I've heard from a couple of people at Microsoft Corporation regarding my story earlier this week about the security problems in Windows 2000 Professional. Though I was assured initially that the problems with Windows 2000 Professional's auto-logon feature were fixed, I have verified that this is not the case. A continuing dialog with Microsoft will hopefully clear the air, but here's what I've learned so far:
"With regard to the question about why the auto-logon feature is present, customers, especially those with home businesses, have told us that they wanted it," Microsoft's Scott Culp told me. "The feature is intended for use in environments where the user has physical control over the machine, and if this is the case, the auto-logon account doesn't present any additional vulnerability."
Frankly, I don't understand what the term "physical control" means. In this day and age of pervasive Internet access, one has more to fear from a Net-based attack than from someone walking up and accessing your PC. Given the spate of IE 5.0 vulnerabilities that have become known this year, this type of "feature" could really come back to haunt Microsoft. I realize it's probably too late in the process to change it dramatically, but perhaps the most obvious thing to do would be to not give this auto-logon user Admin privileges. Then, the first time the user attempted to do something that wasn't allowed with his privileges, a balloon help (or whatever) could pop up explaining how to "run as Administrator."
Also, I think it's a huge mistake to even allow someone to assign an empty password to Administrator during Setup. If the user is hell-bent on doing this, they could change it later, but Administrator is a known account and one that hackers will try to attack. It makes sense to protect this account with the most basic of security measures.
Furthermore, Scott's description of the known problem with Windows 2000 Professional, regarding the ability to remotely start the Telnet server and access a system that way, is open to interpretation.
"As to the specific attack that you described via the Telnet server, we are making additional changes to Windows 2000 that will prevent this attack from succeeding even if a blank Administrator password is selected," he told me.
OK. But this suggests that the fixes are in progress, that is, they have not yet happened. And based on my hands-on experience this week, I'm sure that an experienced hacker could quite possibly gain access to a Windows 2000 Professional system that is connected to the Internet.
I'm still waiting to hear the final word on this, but this much seems clear: Microsoft is working to ensure that Windows 2000 Professional is secure by the time it's released later this year. However, the currently available beta and release candidate builds may not live up to that promise, so tread carefully. I'll provide more information if and when it comes from Microsoft.