Windows 2008 Hacked?

Dean has put up a post explaining an architectural defect in the way Windows Server 2008 handles the Accessibility Options prior to login.

As Microsoft’s 3rd Law of Security states, if someone has physical access, then it’s not your box anymore. This is just another good reason why physical security is one layer in your security policy. You do have a multi-layered security policy, don’t you?

Really, this comes down to why MS would:

1. Give an anonymous console user the ability to kick off a SYSTEM-level process. DOH!
2. Not have the GINA validate what it is launching.
3. Have this as the default and not an option. DOH! Again!
4. Give SYSTEM Full Control over the Active Directory – Priceless!

Windows Server 2008 is moving in the right direction: attack surfaces are being reduced out of the box, producing a more secure, leaner OS, which is great. I guess they missed this one ….
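
The check a defender would want for point 2, as an added example that is not from Dean’s post or from this one: a PowerShell script, assumed to run elevated on the server being checked, that verifies the accessibility executables the logon screen can launch still carry a valid Microsoft Authenticode signature and have no Image File Execution Options debugger redirect. The list of executables is my assumption about which tools that covers.

```powershell
# Added example (not from the original post): verify that the accessibility
# executables reachable from the logon screen have not been tampered with.
# Assumptions: run elevated; $accessibilityTools is the assumed set of
# System32 accessibility tools the logon screen can launch as SYSTEM.
$accessibilityTools = @('utilman.exe', 'sethc.exe', 'osk.exe', 'magnify.exe', 'narrator.exe')
$system32 = Join-Path $env:SystemRoot 'System32'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary {
    param([string]$Name)
    $path = Join-Path $system32 $Name
    $result = [ordered]@{ Name = $Name; Exists = (Test-Path $path); Signed = $false; Signer = ''; Debugger = ''; Ok = $false }

    if ($result.Exists) {
        # Authenticode check: a replaced binary will not carry a valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signed = ($sig.Status -eq 'Valid')
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }

    # IFEO check: a Debugger value makes Windows start another program in place of this one.
    $ifeoKey = Join-Path $ifeoRoot $Name
    if (Test-Path $ifeoKey) {
        $dbg = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $result.Debugger = $dbg }
    }

    $result.Ok = $result.Exists -and $result.Signed -and ($result.Signer -like '*Microsoft*') -and (-not $result.Debugger)
    [pscustomobject]$result
}

$report = $accessibilityTools | ForEach-Object { Test-AccessibilityBinary $_ }
$report | Format-Table -AutoSize

$bad = $report | Where-Object { -not $_.Ok }
if ($bad) { Write-Warning "Accessibility tool(s) failing checks: $($bad.Name -join ', ')" }
```

On builds where these binaries are catalog-signed rather than carrying an embedded signature, Get-AuthenticodeSignature may report them as not signed; compare the file hashes against a known-good installation instead.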

The post is well worth a read, cheers Dean :)

WAIK 1.1

In the shadow of yesterday’s Microsoft RTM announcements, another product team has released a new version: the Windows Automated Installation Kit (WAIK) has been updated for Windows Server 2008 and Vista SP1.

According to the Microsoft Download page, this version of the WAIK tools supports the following operating systems:

Windows Vista
Windows Vista Service Pack 1
Windows Server 2008
Windows Server 2003 Service Pack 1 with KB926044
Windows Server 2003 Service Pack 2
Windows XP Service Pack 2 with KB926044

Microsoft’s Michael Niehaus advises:

It also includes the new Windows PE 2.1 version, a minor update to the existing Windows PE 2.0 version. Images created with WAIK 1.0 are fully compatible with those created with WAIK 1.1 — there are no changes to the WIM file format.