by Bruce Garlock
We recently had a situation where someone "hacked into" one of our Win98 machines and displayed the saved passwords in Mozilla, which happened to be a user's network password as well. As most people know, you can simply press escape to get past the network logon screen in Win98 and gain some access to the PC. Of course, you cannot browse any network resources, but Mozilla was installed on this PC, and the user had told Mozilla to save their passwords so they did not have to retype them. Most of our Intranet resources are protected with Apache Basic authentication, and those passwords are the same as their domain logon passwords, to keep things easy for the user.
Well, someone had some free time, and decided to go searching for passwords to see what he could find. All he did was press escape at the Windows domain logon screen, launch Mozilla, display the password manager, press show passwords, and voila! There was the user's password. There is also a master password that can be set in Mozilla to prevent people from viewing the saved passwords in Mozilla, but this was not used.
My main concern is how easy it is to get past the logon screen in Windows 98. Sure, Windows XP is a little bit tougher, but we do not have the $$ to replace all of our PCs with brand new XP machines. I have a few questions for people out there:
1) Is there a way to disable this, and require a person to have a password to log on to a Win98 machine?
2) Other than a product like Norton Bootlock, is there an open source equivalent to a program like that, to disable booting from a floppy or CD-ROM without a password? It would be easy for someone to boot into a Win98 system and run l0pht crack on those .PWL files, which are a joke for encrypting passwords.
3) What other methods are there for protecting a PC against someone who has some idea of what they are doing, and how can we further password protect the machine from having people install software or running password cracking programs?
Thanks for any insight. I really do not want to install Norton BootLock on all of our machines, to safeguard against booting with a boot CD, floppy or other removable media device.
We have since required all employees to disable password saving in Mozilla, and set a master password on each machine in case they do enable password saving.
Personally, I cannot wait until other means of securing a machine and network resources are available, like fingerprint scanning, retina scanning, or whatever. Having to retype passwords is cumbersome, and if you did get someone's password, it is all too easy to take over their identity, and make it look like they were the one accessing the resources, instead of the hacker.
What other options are there?
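One way to verify the rule described above (password saving disabled in Mozilla) across many profiles, as an added example that is not part of the original article: it scans `prefs.js` files for the Mozilla preference `signon.rememberSignons`. The profile root directory is an assumed parameter, the sample profiles are constructed, and the master password is not checked because it is not recorded in `prefs.js`.

```python
import re
from pathlib import Path

# Matches one line of a Mozilla prefs.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
SAVE_PREF = "signon.rememberSignons"  # Mozilla pref controlling password saving


def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def saving_enabled(prefs_text):
    """True if the profile will still offer to save passwords.

    prefs.js only records values changed from the default, and the default
    is to save, so a missing entry counts as enabled.
    """
    return parse_prefs(prefs_text).get(SAVE_PREF, "true") != "false"


def audit(root):
    """Return the sorted prefs.js paths under root that still allow saving."""
    flagged = []
    for path in Path(root).rglob("prefs.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if saving_enabled(text):
            flagged.append(str(path))
    return sorted(flagged)


# Constructed sample profiles (not taken from a real machine).
SAMPLE_OK = ('# Mozilla User Preferences\n'
             'user_pref("browser.startup.homepage", "http://intranet/");\n'
             'user_pref("signon.rememberSignons", false);\n')
SAMPLE_BAD = 'user_pref("browser.startup.homepage", "http://intranet/");\n'

if __name__ == "__main__":
    import sys
    for p in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("password saving still enabled:", p)
```

Run it against a share or backup that holds the users' Mozilla profile directories; every path it prints is a profile where the setting was never changed or was turned back on.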
© 2009-11-07 bruceg