- Gaining Administrator Access to Windows XP Professional SP2 System
- Posted by stephen-robertson on February 24th, 2006
I downloaded software from http://ebcd.pcministry.com that allowed me to gain
Administrator access to my PC by blanking the administrator password. I
could also use this software to change the password of any user that has a
local account on the computer. The software does this by modifying the
password hashes in the SAM hive of the registry.
I have set policies that require complex passwords, and passwords must be at
least eight characters. However, this seems to only affect creating or
setting passwords within Windows. Apparently, these settings aren't applied
when at the logon prompt, so anyone who has physical access to the computer
using this software could gain complete access to the system.
This is a definite weakness in the Windows security model and should be
corrected. Ideally, the logon process should not allow a user to enter a
password that doesn't meet the policies set in Local Computer Policy, even if
the password is the valid password for the account.
- Posted by Shenan Stanley on February 24th, 2006
stephen-robertson wrote:
Physical access + time + know-how, no matter the operating system - is
owning the machine and all non-encrypted data within fairly easily. That's
why the first rule in system security is still physical security.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
- Posted by Shenan Stanley on February 24th, 2006
stephen-robertson wrote:
Thought other links might interest you...
Hack your password:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Another:
http://www.thomasmathiesen.com/itak/html/software.html
LCP
http://www.lcpsoft.com/english/
John the Ripper
http://www.openwall.com/john/
L0phtCrack is/was popular as well - but I couldn't find the link quickly
(Symantec owns it.)
How to create and use a password reset disk for a computer that is not a
domain member in Windows XP
http://support.microsoft.com/kb/305478
- Posted by stephen-robertson on February 24th, 2006
"Shenan Stanley" wrote:
I agree that physical security must be the first priority. However, what
happens when your laptop is stolen and someone is then able to gain access to
the system? Even if the laptop has a BIOS password set, those are still easy
to bypass. Would you want your data at risk because Microsoft has a flawed
security model? I don't.
Stephen
- Posted by Shenan Stanley on February 24th, 2006
stephen-robertson wrote:
If you lose your laptop, leave a door unlocked, whatever - it doesn't matter
WHAT OS you have - any unencrypted data is owned if the person wants it, has
time and some know-how. *nix, MacOS, Windows - doesn't matter. If you did
not take steps beyond the logon password to protect your data from prying
eyes - and lapsed on physical security or lost your laptop/thumb
drive/whatever - then you are digging your own grave. Passwords never have
been more than a nuisance to a hacker unless they are associated with some
form of data encryption as well.
*You* have to be responsible for the safety of your data.
Encrypt it. That's pretty much the safest method these days for situations
like the one you describe.
Be sure you understand the encryption model you use (and how to
backup/restore the keys, certificates, etc.)
Windows XP Professional and supersets thereof have this ability built in.
- Posted by stephen-robertson on February 24th, 2006
"Shenan Stanley" wrote:
I do encrypt my data, and I did not create any Designated Recovery Agent for
EFS. Otherwise, if I did lose the laptop and someone gained Administrator
access to the system, that person could then decrypt my data. Even if the
Administrator account is not a Designated Recovery Agent, someone could
simply change the passwords of every user account on the system, log in to
each one, and attempt to decrypt the data. If another user account was a
Designated Recovery Agent, eventually the encrypted data would become
accessible.
Stephen
- Posted by stephen-robertson on February 24th, 2006
"Shenan Stanley" wrote:
I also agree that passwords provide a false sense of security. However,
most people only rely on passwords for security and don't use any type of
encryption. When was the last time you heard Microsoft advertising data
encryption as a feature of their operating systems? Microsoft's file
encryption implementation almost guarantees that only advanced users would
take advantage of it. Otherwise, it wouldn't be "hidden" in the Advanced
properties page for files or folders.
My point is that Microsoft's security model fails when someone can gain
unauthorized physical access to a computer, and Microsoft needs to design for
that.
Stephen
- Posted by Shenan Stanley on February 24th, 2006
stephen-robertson wrote:
  You **should** back up the recovery agent Encrypting File
  System (EFS) private key if you are using EFS. It just *should be
  done*. Unless you do it in a stupid manner, your data is still
  safe.
How to back up the recovery agent Encrypting File System (EFS)
private key in Windows Server 2003, in Windows 2000, and in
Windows XP
http://support.microsoft.com/kb/241201/
Notice this part:
"Important - After you export the private key to a floppy disk
or other removable media , store the floppy disk or media in
a secure location. If someone gains access to your EFS private
key, that person can gain access to your encrypted data."
So yeah - if you store said media with the machine - sure, the
person who now has your laptop/control of your physical computer
will have an easier time of recovering your data.
Perhaps you should read this document:
Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/
  As it seems like you are not following the best practices at
  all, particularly:
"Teach users to export their certificates and private keys
to removable media and store the media securely when it is
not in use. For the greatest possible security, the private
key must be removed from the computer whenever the computer
is not in use. This protects against attackers who physically
obtain the computer and try to access the private key. When
the encrypted files must be accessed, the private key can
easily be imported from the removable media."
  You have to know how to use the tools properly before they
  become useful. EFS is advertised in Windows XP Professional.
  It is indeed listed as one of the differences in almost all
  comparison charts I have seen. It's dangerous because most
  people do not bother to read the best practices guide or even
  the built-in help on the subject before using it. They end up
  losing data because they have no backup agent, didn't know
  they even should have one, redo their system and can no
  longer (ever) access their data. You can search the Internet
  for the stories of people who have done this and THEN
  learned how to properly use the tools.
  Someone gains physical access to your data and it is not
  encrypted and/or you did not follow the best practices for
  encryption, then it's theirs, no matter who designed the
  operating system. When you lose your wallet, everything
  in there is the finder's. That's probably why you are more
  careful with your wallet and follow some common sense rules
  when you have large amounts of cash in it. Same thing with
  your computer security.
  When does the design of better protection end and the use of
  more common sense and education of the end-user begin?
  A good method of protection without learning its proper usage
  is almost as worthless as using no protection at all.
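The key-handling routine the two KB articles above describe (back up the EFS certificate and private key to removable media, keep the key off the machine when it is not in use, then scrub the free space), as an added example that is not part of the thread. It is written for a current Windows client where cipher.exe has the /x backup switch and the PowerShell certificate provider is available; on XP the same export and "delete the private key" steps are done through the certificate export wizard that KB241201 walks through. The backup path on E:\ and the assumption that E:\ is removable media the user carries away are mine, not the thread's.

```powershell
# Added example, not code from the thread. Run as the EFS user, elevated.
# Assumed: E:\ is removable media that leaves the laptop with the user.
$Backup = "E:\efs-backup\efs-$env:USERNAME"   # assumed backup path

# 1. Identify the certificate EFS uses for this user. Enhanced key usage
#    OID 1.3.6.1.4.1.311.10.3.4 is "Encrypting File System".
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.4.1.311.10.3.4" }
if (-not $efsCert) { throw "No EFS certificate in the user store; encrypt a file first." }
$efsCert | Format-List Subject, Thumbprint, NotAfter

# 2. Back up certificate and private key to a password-protected PFX.
#    cipher /x prompts for the PFX password and writes "$Backup.pfx".
cipher /x:$Backup
if (-not (Test-Path "$Backup.pfx")) { throw "Backup not written; do not delete the key." }

# 3. Inventory the encrypted files that depend on this key before touching it.
cipher /u /n

# 4. Only after the PFX has been verified and stored away from the laptop:
#    remove certificate AND private key from the machine (the "delete the
#    private key if the export is successful" step), so someone who resets
#    the logon password and logs on as you finds no key to decrypt with.
$efsCert | Remove-Item -DeleteKey

# 5. Overwrite free space so deleted copies of the key and plaintext remnants
#    of the files are gone. Slow: it writes over the whole free area.
cipher /w:C:\

# To work with the files again, import the backup (prompts for the PFX password):
#   certutil -user -importPFX "$Backup.pfx"
```

Step 4 is the one that actually changes the threat model the thread is arguing about: with the key gone, an offline password reset yields a logon that cannot open the files, and the attacker is left with the AES-protected file keys. Step 5 matters because the deleted key container and any earlier plaintext copies otherwise remain recoverable from unallocated space.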
- Posted by Malke on February 24th, 2006
stephen-robertson wrote:
Stephen, you're completely missing the point because you don't
understand about computer security. As Shenan told you, any computer
running *any* operating system can be gotten into by someone with:
1) physical access; 2) time; 3) skill; 4) tools.
A better solution for laptops is to look at what a company like Lenovo
(formerly IBM) provides at a *hardware* level. If one uses the full
protection available, it doesn't matter *what* operating system is in
use - the laptop will not be accessible even with a new hard drive and
the hard drive will not be accessible even in a different computer.
This is not an operating system issue.
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
- Posted by coal_brona@hotmail.com on February 24th, 2006
Hi,
The login password can be reset using the Active@ Password Changer tool. That
is a really useful tool that has never failed me and works simply
great. It literally saved me once in a situation when the password
was lost or forgotten.
http://www.password-changer.com/
- Posted by stephen-robertson on February 24th, 2006
"Shenan Stanley" wrote:
Thanks for the information. I did export my certificate and private key,
and I checked the box that says to delete the private key if export is
successful. However, will I need to have the removable media containing the
certificate and private key available every time I want to access my
encrypted files?
Stephen
- Posted by Shenan Stanley on February 24th, 2006
Stephen wrote:
They are backups - not what it uses all the time.
It's in case something happens (like your password gets changed through
unconventional means, machine gets wiped, etc.) - then you can use the
backup to recover access to your data (if you have it.)
- Posted by Steven L Umbach on February 24th, 2006
That was true in Windows 2000 but not in Windows XP. If a local user account
password is reset, an attacker will NOT be able to logon with the reset
password and access the EFS encrypted files. Now an attacker could logon as
an administrator, install a password hash cracking program to try and
recover a user's password and then logon with the correct password to access
the files. If you use a complex passphrase of at least 15 characters [which
also disables it from being stored with an LM hash] then it will become almost
impossible to recover your password. If you export and delete your EFS
private key, and assuming no other can decrypt the files, then the files are
safe from opening and the only possibility would be to try and brute force
AES 256 encryption, which is not going to happen anytime soon. Ideally for
maximum confidentiality you want to run cipher /w after deleting the EFS
private key to overwrite free disk space to eliminate any traces of the
private key or clear copies of the EFS files if any existed. Users that
logon with cached domain credentials have their passwords stored very
securely and they are not stored in the local SAM. I have yet to hear of a
verified successful attempt to recover such, though an attacker could resort
to simple guessing and maybe get lucky. --- Steve
- Posted by Bruce Chambers on February 25th, 2006
stephen-robertson wrote:
And yet, you don't seem to understand the concept.
It means that *your* security model was flawed.... Nothing whatsoever
to do with Microsoft or any other operating system maker.
--
Bruce Chambers
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin
Is life so dear or peace so sweet as to be purchased at the price of
chains and slavery? .... I know not what course others may take, but as
for me, give me liberty, or give me death! -Patrick Henry
- Posted by Colin Nash [MVP] on February 26th, 2006
Like others have said, encryption and/or physical security is the only way
to protect your data.
That said, there is room to improve this. Microsoft is working on a new
feature in the next version of Windows (Vista) so that using encryption is
more seamless and easier to use.
http://www.microsoft.com/technet/win...4d762cf31.mspx
Another interesting article:
http://www.microsoft.com/technet/arc.../10imlaws.mspx
--
Colin Nash
Microsoft MVP
Windows Shell/User