Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKAAAAQAAAAtJa3PVSM7kCcGxoCbmy6BQEAAAAA@yahoo.com>
Date: Fri, 14 Mar 2003 21:31:01 +0200
From: "Eitan Caspi" <eitancaspi@...oo.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: [EC-SA-01.2003] Windows XP "welcome screen" exposes the names of all the members of the local administrators group
Hello Andrew,
1. Thanks a lot for your note about the way to remove users from the
"welcome screen".
I am sorry I was not aware of this workaround when the advisory was
published.
It is a shame MS doesn't add this procedure to its KB (as far as I
searched there).
I have tested this and, as promised... - it works fine on both normal
boot and "safe mode" boot.
So, this is a very good workaround until MS fixes this permanently.
Applying this to all local users with administrative privileges will be
a good practice, although it will force them to do a CTRL+ALT+DEL with
each logon. A bit annoying, but we do it all for security...
2. Regarding the "flaw" in my report: my report concentrated on Windows
XP and the "welcome screen" only (thus referring to local access only) -
so I didn't see any reason to mention any non-directly-related issues.
Again, I wish to thank you for bringing this workaround to my attention
(and to that of the other subscribers of this list).
Regards,
Eitan Caspi ( eitancaspi@...oo.com )
Israel
Direct solution:
> No direct solution at this time.
>
>
> Workaround:
> Avoid using the welcome screen and use only the normal logon screen.
>
http://www.kellys-korner-xp.com/xp_wel_screen.htm
or
http://www.google.com/search?q=%2BSpecialAccounts+%2BWindows+%2BXP
Well-known and supported way to remove/hide users from the Welcome screen.
Also I would like to note that there is a flaw in your report.
Any user can retrieve lists of users and shares in the default configuration
for NT4 and W2K using "null sessions". XP has some changes.
This was already discussed in
http://cert.uni-stuttgart.de/archive/focus-ms/2002/03/msg00088.html
Just want everything to be clear,
--
Andrew G. Tereschenko
TAG Software Research Lab
Odessa, Ukraine