COMMAND

    locking.... and unlocking

SYSTEMS AFFECTED

    Win NT, 2000

PROBLEM

    Jaiden discovered what  appears to be  a security flaw  in Windows
    2000 Pro SP1 machines  running Novell's Client 4.71.20000313.   He
    had  no  way  to  verify  whether  or  not  this  extends to other
    versions.  Greg Riedesel tested it  on WinNT SP6a and it works  as
    well.

    Example:

        - The win 2000 pro workstation is a member of the domain.
        - The  user  is  logged  into  the  workstation  as  a  domain
          administrator.
        - The user is logged into NDS as Guest.
        - The user locks their workstation by hitting  control-alt-del
          and hitting the "lock workstation" button.

    Now,  the  guest  password  can  unlock  a domain admin's machine.
    There appears to be no way to lock the workstation securely.

    Locking/unlocking the  workstation uses  security from  an outside
    source (NDS) which is  potentially insecure,  particularly in this
    specific example.

    Greg  tested  this  one,  and  it  still  applies to WinNT4.0 SP6a
    running Novell's Client 4.70.  When unlocking the station you  are
    given  the  choice  of  supplying  the  "NDS"  (Novell   Directory
    Services) or  "WinNT/2000" credentials.   Either one  will  unlock
    the  station.   In  addition,  if  you  are  logged in to multiple
    domains, any one of the domain logins can unlock the station.

    When locking the station you do  not get a choice of which  set of
    credentials to  lock the  station with.   It seems  to be Novell's
    security assumption that all legitimately logged in users to  that
    station can be used to unlock it.

    Unfortunately, it  seems that  Windows will  attempt to  log in to
    NDS/Novell as Guest if there  is no matching user-account for  the
    user attempting to use resources.  Since all it takes is one  icon
    in the  Start Menu  to cause  Windows to  attempt to  attach to  a
    server, these connections can  be made 'invisibly'.   Therefore it
    is possible  that an  administrator may  be logged  in as guest to
    NDS and not know it.

SOLUTION

    Win 2000  pro should  always use  the locally  logged in  user (or
    domain user if a member of the domain) for this purpose.

    There are a couple of ways around this:

        * Disable Guest in NDS (Novell recommends this anyway).
        * Make sure  an account exists  in NDS whose  name matches the
          Domain Admin account.
        * Make sure you 'Login  As...' to your Novell resource  before
          attempting to lock your workstation.

    Note that Guest does not  exist in a pure NDS  environment, unless
    the tree  was an  upgrade from  NetWare 3  to 4  or 5.  Any decent
    Novell setup (as well as NT) should have Guest disabled.
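    The credential check described under PROBLEM, and the effect of the
    three workarounds under SOLUTION, as an added model written for this
    page (it is not Novell Client or Windows code; session, directory and
    policy names are assumptions). It contrasts the behaviour the advisory
    reports (any credential attached to the station unlocks it, including
    an NDS Guest session that Windows established silently) with the
    behaviour the advisory proposes (only the principal that locked the
    station can unlock it). Password verification is modelled by a flag,
    so the point is which identities are accepted, not how passwords are
    checked.

```python
"""Model of the lock/unlock credential check described in the advisory.

Added illustrative model for this page, not Novell Client or Windows
code. Names such as Directory, Session and Workstation are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

GUEST = "Guest"


@dataclass
class Directory:
    """Stand-in for an NDS tree: the known account names and whether the
    Guest object is enabled (SOLUTION bullet 1 disables it)."""
    accounts: Set[str]
    guest_enabled: bool = True


@dataclass
class Session:
    source: str      # "WinNT" (domain/local logon) or "NDS"
    user: str
    explicit: bool   # True when the user typed credentials ("Login As...")


@dataclass
class Workstation:
    directory: Directory
    sessions: List[Session] = field(default_factory=list)
    locked_by: Optional[Session] = None

    def logon_domain(self, user: str) -> Session:
        s = Session("WinNT", user, True)
        self.sessions.append(s)
        return s

    def login_as_nds(self, user: str) -> Session:
        """SOLUTION bullet 3: an explicit 'Login As...' to NDS."""
        if user not in self.directory.accounts:
            raise ValueError("no such NDS account: %s" % user)
        s = Session("NDS", user, True)
        self.sessions.append(s)
        return s

    def touch_novell_resource(self, domain_user: str) -> Optional[Session]:
        """Models the 'invisible' attach: something (a Start Menu icon)
        touches a NetWare server, Windows tries the domain user name, and
        with no matching NDS account it falls back to Guest."""
        if any(s.source == "NDS" for s in self.sessions):
            return None                      # already attached; nothing new
        if domain_user in self.directory.accounts:
            user = domain_user               # SOLUTION bullet 2 makes this hit
        elif self.directory.guest_enabled:
            user = GUEST                     # the silent Guest attach
        else:
            return None                      # attach fails, no session made
        s = Session("NDS", user, False)
        self.sessions.append(s)
        return s

    def lock(self, session: Session) -> None:
        self.locked_by = session

    def unlock_any_session(self, source: str, user: str, password_ok: bool = True) -> bool:
        """Behaviour the advisory reports: any credential currently attached
        to the station (WinNT, any domain, or NDS) unlocks it."""
        return password_ok and any(s.source == source and s.user == user
                                   for s in self.sessions)

    def unlock_locking_user_only(self, source: str, user: str, password_ok: bool = True) -> bool:
        """Behaviour the advisory proposes: only the credentials of the
        local/domain user who locked the station unlock it."""
        lb = self.locked_by
        return password_ok and lb is not None and lb.source == source and lb.user == user


def scenario(guest_enabled: bool = True, matching_account: bool = False,
             explicit_login: bool = False) -> dict:
    """Run the advisory's example with optional workarounds applied.
    'jdoe' is a constructed domain administrator name."""
    tree = Directory(accounts={"jdoe"} if matching_account else set(),
                     guest_enabled=guest_enabled)
    ws = Workstation(tree)
    admin = ws.logon_domain("jdoe")          # domain admin logs on
    if explicit_login:
        ws.login_as_nds("jdoe")              # requires a matching NDS account
    ws.touch_novell_resource("jdoe")         # a Start Menu icon hits a server
    ws.lock(admin)                           # control-alt-del, "lock workstation"
    return {
        "guest_attached": any(s.user == GUEST for s in ws.sessions),
        "guest_unlocks_weak": ws.unlock_any_session("NDS", GUEST),
        "guest_unlocks_fixed": ws.unlock_locking_user_only("NDS", GUEST),
        "admin_unlocks_weak": ws.unlock_any_session("WinNT", "jdoe"),
        "admin_unlocks_fixed": ws.unlock_locking_user_only("WinNT", "jdoe"),
    }


if __name__ == "__main__":
    print("as reported:      ", scenario())
    print("guest disabled:   ", scenario(guest_enabled=False))
    print("matching account: ", scenario(matching_account=True))
    print("explicit login:   ", scenario(matching_account=True, explicit_login=True))
```

    In the default run the Guest session exists, the Guest password
    unlocks the station under the reported policy and is refused under
    the proposed one; each of the three workarounds removes the Guest
    session altogether, so even the reported policy no longer accepts it.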