Microsoft KB Archive/818200



An attacker with physical access to a computer may be able to access files and other data

Article ID: 818200

Article Last Modified on 12/3/2007



APPLIES TO

  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Starter
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
    • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
    • Microsoft Windows Server 2003 R2 Standard x64 Edition
    • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
    • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition 2005
  • Microsoft Windows XP Media Center Edition 2005
  • Microsoft Windows 2000 Service Pack 4, when used with:
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
  • Microsoft Small Business Server 2000 Standard Edition



SYMPTOMS

An attacker who has physical access to a computer may be able to start it by using another operating system. Then, the attacker may be able to access files and other data. For example, an attacker who has physical access to a computer may be able to use any of the following methods:

  • Remove the hard disk, and then attach it to another computer.
  • Use a Microsoft Windows CD or a third-party operating system CD to start the computer, and then access the hard disk or perform a parallel installation.
  • Use an MS-DOS startup disk or a Microsoft Windows 98 startup disk to start the computer. If the drives are formatted with the NTFS file system, the attacker may be able to use a driver that mounts NTFS volumes to access files on the drives.
  • Use a Microsoft Windows 2000 CD to start a computer that is running Windows Vista or Microsoft Windows XP, and then run the Windows 2000 Recovery Console. Because the security accounts manager (SAM) database format has changed in Windows XP and in Windows Vista, you are not prompted for an administrator password when you run the Windows 2000 Recovery Console on a computer that is running Windows XP or Windows Vista.


CAUSE

An administrator can use the methods that are described in the "Symptoms" section to perform system recovery. However, without physical security controls or data protection features such as file encryption and volume encryption, these methods can also be used by an attacker to access files and other data. For example, some recovery console operations require an administrator password. However, this requirement does not guarantee that a determined attacker who has physical access to the computer would be unable to gain access to the information. Without suitable physical access controls, and without encryption, a computer has no enforceable security boundary. This issue is not specific to computers that are running a Windows-based operating system.

RESOLUTION

To help prevent an attacker from using the methods that are described in the "Symptoms" section, use data protection features, and implement security measures to restrict physical access to the computer.

We recommend the following methods to help reduce the threat that such attacks pose:

  • Use the System Key tool (Syskey.exe) together with a computer-generated random key that is stored on a floppy disk. This method prevents an unauthorized person from starting Windows. Keep the floppy disk in a secure location. You must insert the floppy disk in a drive when Windows starts for the startup sequence to finish. The System Key tool is included with the following Windows operating systems:
    • Microsoft Windows NT 4.0 Service Pack 3 and later service packs
    • Windows 2000
    • Windows XP
    • Microsoft Windows Server 2003
    • Windows Vista

    For more information about how to use System Key, click the following article number to view the article in the Microsoft Knowledge Base:

    143475 Windows NT System Key permits strong encryption of the SAM

  • Use the NTFS file system, and encrypt files by using the Encrypting File System (EFS) feature. EFS is a feature of the NTFS file system in Windows 2000, in Windows XP, in Windows Server 2003, and in Windows Vista. You can use EFS to encrypt files, folders, or whole data drives. EFS uses industry-standard algorithms and public key cryptography to help keep encrypted files confidential even if an attacker gains unrestricted access to the files. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    308989 How to encrypt a folder in Windows XP

    Note: Windows XP, Windows Server 2003, and Windows Vista do not require a default recovery agent before you can use EFS. This behavior is unlike Windows NT. In Windows XP, in Windows Server 2003, and in Windows Vista, an attacker cannot access EFS-encrypted files even if the attacker overwrites an administrator's password and gains administrative access to the computer.
  • Use BitLocker Drive Encryption to encrypt all the data on a system volume. This method prevents unauthorized users from starting the computer by using a different operating system. This method also prevents unauthorized users from swapping the drive to a different computer to read the data. BitLocker is included with the Enterprise and Ultimate editions of Windows Vista. You can use BitLocker together with System Key and the Encrypting File System. For more information about BitLocker, visit the following Microsoft Web sites:

    Windows Vista Security Guide, Chapter 3: Protect Sensitive Data
    http://www.microsoft.com/technet/windowsvista/security/protect_sensitive_data.mspx

    For information about data protection on Mobile PCs, visit the following Microsoft Web site:
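
As an added example (not part of the original Microsoft article), the Windows PowerShell script below audits two of the protections recommended in this section: whether files in a folder carry the EFS Encrypted attribute, and whether BitLocker protection is on for the system volume. The folder path is a hypothetical placeholder; run the script from an elevated prompt.

```powershell
# Added example: audit the EFS and BitLocker protections recommended above.
# $SensitivePath is a hypothetical folder; point it at data that should be
# EFS-encrypted on your own system.
param(
    [string]$SensitivePath = 'C:\Data\Confidential'   # assumed path
)

# 1. EFS: list files that do NOT carry the NTFS "Encrypted" attribute.
#    Such files are readable by anyone who mounts the volume offline.
if (-not (Test-Path -Path $SensitivePath)) {
    Write-Output "EFS: path $SensitivePath not found; nothing checked."
} else {
    $unencrypted = @(Get-ChildItem -Path $SensitivePath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) })

    if ($unencrypted.Count -eq 0) {
        Write-Output "EFS: every file under $SensitivePath is encrypted."
    } else {
        Write-Output "EFS: $($unencrypted.Count) unencrypted file(s) under ${SensitivePath}:"
        $unencrypted | ForEach-Object { Write-Output "  $($_.FullName)" }
    }
}

# 2. BitLocker: query the system volume through the Win32_EncryptableVolume
#    WMI class. The namespace is absent on editions without BitLocker.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
try {
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }

    if ($null -eq $vol) {
        Write-Output "BitLocker: no encryptable volume reported for $env:SystemDrive."
    } elseif ($vol.GetProtectionStatus().ProtectionStatus -eq 1) {
        # ProtectionStatus 1 means the volume key is protected.
        Write-Output "BitLocker: protection is ON for $env:SystemDrive."
    } else {
        Write-Output "BitLocker: protection is OFF for $env:SystemDrive; the volume can be read offline."
    }
} catch {
    Write-Output "BitLocker: not available on this edition, or the prompt is not elevated."
}
```

Any file the first check lists, and a system volume the second check reports as OFF, remains readable through the offline methods described in the "Symptoms" section.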


MORE INFORMATION

For more information, visit the following Microsoft Web sites:

Keywords: kbprb KB818200