Windows XP security concerns

• Previous message: Bil Corry: "Windows Critical Update"
• Next in thread: David LeBlanc: "Re: Windows XP security concerns"
• Reply: David LeBlanc: "Re: Windows XP security concerns"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 19 Dec 2001 17:51:32 +0100
From: Tomasz Polus <Tomasz_Polus@BSI.NET.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello ntbugtraq subscribers,

Below is a description of three security problems
with Windows XP Professional, which we think are
bugs - not features. We are actually writing a book
about Windows XP security and need to clarify these concerns.
Please express you opinions and let us know if you find these
problems important to Windows XP security.

System affected: Windows XP Professional in a workgroup.

I. Problem with account locking due to fast user switching

Fast user switching is a new Windows XP feature,
which allows simultaneous loging on of more than one user.
It is based on Terminal Services technology and runs unique
user sessions that enable each user's data to be entirely separated.
Fast User Switching is enabled by default on a stand-alone
or workgroup-connected computer. It is not available in domains.

While extensively using this new feature, we found that it locks
out accounts on our machine.
Please try this on your Windows XP computers:

        1. Set the account lockout threshold to 3 attempts.
        2. Create 10 user accounts with user level privileges (User1 -
User10).
        3. Logon using User1 account.
        4. Using fast user switching, logon using User2 account.
        5. Use fast switching to change from User1 to User2 3 times.
        6. Attempt to logon using User3 account.

At this point, every account on the machine would be locked out
(except Administrator account of course).
Security Log would now show logon failure (ID529) and account locked
(ID539)
entries. Please see attached ZIP file with event log entries.
We have also found, that there is no need to switch between _two_
users.
Even switching between _one_ user (logging on and logging off using
fast
user switching) results in all acounts being locked out.

We notified Microsoft on December the 5th, 2001 and received the
following
reply from Microsoft Security Response Center:

From: Microsoft Security Response Center [mailto:secure@microsoft.com]

Sent: Wednesday, December 12, 2001 10:54 PM
To: Tomasz Polus
Cc: Microsoft Security Response Center
Subject: RE: Fast User Switching blocks user accounts [cb]
[...] "Fast User Switching is a feature that's designed primarily for
home users.
One thing that Fast User Switching does is to check local accounts for
blank
passwords to determine if a prompt should be provided for a particular
user or not.
Users who have elected to maintain blank passwords are not shown the
prompt
for their account when they switch accounts. Because of this, if
account lockouts
are enabled in conjunction with Fast User Switching, it is possible
for this
feature to inadvertently lockout accounts.
If you want to enable the account lockout feature, it's recommended
that you
not use the Fast User Switching feature.
I hope this is helpful in clarifying what you are seeing.
Please let us know if you have any questions or concerns." [...]

As you can see, Microsoft admitted this to be a problem and
recommended
not to use fast user switching in conjunction with Account Lockout.
We see this as a significant limitation on the new feature,
and/or a forced downgrading of security settings.

2. Problem with reset password disk

Windows XP introduced a new feature - "Password Reset Disk", which can
be used
to recover user account and personalized computer settings if a user
forgets his
password.

The problem is that in certain conditions (Minimum password age <> 0)
user may not be able to reset his password using above mentioned disk
and the only solution is the reset password feature available to the
Administrator.
First, make sure the "Minimum password age" policy is set to a value
other than 0.
Now, supposing the user forgets his password before it's age expires,
he will not be able to reset it with the disk until the password
expires.

What's more, changing password by an Admnistrator using MMC or control
panel
(in other words - GUI) leads to user data loss (i.e. EFS files)
because of private
key loss.
The only solution seems to be "net user" command issued by an
administrator.

3. Remote Desktop sends recently used username in plaintext

This problem was first detected by Szymon Nowak - we made the tests
and drew
the final conclusions.

Remote Desktop client remembers account name which has been used
recently
to establish RD session with another machine.
When sniffing the network, Szymon found that RD client has send login
to the other
computer in plain text. We clarified that what was actually sent is
not a user account name
on the destination machine, but username which has been used recently
to logon with RD client.
However, assuming that the logon is made to the same computer as
recently,
RD client sends in clear text user account name present on the
destination computer.
In some cases, this can pose a big security risk. For example, if RD
client is used
by users connecting to a terminal server, the attacker can sniff all
the TS user accounts.

We're very interested in your opinions about all these problems.
Please try this at your machines and let us now if these are common,
so we could find versions affected.

Regards,

-- 
Tomasz Polus
tpolus@bsi.net.pl
BSI Sp. z o.o. <http://www.bsi.net.pl>
======================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
======================================
Protect your servers with 128-bit SSL encryption!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will
learn everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security.  Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016065650057000
======================================

• Previous message: Bil Corry: "Windows Critical Update"
• Next in thread: David LeBlanc: "Re: Windows XP security concerns"
• Reply: David LeBlanc: "Re: Windows XP security concerns"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Windows XP security concerns ... about Windows XP security and need to clarify these concerns. ... Problem with account locking due to fast user switching ... While extensively using this new feature, ... every account on the machine would be locked out ... (Bugtraq) [NT] Windows XP Security Concerns (Fast Switch, Password Reset, Remote Desktop) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Fast user switching is a new Windows XP feature, ... Set the account lockout threshold to 3 attempts. ... (Securiteam) Re: Windows XP security concerns ... > using fast user switching) results in all acounts being locked out. ... Setting account lockout in general is a bit of a nuisance which normally ... > and/or a forced downgrading of security settings. ... (NT-Bugtraq) Re: all accounts locked out ... If your built-in Administrator account is locked out from ... Fast User Switching blocks user accounts "Fast User Switching is a feature that's designed primarily for ... feature to inadvertently lockout accounts. ... (microsoft.public.windowsxp.security_admin) Re: Enabling ctrl+alt+del to lock screen in windows xp ... ok so it took me a while to get this account, ... off both fast user switching, and the welcome screen, then go to run ... and enter "control userpasswords2" and the advanced tab is right there, ... > Is it possible to use this feature in XP? ... (microsoft.public.windowsxp.basics)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint