
Server 2008 really is more secure, right?

Friday, June 20, 2008, Ben

One of my favorite sessions at TechEd 2008 was a session given by Marcus Murray about password hacking — the number of available tools out there and their power to break into "locked" accounts is just as scary as it is fascinating.

The most amazing demonstration at this session had to do with Windows Server 2008. Vista and Server 2008 include an “Accessibility” button on their logon screens that users can use to turn on helper tools like Sticky Keys or Magnifier. This simple button invokes a small app called “Utilman.exe”, which takes the user’s preferences and applies them to the server before logon time.

So what’s the big deal?

The big deal is that utilman.exe is run with System rights; it has to: it’s run before any particular user is logged on. 

The problem with this scenario is this: anyone with physical access to the machine can simply boot the computer with an alternate OS (assuming that OS can read NTFS) and replace the Utilman.exe file with a copy of the CMD.exe file.

Now, when Server 2008 or Vista is rebooted, clicking that Accessibility button (great name, given the exploit) brings up a command prompt window with System rights.

Yeah.  You can do just about anything on a computer with System rights.  And with this exploit, you’re granted them without having to even come up with a user name or password. 
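A defender can check for the swap described above directly. The following PowerShell function is an added example, not part of the original post or the TechEd session; the function name `Test-UtilmanIntegrity` is hypothetical, and it assumes PowerShell 4.0 or later (for `Get-FileHash`) and the default System32 layout.

```powershell
# Added example (not from the original post): check whether the logon-screen
# accessibility binary has been replaced with a command shell.
# Assumes PowerShell 4.0+ (Get-FileHash) and the default System32 layout.
function Test-UtilmanIntegrity {
    param(
        [string]$Path = "$env:SystemRoot\System32\Utilman.exe",
        [string[]]$ShellPaths = @(
            "$env:SystemRoot\System32\cmd.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
        )
    )

    $item     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $findings = @()

    # Check 1: byte-for-byte copy of a shell, the swap described in the post.
    foreach ($shell in $ShellPaths) {
        if (Test-Path -LiteralPath $shell) {
            $shellHash = (Get-FileHash -LiteralPath $shell -Algorithm SHA256).Hash
            if ($shellHash -eq $hash) { $findings += "same SHA-256 as $shell" }
        }
    }

    # Check 2: the embedded version resource still names a shell even when the
    # copy came from a different build and the hashes do not match.
    $original = $item.VersionInfo.OriginalFilename
    if ($original -match '^(cmd|powershell)\.exe') {
        $findings += "version resource says OriginalFilename=$original"
    }

    [pscustomobject]@{
        Path             = $item.FullName
        SHA256           = $hash
        OriginalFilename = $original
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        Suspicious       = ($findings.Count -gt 0)
        Findings         = $findings -join '; '
    }
}

Test-UtilmanIntegrity | Format-List
```

The same function can be pointed at a mounted offline image by passing `-Path` and `-ShellPaths` for that volume, which is useful when the running system itself is not trusted.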

Read the original story here.
