-
May 8th, 2007, 10:55 PM
#11
i did briefly read that one could access such data/passwords that were just recently stored on those machines, not using admin account. files created for the specific user was meant to hasten access time to that user, because it takes much longer to talk to network server everytime and would slow down the network if server kept getting spammed by old users.
That is incorrect. XP holds the last 10 login/passwords by default. The idea is that users can still log in even if the domain controller or ADS tree cannot be found.
The question of recovering a password would depend on how the machine was accessed. If you want to stop it you have to make sure that the machine is locked down and locked up (physically). If people can boot from live CDs you won't be able to stop it.
-
May 8th, 2007, 11:06 PM
#12
Originally Posted by nihil
The question of recovering a password would depend on how the machine was accessed.
what do u mean here?
-
May 9th, 2007, 12:22 AM
#13
I am referring to the fact that if a user can access the BIOS set up or if the machine will boot from a CD, DVD, USB drive, floppy or whatever, they can bypass the Windows boot process and its security settings, and extract the password hashes.
You can lock the BIOS and thus the boot sequence, but you would need to lock the device physically to prevent the BIOS from being reset or reflashed
This is a typical security problem in the type of public environment that you describe. The more you lock down the machines the less functional they become. On the other hand the more functionality you allow users, the more exposed you are.
-
May 9th, 2007, 09:51 AM
#14
e><ius,
It seems to me that it would be useful if we defined the particular environment you are concerned with?
My understanding is that it is a college or PRIVATE library scenario, where you do have an identifiable authorised user community?
In effect, users can move around the premises and use various machines to access servers to which they are authorised, and which authenticate them as bona fide users?
Because there are numerous users, the same machines can be used by a number of people?
Your problem is that Windows NT systems store the last 10 login credentials (including the password hash), and you are concerned that a malicious user could retrieve these?
My suggestion is that there is no real benefit in storing the logins on local machines anyway?
Please check these instructions for preventing the local storage of login credentials (set the value to zero):
http://www.windowsnetworking.com/nt/.../rtips36.shtml
If they are not stored, they cannot be retrieved and abused
OK, if your servers go down then your users will not be able to login to their profiles, but that is the price you have to pay.............. well, they have to pay, to be precise
-
May 9th, 2007, 11:14 AM
#15
well, if the server is down theres not a lot you can do anyway. No home area.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
-
May 9th, 2007, 11:35 AM
#16
That is true, I was thinking more of commercial and administrative environments where you may want a local "thick client" capability.
That should not be a problem as these areas would normally have much better physical security than student labs and libraries.
Similar Threads
-
By ThePreacher in forum Miscellaneous Security Discussions
Replies: 17
Last Post: December 14th, 2006, 09:37 PM
-
By Isellcrack4FBI in forum AntiOnline's General Chit Chat
Replies: 2
Last Post: July 4th, 2002, 02:40 PM
-
By E5C4P3 in forum The Security Tutorials Forum
Replies: 10
Last Post: June 12th, 2002, 04:54 PM
-
By Noble Hamlet in forum AntiOnline's General Chit Chat
Replies: 1100
Last Post: March 17th, 2002, 09:38 AM
-
By s0nIc in forum Network Security Discussions
Replies: 0
Last Post: February 18th, 2002, 12:53 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|