Hack and a thought

Recently I came across a cute hack to reset windows 7 password, someone shared that to me , saying its cake walk


I looked at it and tested it in lab and was able to change the password as explained in it. Then I also came across the ways to mitigate this for example.

If we execute below command in elevated command prompt(admin command prompt), this will disable launch of repair that is done in the article given

bcdedit /set {default} bootstatuspolicy ignoreallfailures

There are other ways as well. But that’s not that important, what’s important is(as per me and few others as well) ,that’s what I’m going to discuss here.

If you already are not aware of “Ten immutable laws of security” refer http://blogs.technet.com/b/rhalbheer/archive/2011/06/16/ten-immutable-laws-of-security-version-2-0.aspx

List is here, so if we look at it, this is hitting law#3

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

i.e. Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. So if you indeed are hitting this law and still think operating system should have a mitigation for it by default, then a rethink on it is required.

I was thinking about a scenario, when this can happen to non-corporate machine e.g. regular user and when can this happen to a corporate user’s machines, which are either desktops or laptops.

For non-corporate regular user, this can happen if she loses her laptop. Same is true for a corporate user i.e. if she loses her laptop, so what’s the best defense or mitigation regarding this if you are hitting law # 3 .

 I would feel safe as both type of user, if my data is not accessible to bad guy. That’s only possible with encryption i.e. if user’s laptop’s drive is encrypted.  Microsoft’s latest operating systems have a feature called Bitlocker which is a strong, in fact best defense in such scenario. If bad guy does not have the bitlocker key, he can’t even get to the starting point that’s mention in the blog link of hack. He cannot access data in the drive, its ENCRYPTED J. So although user would still lose the data ,if she hits the law #3 and her machine as well but data will not be compromised or disclosed, nobody can see it.

For desktops in enterprise, its little difficult to imagine hitting law # 3 but here again Bitlocker is a super defense, bad guy can’t go any farther then the bitlocker key screen J.

In information security, confidentiality of data is maintained by ensuring its encrypted at rest and also when it is at move using protocols like SSL , Ipsec. So Encryption is the way forward(its already there, some are using it some are not).

Following are few links about how bitlocker can be enabled, these are few, will add more as and when I ll find more

http://windows.microsoft.com/en-in/windows-8/bitlocker-drive-encryption, windows 8

https://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx windows 7






Comments (3)

  1. junaid says:

    Nice one buddy. I did couple of projects to make sure our Infrastructure is secured from what you have mentioned. First one one having highly available Disk Encryption solution using Bitlocker with MBAM 2.0 (Works great and smooth like TMG 2010) and other
    one was to cover privilege escalation issues by deploying Power Broker which takes of admin rights from user and only provides access to apps what he/she owns or need to use to do business related work. Which provides zero attack surface (theoretically :))
    for bad guys to play with. I believe 80-90 percent of attacks that are happening are due to privilege escalations and it is very important that we trim down unnecessary privileges/permissions from normal user .

  2. karthik says:

    For Privilege Escalation issues, you could also try the Microsoft Identity Manager 2016, which has a module for ‘Privilege Access Management’. This would essentially wipe out all the admin rights for users and add it ad-hoc for the duration of time you
    need access. For example, a User needs to perform administrative task for 30 minutes, raises a request, once approved gets added to admin group for 30 minutes and is then removed.

  3. Karthik my man, thanks for awesome addition to the requirement of privilege escalation trouble 🙂

Skip to main content