You may be aware of utilities like ERD (from Microsoft, formerly Winternals; sadly only available to certain Microsoft licence holders) that will allow you to change the password for a Windows account, thus effectively allowing you access to the data on the PC/server.

There can be legitimate reasons for this (forgotten passwords etc.), but some users may have a more sinister motive: to gain unauthorized access. For the latter group, utilities like ERD have a drawback: they leave traces behind. When the original user tries to log on he can't, as you changed the password. Now there are ways around this; some other utilities allow you to dump the password database before you change it, then afterwards (once you have copied all the data) you can reinject the original password, and only a close examination would reveal your traces.

But now there is a new player on the market, Kon-Boot. This small boot CD will do something very clever indeed: it will allow you to boot into Windows as normal via a CD, and then once asked for the password you can just enter anything; Kon-Boot will simply bypass the password check. Clever indeed.

A few problems/concerns though:

  • Is Kon-Boot safe (or does it leave something nasty behind, e.g. a rootkit)? Some experienced guys took it upon themselves to check just this, and their preliminary finding is that it appears safe enough (no apparent traces left behind).
  • EFS and disk encryption will defeat this: you will not be able to read EFS (Microsoft Encrypting File System) files, and disk encryption in general would serve as protection against booting via a Kon-Boot bypass boot CD/DVD (this may however not apply to all encryption schemes / software brands).
  • Allegedly this bypass is only possible for local machine accounts and not for domain accounts (however, if you use a local admin account, then once you are a local admin you will have full access to the entire disk (except EFS) and all data on it, so this may not be a big deal).

I will have to experiment a bit with this in the near future; it sounds disturbing.
Update: I just tested this on a VM, and it works just as advertised on an XP installation. Interesting indeed…

Update 2: I checked this on a domain account. If the user has his profile/password cached (has been logged on previously) you CAN log on locally and access the user's data, BUT of course no access to network resources, and you will see a warning that your credentials have expired (or something to that effect). I also tried a locked/disabled account, and here I was unable to log on.
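The concerns listed above and the cached-credential finding in Update 2 point at the things a defender can actually check on a box: whether the system drive is encrypted, how many domain logons are cached for offline use, which local accounts are enabled, and whether the firmware will boot unsigned media at all. The following audit script is an added example, not code from the original post or from Kon-Boot; it assumes an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later (the BitLocker and LocalAccounts modules), and the function name Get-OfflineAttackExposure is my own.

```powershell
# Added defensive audit (not part of the original post or Kon-Boot). Reports the
# mitigations the post discusses for the local host. BitLocker is checked here;
# other disk-encryption products need their own check.

function Get-OfflineAttackExposure {
    $report = [ordered]@{}

    # 1. Disk encryption: an unencrypted system volume is readable from any boot CD.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $report.SystemDriveEncrypted = ($vol.ProtectionStatus -eq 'On')
    } catch {
        $report.SystemDriveEncrypted = $false   # cmdlet missing or BitLocker not present
    }

    # 2. Cached domain credentials ("Interactive logon: Number of previous logons
    #    to cache"). Windows default is 10 when the value is absent; 0 disables caching.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    $report.CachedLogonsCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    # 3. Enabled local accounts, flagging the built-in Administrator (RID 500),
    #    since a local admin can read everything on the disk except EFS files.
    $report.EnabledLocalAccounts = Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; BuiltInAdmin = ($_.SID.Value -like '*-500') }
    }

    # 4. Secure Boot (UEFI only) refuses unsigned boot loaders; legacy BIOS cannot.
    try   { $report.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $report.SecureBoot = $false }       # legacy BIOS or Secure Boot unsupported

    [pscustomobject]$report
}

$r = Get-OfflineAttackExposure
$r | Format-List
if (-not $r.SystemDriveEncrypted) {
    Write-Warning "System drive is not BitLocker-protected; offline boot media can read it."
}
if ($r.CachedLogonsCount -gt 0) {
    Write-Warning "$($r.CachedLogonsCount) domain logons are cached; a bypassed local logon can reach cached-profile data."
}
```

Run it as an administrator; a machine that comes back with encryption on, a cached-logon count of 0 and Secure Boot enabled has closed the gaps the post describes.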

Read this excellent post by Claus Valca on Kon-Boot

And see the YouTube demo on how it works;