InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Article
Print Article    Email Article
Window Manager
Brian Livingston
New problems in password protection revealed in Windows 95, 98, Me, and 2000

MICROSOFT HAS ANNOUNCED that its consumer products -- Windows 95, 98, and Me -- are vulnerable to a utility available on the Internet that allows a person to get into password-protected file shares without knowing the entire password. This makes it easier for an unauthorized person to open or delete files.

The problem affects only Windows 9x and Me. Windows NT and Windows 2000 use a different password scheme and are not open to this utility, but there's a separate problem in Windows 2000, described later in this column.

The weakness in Windows 9x and Me concerns only "share-level security." It does not affect "user-level security," such as the access controls available if a Windows 9x machine is part of a Windows NT or Windows 2000 domain.

As of press time, Microsoft has released patches that can be run on Windows Me and Windows 98 Second Edition to correct the weakness. By the time you read this, Microsoft also should have a solution for Windows 95 and the original Windows 98.

To get the patches, go to www.microsoft.com/technet/security/bulletin/ms00072.asp.

Of course, the fix won't cure the inherent weaknesses of Windows 9x's password scheme. Please see reader Ken Oden's comments within the following section for more information on this.

Locking Windows 2000 and 9x

In my Oct. 9 column (see "A quick and easy way to secure a Windows 9x/2000, NT machine, and a new TweakUI"), I warned that a password-protected screen saver doesn't password-protect Windows 2000 if the saver is launched manually, such as from a command line.

I recommended Microsoft article Q262646 on this subject. You can find it on the Microsoft Web site at support.microsoft.com/support/kb/articles/Q262/6/46.ASP. You should also read article Q228160, which you can jump to from this article.

I provided a command for people who want to protect their Windows 2000 workstation with a single keystroke when walking away (instead of allowing 15 minutes or whatever for a preprogrammed delay to kick in). Unfortunately, an editing error at InfoWorld.com caused an extra space to be inserted into that command line, which I stressed was "space-and case-sensitive." The corrected Windows 2000 command line is rundll32user32 .dll,LockWorkStation.

I noted that this command could be placed on an unused numeric keypad key. Tapping the keypad's Minus key, for example, would password-protect a Windows 2000 workstation more quickly than the finger-twisting Ctrl+Alt+Delete combo, followed by Enter.

Reader John Wagner commented that a time delay is enough for most of his company's users. "For others who wish to lock down every time they leave their computer," he writes, "the Ctrl+Alt+Delete and Enter doesn't seem to be a problem."

Except for me -- every time I'm walking away from my Windows 2000 workstation one of my hands is already occupied with a briefcase, paper, or whatever. Because Ctrl+Alt+Delete by design requires two hands, I might skip the lockdown step. The resulting 15-minute screen saver delay is when employees would be tempted to start looking for each other's salaries and other irresistible factoids. If this doesn't worry you, fine.

Judging from other comments I received, some readers misread the fact that there are different password-protection behaviors in Windows 95/98/2000 and Windows NT. The problem with manually launching a screen saver affects only Windows 2000, as my column stated.

I've written many times that Windows 2000's security features are far superior to those of Windows 95/98. Ken Oden thought I didn't stress that point enough in my Oct. 9 article.

"Your article may have given people the impression that their Win 95/98 machine is protected by the screen saver password," Oden wrote. "Not true! A reboot will get you into this person's PC." It won't get you onto their network, just into their files on the local hard drive.

Oden recommends shareware called Password. This $10 program allows you to click an icon in the Windows 95/98 system tray to get password-protected workstation locking.

To get the program, go to www.infoworld.com/downloads/psswordw.zip.

Readers Wagner and Oden will receive a free copy of Windows Me Secrets for being the first to submit comments I have chosen to print.

Have lunch with me in Portland

Readers in the Portland, Ore., area may be interested in having lunch with me while I'm visiting there. The date is Oct. 31, which is, of course, Halloween. That means there's no dress code -- you can be as formal or informal as you like. Attendance is limited, however, so be sure to call (206)356-Brian before Oct. 31 to register.




RELATED SUBJECTS

Operating Systems

MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Download the J.D. Edwards CRM white paper. Visit jdedwards.com/crmpaper
Gateway: Your Reliable IT Provider of Business Technology Solutions
Learn to secure your PCs from new and unknown hacker attacks.
Get FREE Hurwitz Report: Control Your App Dev Costs with TogetherSoft!
Click here to receive a FREE Success Kit from Oracle.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine

Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2001 InfoWorld Media Group, Inc.