Actually, Andy... Changing permissions is a bad example -- because NTFS file, and registry, permissions change immediately. Group memberships, on the other hand, require a logoff/logon cycle. Guess I should read mail more often than once a week... TTYL Darren -----Original Message----- From: Andy Wood [mailto:snortin_yer_packetsat_private] Sent: April 30, 2002 9:41 PM To: vuln-devat_private Subject: [Fwd: FW: XP Screen Saver password uses Old password until logoutor New one is used.] Passwords aren't cached, it is the Access Tokens that are cached. If you change permissions on a folder, from RO to RW for example, the folder will not be RW until the user logs off then on. This is important to remember when reducing the privs: If the user is logged on when a permission change is made they will retain their old rights until logging off....i.e. They could still delete data after you set the privs from RW to RO. Don't be confused though, this is only a MS feature. It is listed to "improve performance". I, however, am confused as UNIX so far out performs MS yet is not plagued with the whole needing to logoff thing. I guess we should just be thankful.......at least windows doesn't require a reboot. > -----Original Message----- > From: Muhammad Faisal Rauf Danka [mailto:mfrdat_private] > Sent: Tuesday, April 30, 2002 4:18 PM > To: Ghazi H. Al Wadi [NGHA-CTC]; vuln-devat_private > Cc: adnanat_private; qaziaat_private; rootat_private > Subject: Re: XP Screen Saver password uses Old password until logout or > New one is used. > > > Is'nt that the case with all win* since long time? > Well the password is cached, that's why it verifies from cache, where it > should verify it from the actual password location. Lack of routine > addition in all screensavers I guess. Remember flushing cached Passwords > in win* , HEH! =) > > P.S. It's not a feature, untill its discovered by Microsoft. > > Regards, > --------- > Muhammad Faisal Rauf Danka > > Chief Technology Officer > Gem Internet Services (Pvt) Ltd. > web: www.gem.net.pk > voice: 92-021-111-GEMNET > > Chief Security Analyst > Applied Technology Research Center (ATRC) > web: www.atrc.net.pk > voice: 92-021-4548323, 92-021-4546077 > > "Great is the Art of beginning, but Greater is the Art of ending. " > > ------BEGIN GEEK CODE BLOCK---- > Version: 3.1 > GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ > P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- > PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+ > ------END GEEK CODE BLOCK------ > > > --- "Ghazi H. Al Wadi [NGHA-CTC]" <wadigat_private> wrote: > >Hi, > >Today I have as usual, changed my PC logon password (XP Home Edition). > >When the screen saver started, I dismissed it and by force of habit, I > >typed the old password. To my surprise I was able to unlock the screen > >saver using the old password. I was able to do that several times, > >However, once I logout or use the new password I am unable to use the > >old password and have to use the new one. > > > >The question is , Is this a feature. and from a security point of view > >wouldn't that be a vulnerability. If not is it documented any where. > >And last, was this issue addressed before. > > > >Kindest regards > >Ghazi Al Wadi > > _____________________________________________________________ > --------------------------- > [ATTITUDEX.COM] > http://www.attitudex.com/ > --------------------------- > > _____________________________________________________________ > Run a small business? Then you need professional email like > youat_private from Everyone.net http://www.everyone.net?tag > > --- > Incoming mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002 > > > --- > Outgoing mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002 > >
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 01:45:35 PDT