COMMAND

    Screen Saver

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Christopher L Buono found the following.  On NT 3.51 SP4, SP5, and
    NT 4.0 SP3 Server and Workstation, screen saver password protection
    can be disabled simply by renaming the .scr file that is in use by
    the logged-on user.  To reproduce, follow these steps:

    1) Logon to a network-connected NT workstation or server and set
       the screen saver to 3D Text (or any other screen saver that
       supports password protection) with password protection enabled
       and a timeout value of one minute or greater.
    2) Allow screen saver to activate.
    3) Logon to another network-connected machine and map a drive to
       the machine referenced in step #1 (C$ or ADMIN$).
    4) Within the mapped drive rename
       %systemroot%\system32\sstext3d.scr to *.scx.
    5) Deactivate the screen saver on the first machine by moving  the
       mouse.
    6) Wait for the screen saver timeout period to elapse.
    7) Press Ctrl-Alt-Del and select Cancel from the Windows NT
       Security window.
    8) You're in!

    This is one of those situations where, if you already have
    administrative privileges sufficient to connect to C$ or ADMIN$,
    then who cares whether you can remove somebody's password
    protection.  However, there is at least one situation where this
    could be abused: "I am a Domain Admin for a master domain. I travel
    to a remote site with a resource domain that trusts the master
    domain. I logon to an NT workstation to do some work. Lunch time
    comes around and I verify that my screen saver has activated and is
    locked with password protection enabled. I leave the workstation.
    The local LAN Administrator, who is an Administrator for the
    resource domain, maps a drive to the workstation I am logged onto
    and performs the above procedure. The person is now able to abuse
    all of my privileges as if s/he were me."

    For those who would rather lock the workstation: locking it
    manually yields the same problem.  Yes, another admin can log you
    out, but the situation identified above allows another admin
    (i.e. a resource domain admin) to effectively become you.  Another
    point here is that if the abuser renames the .scr file back to its
    original name and chooses "Lock Workstation", the "victimized" user
    will never know.

    Kevin Fries added the following.  Backup operators can see the
    whole drive.  Since *.scr files by default have "Everyone Full
    Control" access, this should be a huge problem.  Christopher's
    original example showed another admin, but a backup operator is not
    necessarily an admin.
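
    The following audit snippet is an added example and is not part of
    the original advisory or of either researcher's report.  It lists
    the .scr files under %SystemRoot%\System32 whose DACL grants
    Everyone Full Control, the default permission Kevin Fries describes,
    so an administrator can see which screen saver modules a
    non-admin account could rename.  It assumes a host with Windows
    PowerShell 3 or later, which NT 3.51 and 4.0 do not have; on NT 4.0
    the cacls command prints the same ACL information.

```powershell
# Added audit example (not from the original advisory). Enumerate the
# screen saver modules in %SystemRoot%\System32 and report those whose
# DACL allows Everyone (well-known SID S-1-1-0) Full Control. Full
# Control on a file includes Delete, which is the right a rename needs.
# Assumption: Windows PowerShell 3+ is available on the audited host.

$scrDir = Join-Path $env:SystemRoot 'System32'

function Get-WorldWritableScreenSavers {
    param([string]$Path = $scrDir)

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $Path -Filter '*.scr' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -Path $file.FullName

            # Compare by SID rather than by the localized name "Everyone".
            $weak = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
                (($_.FileSystemRights -band $fullControl) -eq $fullControl)
            }

            if ($weak) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Owner  = $acl.Owner
                    Rights = ($weak | ForEach-Object { $_.FileSystemRights }) -join ', '
                }
            }
        }
}

# Report the findings in a form that can be attached to a change request.
$findings = @(Get-WorldWritableScreenSavers)
if ($findings.Count -gt 0) {
    Write-Warning ("{0} screen saver file(s) grant Everyone Full Control:" -f $findings.Count)
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No .scr file under $scrDir grants Everyone Full Control."
}
```

    The function returns objects rather than text so the same check can
    be run across a fleet and the results collected centrally; a file
    that appears in the output is one that any account able to reach the
    administrative share (or, per Kevin Fries, a backup operator) could
    rename in the way the advisory describes.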

SOLUTION

    Nothing yet, unless you are ready to give up on screen savers.