Date: Mon, 28 Jul 2008 07:26:02 +1000
From: "Greg" <bugtraq1@...andyman.com.au>
To: <bugtraq@...urityfocus.com>
Subject: RE: Windows Vista Power Management & Local Security Policy



-----Original Message-----
From: Abe Getchell [mailto:me@...getchell.com] 
Sent: Friday, 18 July 2008 12:39 PM
To: bugtraq@...urityfocus.com
Subject: Windows Vista Power Management & Local Security Policy

> When the security option "Shutdown: Allow system to be shutdown without
> having to log on" (in the local security policy) is set to "Disable", and
> the power management setting "When I press the power button" is set to
> "Shut Down", it is possible for an unauthenticated user to press the power
> button at the Windows logon screen and gracefully shutdown the system. The
> explanation of this security option, taken from the local security policy,
> is as follows:

I came into this late but I just had to comment on the above - apologies if
it already happened.

Since Win ME, you have been able to push the power button to gracefully shut
down the computer (note I am not talking about servers that may have been
altered by people with a clue but just home computers, terminals in an
office that don't have someone looking after them who knows what they are
doing etc). In some cases where, for whatever reason, the computer goes
crappy and loses contact with the keyboard and mouse, this has been the way
to shut it down without risking data by turning the power off or hitting the
reset button.

Personally, I don't feel that scenario is a risk because the person is there
to begin with to press the button. There comes a point where the person to
blame for a security issue must be the person who hired the one pushing the
button to shut the machine down. Not everyone is honest but if you hire
staff you have to assume they are going to do something stupid, even if
accidentally, from time to time. I would prefer someone able to shut the
machine down by pushing the button. I can't see why I would have to get up
and drive 90 minutes to do that to a machine that is playing up when the
person reporting that problem to me is presumably standing in front of it.
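
An added example, not part of either message in this thread: a PowerShell check that reports the two settings the quoted report describes and flags the combination it is about. It assumes English-language `powercfg` output; the variable names and the numeric-to-label mapping are this example's own.

```powershell
# Added example: audit the policy and the power-button action discussed above.
# Assumption: powercfg prints English "Current AC/DC Power Setting Index" lines.

# Registry value behind "Shutdown: Allow system to be shut down without having to log on"
# (0 = Disabled, 1 = Enabled).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyPath -Name ShutdownWithoutLogon -ErrorAction SilentlyContinue
$shutdownWithoutLogon = if ($null -eq $policy) { $null } else { [int]$policy.ShutdownWithoutLogon }

# Power-button action of the active power plan, on AC and on battery (DC).
$labels = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
$actions = @{}
foreach ($line in (powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION)) {
    if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
        $actions[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
    }
}

# Report what was found.
if ($null -eq $shutdownWithoutLogon) {
    'ShutdownWithoutLogon: value not present'
} else {
    "ShutdownWithoutLogon: $shutdownWithoutLogon"
}
foreach ($source in 'AC', 'DC') {
    if ($actions.ContainsKey($source)) {
        $value = $actions[$source]
        $label = if ($labels.ContainsKey($value)) { $labels[$value] } else { 'Unknown' }
        "Power button on ${source}: $value ($label)"
    } else {
        "Power button on ${source}: not reported by powercfg"
    }
}

# The combination from the quoted report: policy disabled, button still shuts down.
if ($shutdownWithoutLogon -eq 0 -and ($actions.Values -contains 3)) {
    Write-Warning 'Policy is Disabled, but the power button is set to shut the system down.'
    # To make the button do nothing on the active plan:
    #   powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
    #   powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
    #   powercfg /setactive SCHEME_CURRENT
}
```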

