COMMAND

    backup

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Paul Ashton posted the following. With the publication of the NT
    password obfuscation algorithm by Jeremy Allison, and the CIFS
    specification, the astute reader will now realise that an NT
    backup tape (or perhaps even the recovery diskette) will contain
    password equivalents that can be used by a modified client to
    authenticate to any NT server as *any* user. Compare this to
    Unix, where the passwd file can be used only as a basis for a
    dictionary attack and not for authentication.

    You can  also boot  from a  linux boot  floppy and  change any  NT
    password.

    Note that this vulnerability is pretty hard to find because you
    have to have physical access to the machine and things like that.
    You had better forget that.

SOLUTION

    Encrypt your NT backups and put  a boot password on your BIOS,  or
    you're stuffed. Note that clients will also contain a cached  copy
    of the Administrator's password if they have ever logged in on it.

    When you make backups with NT Backup, you can "Restrict" it so
    that only administrators, backup operators, the tape owner, and
    people with the Restore right can do the restore.

    However,  you  don't  have  to  be  the  administrator of the same
    domain.  So you can steal a tape from some company, take it  home,
    and since you  are the administrator  of your kitchen  domain, you
    can restore this tape, even if it was "restricted".
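    The behaviour of the "Restrict" flag described above, and why encrypting
    the tape is the actual fix, modelled as an added example (not part of the
    original advisory; the tape layout, group names and the SHA-256 based toy
    cipher are illustrative assumptions, not NT Backup's real format):

```python
import hashlib, hmac, os
from dataclasses import dataclass
# Constructed stand-in for the SAM data on an NT backup tape (placeholder hash value).
SAM_ON_TAPE = b"Administrator:500:0123456789abcdef0123456789abcdef\n"

@dataclass
class Tape:
    owner: str        # account that wrote the tape, e.g. "CORP\\backupop"
    restricted: bool  # NT Backup "Restrict access" flag, stored in the tape header
    payload: bytes    # SAM copy, plaintext or sealed by seal_tape()

@dataclass
class Caller:
    name: str
    groups: set       # groups the caller holds on the RESTORING machine

def nt_restore_allowed(tape: Tape, caller: Caller) -> bool:
    """The restriction as the advisory describes it: the restoring host checks the
    flag against ITS OWN accounts, so an administrator of any domain passes."""
    if not tape.restricted:
        return True
    return (caller.name == tape.owner
            or bool(caller.groups & {"Administrators", "Backup Operators", "Restore"}))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256: shows the principle, not a real cipher.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal_tape(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC with a key the tape's own domain keeps; the restoring host's
    opinion of who is an administrator no longer matters."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal_tape(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered tape: nothing usable comes back
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def stolen_tape_scenario(encrypted: bool) -> bool:
    """True if an admin of an unrelated domain gets readable SAM data off the tape."""
    corp_key = os.urandom(32)                       # held only by the owning domain
    payload = seal_tape(corp_key, SAM_ON_TAPE) if encrypted else SAM_ON_TAPE
    tape = Tape(owner="CORP\\backupop", restricted=True, payload=payload)
    thief = Caller(name="KITCHEN\\admin", groups={"Administrators"})  # constructed
    data = unseal_tape(os.urandom(32), tape.payload) if encrypted else tape.payload
    return nt_restore_allowed(tape, thief) and data is not None and b":500:" in data
```

    The restricted but unencrypted tape still hands its SAM copy to the
    "kitchen domain" administrator; the sealed tape yields nothing without the
    owning domain's key.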