Windows XP Login Hack

[nihil]

Yes, it does assume trust. I believe that there are third party applications that will improve the security by ensuring that the original session remains locked, and requires a user password to reactivate access.

In response to AObaba's request for a "workaround":

I suspect that the hotkey that will bring up the user switching uses the "Windows Key". You can disable this in the Registry if you want:

http://www.intelliadmin.com/blog/200...s-hotkeys.html

Another approach would be to select your own hotkey sequence rather than the default

I do not accept that this is a "security breach", as it is how fast user switching is supposed to work. I have no use for FUS so I have it turned off.

I can't remember but I think that it is "on" by default? I also seem to recall that the default hotkey might be WinKey + S.

It could be a security issue, however, if your machine is used by other persons whilst unattended. But, I would consider this to be a user created problem, just as if you left your workstation logged on and unattended. The obvious solution is to logout.

I would also point out that fast user switching is supported by Mac OSX and some of the latest Linux distros, but I do not know if they behave the same as Windows.

[AOBaba]

Yes by master admin I do mean the default admin. I know this story seems out of it and I to would not believe it if it hadn't happenned to me.

My purpose of this post was not to listen to others ridicule me. If someone has any knowledge of this then please enlighen the rest of us.

I got this website from a post that I found regarding a very similar incident. I tried to dig up the original post but it was old and removed. I was hoping that my post may refresh someones memory.

Please if you have any knowledge on this subject share or please keep your comments to yourselves. I respect websites like this where people share thier knowledge and help others in thier computer related problems. There is enough crap in this world, don't let it spread here .

[nihil]

If you bother to read my last two posts you will see a full explanation.

FUS is working entirely as intended and designed. If you don't believe me, just Google for "Fast User Switching" and read the Microsoft knowledgebase articles about it, particularly the one about its architecture.

It is intended to allow two people to share a single computer without the need for one of them to log off. Obviously this means that the user of the second session can restore the first session with all the rights of that user. This is because it was legitimately opened and hasn't been closed.

There is no rocket science, no hidden agenda, no conspiracy theory.................. that is how FUS works, period.

The feature is designed to make things easier for people in a home environment who need to be able to share a computer at short notice. If you do not believe this, please explain to me why you cannot run FUS on an XP pro box that is part of a Windows 2000 Server domain???????????

The very concept of FUS in a corporate network is a security breach. You might as well have the box running Windows 98SE.

In your case, this breach is compounded by the fact that you seem to log on with the default administrator account If you are going to use FUS, you should never leave an account with administrator rights open. In fact the general, collective wisdom is that you should ONLY log in as administrator when you absolutely need to; and then log off as soon as you are done.

[ Please check out the "run as" functionality if this is a problem]

As for "ridicule"............. you ought to know by now that to go to an internet forum requires you to have a pachydermal personality.

Also "crying wolf" is likely to get you a less than sympathetic reaction.

Your cousin spun you a bullshit yarn, and you bought it....... I found that rather amusing......... he pulled your chain and you fell for it

Just look at it realistically? if you are a professional developer you don't leave systems with gaping security holes in them; and if you did, you sure as hell wouldn't mouth off about it. Unless, of course, you had ambitions of flipping burgers or throwing trash for the rest of your life.

[Computernerd22]

In your case, this breach is compounded by the fact that *you* seem to log on with the default administrator account If you are going to use FUS, you should never leave an account with administrator rights open. In fact the general, collective wisdom is that you should ONLY log in as administrator when you absolutely need to; and then log off as soon as you are done.

Exactly.

By default, the name Administrator is given to the account with full control over the computer.

To increase security, start by renaming the Administrator account and then creating an account named Administrator without any permissions. That way, even if your cousin is able to log on as Administrator, he won't be able to access any system resources.

Your cousin spun you a bullshit yarn, and you bought it....... I found that rather amusing......... he pulled your chain and you fell for it

He fell for it hook, line and sinker! I bet your cousin was laughing his ass off at you. I know I was.

Cheers, CN22

[acidtone]

http://seclists.org/vuln-dev/2001/Dec/0239.html

*Near the bottom of the page, the person talks about a fake logon screen}

This one {trojan} was usable not long after XP came out, but i'm pretty sure that sp2 had a patch that fixed that one. so me thinks you need to updatez ur box ya'h?
ohh and tell your cousin he's dreaming..

[nihil]

CN22, I take the point, and whilst you are at it, I would also recommend disabling the "Guest" account that is a default in XP. Do not delete it, but allow it to be found as useless? If you need one, create another of your own and call it something different.

The danger there is that the account seems reassuringly incompetent, but is a known access portal, and could be used in conjunction with an escalation of privileges exploit?

To return to the original theme of the thread: It seems to be rather a matter of understanding your own personal "security model" and tailoring your system to comply with this?

For example, this is a stand alone box that my wife sometimes uses. She has another box with software more suited to herself that we also both use. We use a common logon because this is what I would call a "trusted environment" that is physically secure. I have turned off all services that are not required such as file sharing, networking and printer sharing, although we do share a printer by means of a simple physical switching box.

The fundamental principles as I see them are:

1. If you don't use a service, disable it.
2. If you don't use an application ALL the time don't let it load at startup.

This seems to make good sense to me from a security angle because it minimises the targets for exploit. Also, if you are running a service that you do not need or use, you are unlikely to understand how it works, or to keep an eye on security issues relating to it.

From another angle, the less you have running, the fewer resources you are using, so your system should run better? Speed, contention, conflicts and so on?

With specific reference to "Fast User Switching" (FUS):

This is a utility to allow several people to use the same desktop hardware at the same time; whilst retaining their own personal identities and settings, and their current logged in session.

In effect, it is an attempt to make NT systems work somewhat like the old "home user" OSes Microsoft sold.

It should be noted that it is intended for a trusted environment, and is fundamentally insecure. This insecurity would be exacerbated if one of the logged on accounts had administrator rights.

In any eventuality, one is able to traverse through the logged in sessions and restart them as if you were the user who originally started the session.

This is by design, it is not a weakness, unless you allow it to become one.

If you REALLY DO have a need for this Windows facility, I would strongly recommend that you look at third party solutions that permit retaining ongoing sessions whilst requiring original user login credentials to reactivate the session.

Otherwise, you should logout of any session that has enhanced privileges.

If you want an audit trail, then you can get physical token systems from third parties.

[JPnyc]

Yes, and it also improves performance by not allowing valuable ram to be wasted on services/programs that aren't being used.

[nihil]

Hi JPnyc, to avoid taking this thread too far off its tracks, I have started a new thread here:

http://antionline.com/showthread.php?t=275359

I think that it is an interesting enough side topic to discuss how people handle the security requirements of multiple users needing differentially authorised access to a shared hardware resource.

We obviously agree that performance issues run side by side with security here................. in fact I find it a big grey (gray) area when systems instability gets involved. I am thinking of the potential security implications of destabilising a system?

[jockey0109]

I agree with all senior members here. After reading all the posts till, now, I am speechless. Of course I too think that this is one of those several lies which many users (even experienced ones) start believing in that it is true! Now there is something called as 'over the shoulder hack' where a person can look up the keys pressed by a user while he was entering the password.

If AOBaba is not sure about if it has never happened to him, I think this is what would have happened.

Another small point which I think you could ask to your cousin: "Which portion of Windows did his 'former Microsoft developer' work upon?"

I think if your cousin takes too much time to answer that question, in most probabilities, he may be lying. I do not have anything more to say as all of what I could think has already been discussed.

Of course if your computer is really patched with all latest updates, it is very unusual that such a hack exists. Even if it would have exitsed, it must not have gone unseen in the 6 year lifetime of windows by any hacker, developer all over the world!

[not_it]

Vulnerability in IBM Windows XP default hidden Administrator account allows local Administrator access
http://www.secnap.com/alerts.php?pg=5

Windows Vista vulnerable to Sticky Keys exploit
http://www.avertlabs.com/research/blog/?p=218