RE: [Fwd: FW: XP Screen Saver password uses Old password until logoutor New one is used.]

["Darren W. MacDonald" <darrydoo () aci on ca>]

Actually, Andy...

Changing permissions is a bad example -- because NTFS file, and
registry, permissions change immediately. Group memberships, on the
other hand, require a logoff/logon cycle.

Guess I should read mail more often than once a week...

TTYL
Darren

-----Original Message-----
From: Andy Wood [mailto:snortin_yer_packets () cox net] 
Sent: April 30, 2002 9:41 PM
To: vuln-dev () securityfocus com
Subject: [Fwd: FW: XP Screen Saver password uses Old password until
logoutor New one is used.]

        Passwords aren't cached, it is the Access Tokens that are
cached.  If you change permissions on a folder, from RO to RW for
example, the folder will not be RW until the user logs off then on.
This is important to remember when reducing the privs: If the user is
logged on when a permission change is made they will retain their old
rights until logging off....i.e. They could still delete data after you
set the privs from RW to RO.

        Don't be confused though, this is only a MS feature.  It is
listed to "improve performance".  I, however, am confused as UNIX so far
out performs MS yet is not plagued with the whole needing to logoff
thing.  I guess we should just be thankful.......at least windows
doesn't require a reboot.
 

> -----Original Message-----
> From: Muhammad Faisal Rauf Danka [mailto:mfrd () attitudex com] 
> Sent: Tuesday, April 30, 2002 4:18 PM
> To: Ghazi H. Al Wadi [NGHA-CTC]; vuln-dev () securityfocus com
> Cc: adnan () gem net pk; qazia () gem net pk; root () hack net pk
> Subject: Re: XP Screen Saver password uses Old password until logout
or
> New one is used.
>
>
> Is'nt that the case with all win* since long time?
> Well the password is cached, that's why it verifies from cache, where
it
> should verify it from the actual password location. Lack of routine
> addition in all screensavers I guess. Remember flushing cached
Passwords
> in win* , HEH! =)
>
> P.S. It's not a feature, untill its discovered by Microsoft.
>
> Regards, 
> ---------
> Muhammad Faisal Rauf Danka
>
> Chief Technology Officer
> Gem Internet Services (Pvt) Ltd.
> web: www.gem.net.pk
> voice: 92-021-111-GEMNET
>
> Chief Security Analyst
> Applied Technology Research Center (ATRC)
> web: www.atrc.net.pk
> voice: 92-021-4548323, 92-021-4546077
>
> "Great is the Art of beginning, but Greater is the Art of ending. "
>
> ------BEGIN GEEK CODE BLOCK----
> Version: 3.1
> GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ 
> P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
> PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
> ------END GEEK CODE BLOCK------
>
>
> --- "Ghazi H. Al Wadi [NGHA-CTC]" <wadig () ngha med sa> wrote:
> > Hi,
> > Today I have as usual, changed my PC logon password (XP Home
Edition). 
> > When the screen saver started, I dismissed it and by force of habit,
I 
> > typed the old password. To my surprise I was able to unlock the
screen 
> > saver using the old password. I  was able to do that several times, 
> > However, once I logout or use the new password I am unable to use the

> > old password and have to use the new one.
> >
> > The question is , Is this a feature. and from a security point of
view 
> > wouldn't that be a vulnerability. If not is it documented any where. 
> > And last, was this issue addressed before.
> >
> > Kindest regards
> > Ghazi Al Wadi
>
> _____________________________________________________________
> ---------------------------
> [ATTITUDEX.COM]
> http://www.attitudex.com/
> ---------------------------
>
> _____________________________________________________________
> Run a small business? Then you need professional email like
> you () yourbiz com from Everyone.net  http://www.everyone.net?tag
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>  
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>