
Thread: Winxp Multi-user cross-accessing info/pw/etc?

  1. #11
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I did briefly read that one could access such data/passwords that were just recently stored on those machines, not using an admin account. Files created for the specific user were meant to hasten access time for that user, because it takes much longer to talk to the network server every time and would slow down the network if the server kept getting spammed by old users.
    That is incorrect. XP holds the last 10 login/passwords by default. The idea is that users can still log in even if the domain controller or ADS tree cannot be found.

    The question of recovering a password would depend on how the machine was accessed. If you want to stop it you have to make sure that the machine is locked down and locked up (physically). If people can boot from live CDs you won't be able to stop it.

  2. #12
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Quote Originally Posted by nihil
    The question of recovering a password would depend on how the machine was accessed.
    What do you mean here?

  3. #13
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am referring to the fact that if a user can access the BIOS set up or if the machine will boot from a CD, DVD, USB drive, floppy or whatever, they can bypass the Windows boot process and its security settings, and extract the password hashes.

    You can lock the BIOS and thus the boot sequence, but you would need to lock the device physically to prevent the BIOS from being reset or reflashed.

    This is a typical security problem in the type of public environment that you describe. The more you lock down the machines the less functional they become. On the other hand the more functionality you allow users, the more exposed you are.

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    e><ius,

    It seems to me that it would be useful if we defined the particular environment you are concerned with?

    My understanding is that it is a college or PRIVATE library scenario, where you do have an identifiable authorised user community?

    In effect, users can move around the premises and use various machines to access servers to which they are authorised, and which authenticate them as bona fide users?

    Because there are numerous users, the same machines can be used by a number of people?

    Your problem is that Windows NT systems store the last 10 login credentials (including the password hash), and you are concerned that a malicious user could retrieve these?

    My suggestion is that there is no real benefit in storing the logins on local machines anyway?

    Please check these instructions for preventing the local storage of login credentials (set the value to zero):

    http://www.windowsnetworking.com/nt/.../rtips36.shtml

    If they are not stored, they cannot be retrieved and abused.

    OK, if your servers go down then your users will not be able to log in to their profiles, but that is the price you have to pay... well, they have to pay, to be precise.
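As an added example (not code from the thread or from the linked tip), here is a PowerShell audit of the setting nihil is describing. It assumes a Windows version with PowerShell and reads the Winlogon value CachedLogonsCount, which is the registry value that controls how many domain logons are cached; setting it to 0 is the "set the value to zero" step.

```powershell
# Added example, not from the thread: audit and optionally clear the number of
# domain logons Windows caches locally. CachedLogonsCount under the Winlogon key
# is the value the linked tip refers to; 0 disables caching, the default is 10.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # value absent => Windows default of 10
    return [int]$item.CachedLogonsCount  # stored as REG_SZ, hence the cast
}

function Set-CachedLogonsCount {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
    }
}

$current = Get-CachedLogonsCount
if ($current -eq 0) {
    Write-Output "CachedLogonsCount = 0: no domain logon credentials are cached on this machine."
} else {
    Write-Output "CachedLogonsCount = $current: the last $current domain logons are kept locally."
    Write-Output "Shared-use machine? Preview with: Set-CachedLogonsCount -Count 0 -WhatIf"
}
```

The change takes effect for subsequent logons, and once it is 0 a domain user cannot log on while the domain controller is unreachable, which is exactly the trade-off nihil describes.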

  5. #15
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    Well, if the server is down there's not a lot you can do anyway. No home area.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  6. #16
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    That is true, I was thinking more of commercial and administrative environments where you may want a local "thick client" capability.

    That should not be a problem as these areas would normally have much better physical security than student labs and libraries.
