to the hard drive is limited—to only
the root folder, Windows folder and Cmdcons folder. You cannot, by default,
access other folders such as Documents and Settings which contains User folders,
your Desktop, etc. or any personal folders. Try it and you will see—an
access denied message will result (unless the Administrator changed the setting).
But with the Windows 2000 Recovery Console method, this XP security setting
becomes useless. The entire hard drive becomes an open book—any folder
can be accessed.
- Copy to Floppy
Also by default , the Administrator isn't allowed to copy any files from
the hard drive to a floppy disk—an access denied message will result
here too, if you try. But not a problem for anyone who breaks into your system
using Win2K! Copying to a floppy or any other partition on the hard drive
is effortless. In the event, an access denied message does result, all the
hacker has to do is use the Set command to enable copying to removable media
by setting it to TRUE.
Incidentally, I should take a moment here to make it clear to you that though
Microsoft states that both the above activities (folder access and floppy
copy) are not allowed when using the Windows XP Recovery, it does not mean
it is not possible to do this.
I find the following statement by Microsoft misleading by the nature of it's
omission:
"When you use the Windows Recovery
Console, you can use only the following folders:
"The root folder
"The %SystemRoot% folder and the
subfolders of the Windows installation that you are currently logged on to
"The Cmdcons folder...
"If you try to obtain access to other
folders, you receive an "Access Denied" error message.
"Also, while you are using the Windows
Recovery Console, you cannot copy a file from the
"local hard disk to a floppy disk."
The truth is that in both Windows XP Pro and Home, both floppy copy and full
directory access can be easily allowed using the the registry or Policy Editor—gpedit
(registry only in XP Home)
Of course, if security is an issue, you wouldn't allow the above.
- Access to NTFS Protected Data
Truly amazing and disturbing, is the fact that not even setting NTFS file
permissions makes a difference in a hack like this. You can set full restrictions
on your personal folders, and also set them to hidden and read only, but none
of that will deny access of your data to the hacker. Your files can be read,
copied, renamed, and even DELETED. Just like it doesn't matter how difficult
the password was made, it doesn't matter what NTFS restrictions you placed.
Both become useless as a preventive measure against this type of intrusion.
As I said earlier, I used Windows XP PRO with a NTFS file system to test this
hack. I also created a desktop folder which I filled with a variety of different
file types, and then after setting the attributes to read only and hidden, I
set the restrictions to full denial by Administrator and all users. I booted
the computer with my Windows 2000 disks, and at the blue Options screen, pressed
R (F10 works too), and then C to enter the Recovery console (the
instructions are right on the screen). The XP partition was listed, I chose
it and that's all I had to do. I now had access to the password protected
Windows XP operating system and all partitions, without needing to enter an
Administrator password or any password at all. I could read, copy, rename and
delete files from anywhere on the hard drive. I tried copying files from the
restricted desktop folder to other partitions and to a floppy disk, and it was
no problem to do both. If I was a malicious person, I could have even formatted
the disk. Yup, this is a scary one and a most serious one especially in corporate
environments where data security is very important. But more vulnerable to this
type of intrusion than large corporations are the small businesses, offices
and even home situations where more advanced security measures are less likely
to be taken or known (if the impression is that Windows XP is secure, why take
extra security measures?)
This isn't the only security flaw with XP. There is also a screensaver trick,
which is probably the second easiest method of accessing a protected Windows
XP system, without the use of third party utilities. With this screensaver method,
which I also tested and which also works in Windows 2000, the hacker has the
chance of gaining full Windows logon to your system, but, it's important to
note here, that EVEN WITHOUT LOGON SUCCESS, the hacker still obtains extensive
access to the file system and can make changes to your system.
Without a successful logon, I was still able to browse the system and even
access the registry, gpedit, and the Internet, but most seriously, I was able
to view, copy, delete and move files or folders right in colorful Windows (not
the command line) However, I was not able to access NTFS restricted folders,
whereas with the 2k Recovery Console, I was. But regardless, I shouldn't have
been able to do this at all, if this was a secure system I was dealing with.
The way this trick works is based on the behavior of the Windows 2000 and XP
logon. If there is no keyboard activities for about 10 minutes after the logon
password screen appears, the screensaver—logon.scr—is loaded. Based
on this knowledge, the hacker can use the Windows 2000 Recovery Console method
to delete the original logon.scr and rename cmd.exe to logon.scr. He then reboots
the system which ends up loading an unprotected command line—cmd.exe—instead
of the screensaver, where he can try changing the Administrators password by
using the net user command.
For example, if the Administrator's name is Steve and he wanted to change his
password to letmein, he would simply type:
net user Steve letmein
He would then be able to logon fully to the system using the new password,
with the username Steve.
However, contrary to what you might have heard on the net, this is not at all
foolproof and did not work in my tests—the net user commands resulted in
an access denied message. So, I can't say who it works for. But as I already
stated, this, by no means, prevents access to the file system. You just enter
explorer.exe at the command prompt and the desktop loads and you have
the ability to browse the XP system and open folders and files, as well as copy,
move or delete them. You can also enter other app names at the command line
and they will load too, such as regedit.exe, iexplore.exe control.exe, and many
more. Access isn't full, but more than enough for a corporate or home hacker
to gain access to your personal or sensitive files and folders and to make system
changes.
For example, I was able to access the registry and remove the requirement for
an Administrators password to access the Windows XP Recovery Console and the
restriction set on copying to floppies. It was incredibly easy and it worked.
There is so much a hacker can do with this method—it all depends on his
knowledge—but fortunately this type of access is much easier to prevent.
To make your system less vulnerable to this type of hack, you should disable
logon.scr from loading at bootup. This can be done with a registry edit:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
For the value screensaver.exe, change it to none and set the
value ScreenSaverActive to No.
The main stumbling block for a hacker using this method, is gaining access
to the system to make the changes necessary (renaming cmd.exe to logon.scr)
for this to work. Using all NTFS would help here, but with this new security
hole, the Windows 2000 Recovery Console can now be used to make the changes.
It just makes the other hack easier to achieve.
For me, the Windows 2000 Recovery Console access method was the most disturbing
security flaw in Windows XP. It throws Windows XP image of being so much more
secure than other Windows operating systems, right out the "window"—pun
intended.
Note: this was the subject of an article by Brian Livingston (author
of the Windows Secrets books). He was made aware of it by a reader. So don't
just take MY word for it.
However, in his article a Windows 2000 CD was used to do this. In my testing,
a Windows 2000 CD didn't work—probably because it was an upgrade CD and
thus I received the message that Windows setup couldn't continue due to the
existence of a more updated version of Windows on the computer. I have no reason
to believe that it wouldn't work with a full version CD or a bootable Windows
2000 CD, but if anyone wants to test this out, feel free to submit your results
as feeback. If a CD works as stated in the Brian Livingston article, it magnifies
the seriousness of this XP flaw. Though physically locking the computers would
prevent accesss, that is not always possible and even if it was, it could be
highly inconvenient depending on the office or building. For example, in academic
open concept layouts where all the computers have CD-ROMs. Anyone can just pop
in a Windows 2000 CD and to take measures to prevent that can be quite a challenge
and headache.
Here is the original article for anyone interested:
XP Passwords Rendered Useless
by Brian Livingston
"Windows XP, which has been marketed by Microsoft as "the most
secure version ever," has been found to have a flaw so bone-headed that
it renders passwords ineffective as a means of keeping people out of your
PC.
"Reader Tony DeMartino alerted me to the problem, which all administrators
of Windows XP machines should immediately take to heart:
'Anyone with a Windows 2000 CD can boot up a Windows XP box and start the
Windows 2000 Recovery Console, a troubleshooting program.
'Windows XP then allows the visitor to operate as Administrator without
a password, even if the Administrator account has a strong password.
'The visitor can also operate in any of the other user accounts that may
be present on the XP machine, even if those accounts have passwords.
'Unbelievably, the visitor can copy files from the hard disk to a floppy
disk or other removable media—something even an Administrator is normally
prevented from doing when using the Recovery Console.'
"This problem is unrelated to a feature of XP that allows an Administrator
to set up automatic logon when the Recovery Console is used. Even without
the Registry entry that enables this, XP is vulnerable. (For info on that
feature, see http://support.microsoft.com/?scid=kb;en-us;312149.)
"Windows 2000, of course, doesn't allow Recovery Console users to access
a hard drive without a password, if one previously existed.
"I notified four Microsoft executives of the XP flaw weeks ago, but
haven't yet received an official response. There's no Knowledge Base article
about it, and there may not even be a good solution to the problem.
"When I've spoken with Microsoft security pros about similar problems
in the past, they've referred me to a company policy that says, "If a
bad guy has unrestricted physical access to your computer, it's not your computer
anymore."
"That's all well and good—but the fact remains that Windows 2000
doesn't allow anyone with an old CD to get password-free access, and Windows
XP does.
"My recommendation: If you use XP machines in open spaces, put the PCs
behind a locked door or put a lock on the PCs themselves. The bad guys know
about this flaw, and it's just one more thing for the good guys to protect
against."
For more info on Windows file security in general, see my article,
Windows File and Folder Security
http://personal-computer-tutor.com/abc2/v14/vic14.htm
If you're using Windows 95/98/Me, you may also want to check out my Lock&Hide
Program:
http://download.com.com/3000-2092-10111735.html?tag=lst-0-1
|
