An Attacker with Physical Access to Your Computer May Be Able to Access Your Files and Other Data (818200)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server, Enterprise Edition
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

An attacker who has physical access to your computer may be able to start your computer by using another operating system to obtain access to your files and other data. For example, an attacker who has physical access to your computer may be able to use any of the following methods to access files and other data on your computer:
  • Remove your hard disk and attach it to another computer.
  • Start your computer by using a Microsoft Windows or a third-party operating system CD-ROM to access your hard disk or to perform a "parallel" installation.
  • Start your computer with an MS-DOS or Windows 98 Startup disk. If your drives are formatted with the NTFS file system, the attacker may be able to use a driver that mounts NTFS volumes to gain access to files on the NTFS volume.
  • Start your Windows XP-based computer by using a Windows 2000 CD-ROM and then running Recovery Console. Because the security accounts manager (SAM) database format has changed in Windows XP, you are not prompted for an administrator password when you run Windows 2000 Recovery Console on a Windows XP-based computer.

CAUSE

An administrator can use the methods that are described in the "Symptoms" section of this article to perform disaster recovery on a computer. However, without physical security controls, these methods can also be used by an attacker to access files or other data on your computer. This issue is not specific to computers that are running a Windows NT-based operating system. Therefore, security experts do not consider such attacks to be computer security vulnerabilities.

RESOLUTION

To help prevent an attacker from using the methods that are described in the "Symptoms" section of this article, implement appropriate security measures to restrict physical access to your computer. For information about basic physical security best practices, visit the following Microsoft Web site:

Microsoft also recommends the following methods that can help to reduce the threat that is posed by such attacks:
  • Configure the system and startup password features in your computer's BIOS (or CMOS) setup utility. A system and startup password may help to prevent an unauthorized person from starting your computer. See the documentation that is included with your computer, or contact your computer manufacturer for information about how to configure a system and startup password in the BIOS.
  • Disable the options to start your computer from the CD-ROM drive or floppy disk drive in your computer's BIOS. This can help to prevent an unauthorized person from starting your computer with another operating system. See the documentation that is included with your computer, or contact your computer manufacturer for information about how to disable the options to start the computer from the CD-ROM drive or floppy disk drive in your computer.
  • Use the System Key tool (Syskey.exe) with a computer-generated random key that is stored on a floppy disk to prevent Windows from being started by an unauthorized person. Keep the floppy disk in a secure location. The floppy disk must be inserted in a drive during Windows startup for the startup sequence to complete. The System Key tool is included with Windows NT 4.0 Service Pack 3 and later, Windows 2000, Windows XP, and Windows Server 2003. For additional information about how to use the System Key tool, click the following article number to view the article in the Microsoft Knowledge Base:

    143475 Windows NT System Key Permits Strong Encryption of the SAM

  • Use the NTFS file system and encrypt your files by using the Encrypting File System (EFS) feature. EFS is a feature of the NTFS file system in Windows 2000, Windows XP, and Windows Server 2003. You can use EFS to encrypt files, folders, or whole data drives. EFS uses industry-standard algorithms and public key cryptography to help keep encrypted files confidential even if an attacker gains unrestricted access to the encrypted files or folders.

    308989 HOW TO: Encrypt a Folder in Windows XP

    Note In Windows XP, there is no default recovery agent for EFS. Even an attacker who gains administrative access to a Windows XP-based computer cannot gain access to EFS-encrypted files on the computer.
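
The following PowerShell script is an added example, not part of the original Microsoft article. It audits a folder that you rely on EFS to protect: it confirms the volume is NTFS and lists every file that does not carry the Encrypted attribute, because those files remain readable if the disk is mounted from another operating system. The folder path C:\Confidential and the function name Test-EfsCoverage are assumptions chosen for illustration, and the script assumes Windows PowerShell is installed on the computer.

```powershell
# Added example: report files under a folder that EFS does not protect.
# C:\Confidential is an assumed sample path; pass your own with -Path.
param([string]$Path = 'C:\Confidential')

function Test-EfsCoverage {
    param([string]$Folder)

    $full  = [System.IO.Path]::GetFullPath($Folder)
    $root  = [System.IO.Path]::GetPathRoot($full)
    $drive = New-Object System.IO.DriveInfo($root)

    # EFS is a feature of NTFS; files on a FAT or FAT32 volume cannot be encrypted with it.
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "$root is formatted as $($drive.DriveFormat), not NTFS. EFS is not available."
    }

    # If the folder itself is not marked Encrypted, files created in it later
    # are stored in plaintext even when the existing files are encrypted.
    $dir = Get-Item -LiteralPath $full -Force
    if (-not ($dir.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
        Write-Warning "$full is not marked for encryption; new files will not be encrypted."
    }

    # Return every file (including hidden ones) that lacks the Encrypted attribute.
    Get-ChildItem -LiteralPath $full -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
        Select-Object FullName, Length, LastWriteTime
}

$plaintext = @(Test-EfsCoverage -Folder $Path)
if ($plaintext.Count -eq 0) {
    Write-Output "No unencrypted files found under $Path."
} else {
    Write-Output "$($plaintext.Count) unencrypted file(s) found under ${Path}:"
    $plaintext | Format-Table -AutoSize
}
```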

MORE INFORMATION

For more information, visit the following Microsoft Web sites:

Modification Type: Major
Last Reviewed: 10/9/2006
Keywords: kbprb KB818200