Windows Vista Recovery Console and the Password

Every once in a while I am left scratching my head. Over the last few days a few blog postings have popped up on a subject and I am at a loss to understand why. I’m not the only one – several security industry colleagues have been in touch and have said they are just as puzzled.

The claim in question is that the Windows Vista installation medium, and especially its Recovery Console, is the biggest vulnerability in Vista. Why? Because the Recovery Console on the installation medium no longer requires a password and makes the whole disk accessible.

So I wanted to give my perspective, and that of a number of security industry colleagues both inside and outside of Microsoft:

  1. There are the 10 Immutable Laws of Security. Law #3 says: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. This is well known to anybody with even the slightest security knowledge. There are a lot of tools on the web that you can boot from to access a disk, be it Linux distributions, Windows PE, or any other OS that can mount an NTFS partition.

  2. If you have physical access to a disk you can attach it to any computer and mount the disk from there to access the data.

  3. We have a process called the "Security Development Lifecycle", in which all decisions that concern security have to be approved by the Secure Windows Initiative Team. The decision to remove the password was taken in this process and approved there. The reason is an obvious one: this password does not add any security, not a tiny little bit. But it added a lot of hassle: in many of the cases where you need the Recovery Console, the disk is corrupt in one way or another. This can lead to the point where the Recovery Console no longer finds the Windows installation, and therefore no Registry, and therefore no password, and therefore no Recovery Console. As this adds no security but a lot of problems, we removed it. This was a conscious decision.

  4. Finally, if you want to protect your computer, do what we have been saying for a long time: use a BIOS password, use disk encryption (like BitLocker) and/or EFS. I am using these technologies and am not afraid at all of the whole discussion.

So, I understand that this is scary for people who are not too deep into security, but as I said: I was pretty surprised that it was even taken up by security sites.

Any comments?


Comments (5)

  1. Anonymous says:

    Roger's Security Blog : Windows Vista Recovery Console and the Password:

  2. Anonymous says:

    Basic steps that all users should take notice of.

  3. Anonymous says:

    Basic steps that all users should take notice of.

  4. Jon says:

    Well, isn’t this obvious? This has been known for a long time and is a basis of every defense-in-depth concept you are building.

    If there are really security companies supporting statements around this, you probably should think twice.

  5. Andy says:

    What OS are you having?

    On xp you can try this:

    Boot the computer and press Ctrl+Alt+Delete twice when you see the Windows welcome screen / login screen. It'll show the classic login box. Now type "Administrator" (without quotes) in the username field and leave the password field blank, press Enter, and you should be able to log in to Windows.

    Now you can reset your account password from "Control Panel -> User Accounts".

    On win 7 or vista:

    Ctrl+Alt+Delete won't work; you have to use some Windows password recovery software. I recommend Windows Password Recovery Tool 3.0.
