Vista Power Security WTF



  • I found an odd and troubling issue with Windows Vista the other day.

    I locked my Windows Vista Laptop and walked away for a while, so the machine was at the Lock/Login Screen.
    I came back and decided to leave for the day, so I pressed the power button on the docking station and the machine started shutting down.
    Now apparently to shut down, it logs me back in and starts shutting down applications.  As troubling as it was, it got worse.
    The customer I work for uses Lotus Notes.  I had Notes open with a large amount of databases open, so it takes a while for Notes to close.  This causes the shutdown procedure to pause and ask if we want to force Lotus Notes to quit or cancel.  Clicking cancel brings me back to windows and lotus notes.

    WITHOUT EVER LOGGING IN!!!

    I have tried it multiple times and it was repeatable.  I tried it with other applications that had a lot open and happened to take too long to close, and it happens.

     

    Anyone else able to repeat this?

    A few things that might have something to do with it is I have a custom image as the login image, not sure it would be the cause?
     



  • There are certain disreputable gentlemen in Russia most interested in making your acquantance, with your newfound knowledge of bypassing security...



  • @shaunburdick said:

    I found an odd and troubling issue with Windows Vista the other day.

    I locked my Windows Vista Laptop and walked away for a while, so the machine was at the Lock/Login Screen.
    I came back and decided to leave for the day, so I pressed the power button on the docking station and the machine started shutting down.
    Now apparently to shut down, it logs me back in and starts shutting down applications.  As troubling as it was, it got worse.
    The customer I work for uses Lotus Notes.  I had Notes open with a large amount of databases open, so it takes a while for Notes to close.  This causes the shutdown procedure to pause and ask if we want to force Lotus Notes to quit or cancel.  Clicking cancel brings me back to windows and lotus notes.

    WITHOUT EVER LOGGING IN!!!

    I have tried it multiple times and it was repeatable.  I tried it with other applications that had a lot open and happened to take too long to close, and it happens.

     

    Anyone else able to repeat this?

    A few things that might have something to do with it is I have a custom image as the login image, not sure it would be the cause?
     

    That's why I only allow shutdown when I'm logged in :P 



  • @XIU said:

    That's why I only allow shutdown when I'm logged in :P 

    Okay. so it's configurable?

    What's the default config for this? Mircosoft has a rep with me for some astoundingly bad defaults. 



  • Ok Guys,


    Firstly I have not tested this (yet), but these values may be usefull!

    Change the timeout for a prompt to kill a service\task

    After recieving a shutdown request vista waits for a notification that persistant services have stopped. You can alter the wait time for Windows to kill the persistent services.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

    WaitToKillServiceTimeout , default value is 20000

    When this value is exceeded a prompt appears to force the service\task to stop or continue to wait.

    Alter the time for user process's and applications to be killed

    This is the timeout before starting to shut down and kill open applications and user processes when the user want to shutdown, restart or log off.

    Navigate to the following registry branch:

    HKEY_CURRENT_USER\Control Panel\Desktop

    WaitToKillAppTimeout, default 20000.

     When the WaitToKillAppTimeout value is breached, the End Task dialog box appears, stating that the process did not respond, and allowing user to End the task.

    HungAppTimeout, default 5000 -  HungAppTimeout specifies how long the system waits for user processes to end after the user clicks the End Task command button in Task Manager or after the user has selected to restart or shutdown the system.

    Automatically end\kill process's without a user prompt

    When the values above are breached, a end task or other prompt is still generated. By changing to the value of registry key AutoEndTasks to 1, we can ask Windows to end all processes that timeout when shut down or log out from Windows automatically, without asking for user input or interaction. Default value of the key is 0, which mean no user processes will end automatically.

    AutoEndTasks is located at HKEY_CURRENT_USER\Control Panel\Desktop registry branch.

     I would imagine that sensable settings on the above, combines with AutoEndTasks should fix your issue ?  As these are reg keys they can of course all be manipulated via group policy.



  • Mizpah- I think his point isn't so much that he need to fix his own machine but that anyone could walk up to most any locked vista machine, and simply unlock it.



  • @Mizpah said:

    Ok Guys,


    Firstly I have not tested this (yet), but these values may be usefull!

    Change the timeout for a prompt to kill a service\task

    After recieving a shutdown request vista waits for a notification that persistant services have stopped. You can alter the wait time for Windows to kill the persistent services.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

    WaitToKillServiceTimeout , default value is 20000

    When this value is exceeded a prompt appears to force the service\task to stop or continue to wait.

    Alter the time for user process's and applications to be killed

    This is the timeout before starting to shut down and kill open applications and user processes when the user want to shutdown, restart or log off.

    Navigate to the following registry branch:

    HKEY_CURRENT_USER\Control Panel\Desktop

    WaitToKillAppTimeout, default 20000.

     When the WaitToKillAppTimeout value is breached, the End Task dialog box appears, stating that the process did not respond, and allowing user to End the task.

    HungAppTimeout, default 5000 -  HungAppTimeout specifies how long the system waits for user processes to end after the user clicks the End Task command button in Task Manager or after the user has selected to restart or shutdown the system.

    Automatically end\kill process's without a user prompt

    When the values above are breached, a end task or other prompt is still generated. By changing to the value of registry key AutoEndTasks to 1, we can ask Windows to end all processes that timeout when shut down or log out from Windows automatically, without asking for user input or interaction. Default value of the key is 0, which mean no user processes will end automatically.

    AutoEndTasks is located at HKEY_CURRENT_USER\Control Panel\Desktop registry branch.

     I would imagine that sensable settings on the above, combines with AutoEndTasks should fix your issue ?  As these are reg keys they can of course all be manipulated via group policy.

    Appreciate the effort, but this just adds to the WTF. With Vista being "the most secure Windows ever" it just hurts when the OS is shown to have more holes than swiss cheese. Now we see a list of things that can fix this problem, and you go WTF again! If this is a fixable problem, then WHY THE FUCK aren't these the defaults of the OS?

     
    Well, looking at the list again, those registry settings don't "fix" anything, they just make it harder to get through this glaring hole.
     



  • @shaunburdick said:

    I found an odd and troubling issue with Windows Vista the other day.

    I locked my Windows Vista Laptop and walked away for a while, so the machine was at the Lock/Login Screen.
    I came back and decided to leave for the day, so I pressed the power button on the docking station and the machine started shutting down.
    Now apparently to shut down, it logs me back in and starts shutting down applications.  As troubling as it was, it got worse.
    The customer I work for uses Lotus Notes.  I had Notes open with a large amount of databases open, so it takes a while for Notes to close.  This causes the shutdown procedure to pause and ask if we want to force Lotus Notes to quit or cancel.  Clicking cancel brings me back to windows and lotus notes.

    WITHOUT EVER LOGGING IN!!!

    I have tried it multiple times and it was repeatable.  I tried it with other applications that had a lot open and happened to take too long to close, and it happens.

     

    Anyone else able to repeat this?

    A few things that might have something to do with it is I have a custom image as the login image, not sure it would be the cause?
     

    Wow, that's insane. Is that really the default configuration for Vista?

    I'm going to try this out on XP, too. 



  • My laptop certainly doesn't do that...

    I'm going to assume for now that it's something to do with your docking station specifically. 



  • @misguided said:

    My laptop certainly doesn't do that...

    I'm going to assume for now that it's something to do with your docking station specifically. 

    Did you have an open document or program that was unsaved? It sounded like the, "Oops, you're trying to close the program w/o saving.." dialog was overriding the locked screen.

    In any case I don't think this is a huge issue, even if it consistently repeatable the person who is "breaking in" has physical access to the machine and the ability to restart it. Getting data off the laptop is trivial if you have physical access. Most people leave their bios in its stock state and the computer will boot off any media (cd, thumbdrive etc), so you can boot into another OS and grab whatever you want. Of course this is even easier. One more reason to not run as admin.

     The easy solution: remove vista, install linux, and run an encrypted file system.
     



  • @dubbreak said:

    remove vista, install linux, and run an encrypted file system.
    <hints id="hah_hints"></hints>

    Now you have two problems.
     



  • @dubbreak said:

    The easy solution: remove vista, install linux, and run an encrypted file system.
     

    HURR HURR USE LINUX WINBLOWS SUX PHYSICAL ACCESS HURRRRRRRRRRRRRRRRRRRRRR

    Thanks for the creative input. Here's a scenario for you: Alice is having a face to face meeting with corporate rival Trudy. Practicing due diligence, Trudy was swept for electronics before the meeting, to ensure that no funny business occurred. During the meeting, Alice is interrupted by Bob, who needs her help immediately extinguishing the fire that has suddenly and without explaination engulfed Charlie's prodigious neckbeard. Quickly tapping the "lock" command for her laptop, Alice asks Trudy to please wait, and rushes out of the room. Trudy, having a 2 minute window of opportunity thanks to the diversion, can now access Alice's laptop. She discovers the secret numbers Alice kept, including sensitive passwords and upcoming confidential plans. Trudy returns the laptop to the state in which she found it, and not long thereafter Alice returns to the room to resume the meeting.

    Two days later, "Alice" breaks into corporate, sabotaging the system and stealing an unknown amount of highly sensitive data. The IP resolves to the WinME machine of a 40 year old housewife in Tulsa, who noticed that her "confuser" was a lot slower than normal but figured that it just needed some WD-40.

    Let us review.

    • Trudy was physically searched before the meeting, and found to have only carkeys on her person.
    • Trudy, through a massive, gaping flaw in the security model of the OS, managed to gain undetectable, untracable physical access.
    • There is nothing that actually links Trudy to this crime except circumstance.
    • Using this breach in security, Trudy (or her agents) were able to escalate their access and cause prodigious damage.

    So, thanks for your great "Yeah if you have a boot disk you can get what you need anyway hurr" comment, but this is even more serious than that.



  • @dubbreak said:

    @misguided said:

    My laptop certainly doesn't do that...

    I'm going to assume for now that it's something to do with your docking station specifically. 

    Did you have an open document or program that was unsaved? It sounded like the, "Oops, you're trying to close the program w/o saving.." dialog was overriding the locked screen.

    In any case I don't think this is a huge issue, even if it consistently repeatable the person who is "breaking in" has physical access to the machine and the ability to restart it. Getting data off the laptop is trivial if you have physical access. Most people leave their bios in its stock state and the computer will boot off any media (cd, thumbdrive etc), so you can boot into another OS and grab whatever you want. Of course this is even easier. One more reason to not run as admin.

     The easy solution: remove vista, install linux, and run an encrypted file system.
     

    No, it is a huge issue.  You can transparently encrypt all of your private files in Vista, thus preventing access for reboots/password resets/etc.   This allows a complete bypass of locking procedures and thus full access to a user account.  How many admins leave their servers locked on the administrator account?  With physical access, you could own an entire domain.  This type of flaw is second only to a remote root exploit.  Having said that, I believe there is a way to disable shutdown from the lock screen, so that should provide a reasonable workaround.



  • Ok, I've got to say it... the real WTF is you're using Vista :)



  • I go to a lot of large meetings where people from competing companies all bring their company laptops. Standard practice at lunchtime is to activate the OS lock and use one of the physical locks (such as made by Kensington) to secure it to the desk while everyone troops out to eat. If I had Vista on my laptop all my secrets would be on someone else's flash drive by the end of lunch!

    Sure without this flaw someone could physically remove the hard drive from my laptop and clone it to another drive so that they could spend the next eleventy billion years bruteforcing the encryption, but that would look jolly suspicious to anyone even glancing into the room whereas it should be quite easy to use a simple app on a flash drive to copy everything without looking like anything untoward is happening.

    I am so glad that when I recently bought a new laptop I searched specifically for a model that came with XP! 



  • I gave this a shot on my home PC and asked some coworkers to give it a shot, too. So far we have not been able to recreate the issue. On my home machine I left an unsaved Word document open and then locked the PC and shut it down. I heard Windows' "Do you want to save?" dialog sound in the background, but I did not see anything. Perhaps if I had a hanging process like the OP I would have better luck breaking into my system, but I don't have any applications that consistently hang for me to test.

    Has anyone else had better luck recreating this?



  • @dhromed said:

    @XIU said:

    That's why I only allow shutdown when I'm logged in :P 

    Okay. so it's configurable?

    What's the default config for this? Mircosoft has a rep with me for some astoundingly bad defaults. 

    The default behavior is that you can shutdown any windows pc from the login prompt, you can however (by using group policy, with some good-hidden setting) disable this so that it's only possible for certain groups and hide it from the login screen completely. But I'm not sure what it will do if you press the power button.



  • @GettinSadda said:

    I am so glad that when I recently bought a new laptop I searched specifically for a model that came with XP! 

    The truth is revealed! Windows Vista was made to be crap to create even more sales of XP! It's genius!
     



  • @DOA said:

    Ok, I've got to say it... the real WTF is you're using Vista :)

    Especially if it's a corporate environment. Sometimes being slow as a snail on sandpaper is a good thing. IE 7 won't be rolling out where I contract for years (gov agency). They'll hold onto XP until they can't get licenses. 



  • @nerdydeeds said:

    @dubbreak said:
    @misguided said:

    My laptop certainly doesn't do that...

    I'm going to assume for now that it's something to do with your docking station specifically. 

    Did you have an open document or program that was unsaved? It sounded like the, "Oops, you're trying to close the program w/o saving.." dialog was overriding the locked screen.

    In any case I don't think this is a huge issue, even if it consistently repeatable the person who is "breaking in" has physical access to the machine and the ability to restart it. Getting data off the laptop is trivial if you have physical access. Most people leave their bios in its stock state and the computer will boot off any media (cd, thumbdrive etc), so you can boot into another OS and grab whatever you want. Of course this is even easier. One more reason to not run as admin.

     The easy solution: remove vista, install linux, and run an encrypted file system.
     

    No, it is a huge issue.  You can transparently encrypt all of your private files in Vista, thus preventing access for reboots/password resets/etc.   This allows a complete bypass of locking procedures and thus full access to a user account.  How many admins leave their servers locked on the administrator account?  With physical access, you could own an entire domain.  This type of flaw is second only to a remote root exploit.  Having said that, I believe there is a way to disable shutdown from the lock screen, so that should provide a reasonable workaround.

    Regardless of this hole, with physical access to a server you can own the entire domain. This doesn't make it any easier.

     With a server no one should have access to the power button w/o a physcal key and unlocking a rack (remember that is how this bug was instigated, shutting down with the power button).

     
    If you have admins running Vista and leaving their servers locked on the admin account you have bigger issues than this "hole".

     
    This isn't second only to a remote root exploit, it isn't second to a elevated privileges attack either. You require physical access to the machine (and the power button) to exploit this. If you have that access there are plenty of other ways to cause mischief as well. Yeah, it should be fixed quick and is an issue, but it is an avoidable issue (try logging out, it only takes me seconds to log in and out of my workstation). If data on your laptop is that important then carry it with you, that's what they were designed for!

    Give me 2 minutes alone with a laptop with XP and I'll grab data off it as well, and at worst you will notice it rebooted (although you will most likely forget that you locked the screen rather than logging out as your mind is probably on when and where you can procure another hot coffee).

     



  • @dubbreak said:

    Give me 2 minutes alone with a laptop with XP and I'll grab data off it as well, and at worst you will notice it rebooted (although you will most likely forget that you locked the screen rather than logging out as your mind is probably on when and where you can procure another hot coffee).

     

    Every once in awhile, I come back to find my computer had rebooted, closing the stuff I left open because I didn't want to forgot what I was working on. That's mostly thanks to Windows Update. So no, I wouldn't even notice that. :(

    Not to mention that if you grab the SAM file and manage to bruteforce (or rainbowcrack) the passwords, you can log them back in anyways.

    That being said, the main factor here is speed. Depending on what you're trying to do, it takes a few minutes to own a machine with a bootdisk, whereas it only takes a minute or two if you press their power button. It's much more likely that this one would work when the user has gone for coffee.

    Or you can wait till the boss tells the user to "come to my office right away" and the user runs off without locking his computer. That's the easiest way. :)



  • Yes, but the original poster didn't specify a server. He specified a laptop. You also did not address my scenario. Yes, with physical access, you can certainly take data off of it in some way. That doesn't mean that you can do it undetectably, nor can you gain access to something that's been sitting open on the desktop (potentially unsaved) or the user's open sessions (say.... vnc).

    This is worse because you're not only allowing the attacker to grab data from the machine, you're letting them do it WITH THE USER'S CORRECT CREDENTIALS.

    I could break into your house and copy everything off of your home machine while you were out, and you may not have even noticed that I was there. I would not, however, be able to break any sort of strong encryption on your sensitive datas.



  • @JamesKilton said:

    @GettinSadda said:

    I am so glad that when I recently bought a new laptop I searched specifically for a model that came with XP! 

    The truth is revealed! Windows Vista was made to be crap to create even more sales of XP! It's genius!
     

     Personally, the lack of available laptops with XP just drove me to buy a macbook.  First mac I've touched since 1995.
     



  • @XIU said:

    But I'm not sure what it will do if you press the power button.

    By default (in XP IIRC) it will prompt you as if you went to start->shutdown, this is easily changed by going to control panel (classic mode) -> power options -> advanced -> when I press my power button . . .

    The same option should be available in vista and in XP dummified control panel.



  • @rbowes said:

    Every once in awhile, I come back to find my computer had rebooted, closing the stuff I left open. That's mostly thanks to Windows Update.

    Turn that shit off, then. :) 



  • @dubbreak said:

    IE 7 won't be rolling out where I contract for years (gov agency). They'll hold onto XP until they can't get licenses.
    A government agency that's using XP? Yeah, right. Even the really quick-moving ones have only just finished replacing NT4 with 2k...



  • @dubbreak said:

    Especially if it's a corporate environment. Sometimes being slow as a snail on sandpaper is a good thing. IE 7 won't be rolling out where I contract for years (gov agency). They'll hold onto XP until they can't get licenses. 

    I think I'm misunderstanding your sentences.

    IE7 runs on XP.
     



  • I have not been able to repro this on my laptop.



  • @dubbreak said:

    @nerdydeeds said:

    No, it is a huge issue.  You can transparently encrypt all of your private files in Vista, thus preventing access for reboots/password resets/etc.   This allows a complete bypass of locking procedures and thus full access to a user account.  How many admins leave their servers locked on the administrator account?  With physical access, you could own an entire domain.  This type of flaw is second only to a remote root exploit.  Having said that, I believe there is a way to disable shutdown from the lock screen, so that should provide a reasonable workaround.

    Regardless of this hole, with physical access to a server you can own the entire domain. This doesn't make it any easier.

     With a server no one should have access to the power button w/o a physcal key and unlocking a rack (remember that is how this bug was instigated, shutting down with the power button).

     
    If you have admins running Vista and leaving their servers locked on the admin account you have bigger issues than this "hole".

     
    This isn't second only to a remote root exploit, it isn't second to a elevated privileges attack either. You require physical access to the machine (and the power button) to exploit this. If you have that access there are plenty of other ways to cause mischief as well. Yeah, it should be fixed quick and is an issue, but it is an avoidable issue (try logging out, it only takes me seconds to log in and out of my workstation). If data on your laptop is that important then carry it with you, that's what they were designed for!

    Give me 2 minutes alone with a laptop with XP and I'll grab data off it as well, and at worst you will notice it rebooted (although you will most likely forget that you locked the screen rather than logging out as your mind is probably on when and where you can procure another hot coffee).

     

    Physical access != domain ownage, though it makes it more likely.  Authenticated admin session = domain ownage.  That's the possibility, and that's why this is such a serious problem.

    Locks are meaningless in terms of physical access - pick and bump your way to success in seconds.  Physical access to a server does requires time to reboot and find useful data.  A monitoring service could notify admins if a server was rebooted for nefarious reasons, no monitoring system can catch a problem like this.

    If you can get data off an EFS-enabled XP laptop in two minutes, I'd be impressed.  If someone knows enough to lock their computer, they will notice that it's been rebooted.



  • @nerdydeeds said:

    Locks are meaningless in terms of physical access - pick and bump your way to success in seconds.

    There are locks which are considerably harder to pick - the high quality lever locks take 15 or 20 minutes to open. They're commonly used on safes, but are available for doors as well.

    You won't find them in your local hardware store - those are all useless junk. Every secure lock on the market has to be specially ordered from the manufacturer.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.