RE: Windows XP security concerns

From: Geoff Sweet (gsweet@worldvision.org)
Date: 12/20/01 

From: "Geoff Sweet" <gsweet@worldvision.org>
To: "'Tomasz Polus'" <Tomasz_Polus@bsi.net.pl>, <bugtraq@securityfocus.com>
Date: Thu, 20 Dec 2001 10:42:13 -0800

Commenting on the loss of user data below: I don't think this is a critical
issue. By default Win2K/XP adds the local Administrator as a Encrypted Data
Recovery Agent. So while the pain-in-the-arse factor is there of needing to
reset the password via the admin account, any encrypted data won't be lost
due to loss of private key. The Administrator can still recover the data,
then the user can re-encrypt it with his/her new credentials.

Geoff Sweet
Systems Engineer
World Vision (www.worldvision.org)

II. Problem with reset password disk

Windows XP introduced a new feature - "Password Reset Disk", which can
be used
to recover user account and personalized computer settings if a user
forgets
his password.

The problem is that in certain conditions (Minimum password age <> 0)
user may not be able to reset his password using above mentioned disk
and the only solution is the reset password feature available to the
Administrator.
First, make sure the "Minimum password age" policy is set to a value
other than 0.
Now, supposing the user forgets his password before it's age expires,
he will not be able to reset it with the disk until the password
expires.

What's more, changing password by an Admnistrator using MMC or control
panel
(in other words - GUI) leads to user data loss (i.e. EFS files)
because of
private key loss.
The only solution seems to be "net user" command issued by an
administrator.

Relevant Pages

  • Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER
    ... Take a look around - God is everywhere - His Creation is AWESOME... ... Administrator access in Directory Services Restore Safe Mode. ... This reset the local policy back to ... That pretty much makes running from a CD boot not an option. ...
    (microsoft.public.win2000.security)
  • Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER
    ... After installing a parallel copy of WIN2K SERVER, ... Administrator access in Directory Services Restore Safe Mode. ... This reset the local policy back to ... manual security reset. ...
    (microsoft.public.win2000.security)
  • Re: Windows Password
    ... this will enable you to reset any system password on an NT class ... Select Administrator and it will log you on as administrator without a password ... >> (Most likely a password wasn't created in this hidden account during setup). ... >> How to Log On to Windows XP If You Forget Your Password or Your Password Expires ...
    (microsoft.public.windowsxp.accessibility)
  • Re: WinXP Pro - Lost admin pwd
    ... L0pht Crack or John the ripper can crack the password for you so that ... A more preferable method would be to reset it to something you know, ... go to users and pick the Administrator ... In the user account type administrator, ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: Administrator password unavailable
    ... >> I have done both of those, but I did not see an option to reset the ... > administrator account on the computer, or if the original administrator ...
    (comp.sys.mac.system)