Friday, 29 March 2013

Windows 7 … I can remember the password now!!!

Password Recovery Disk

Did a little experiment with Windows 7 on a Hyper-V VM.

Created a fresh user account on a non-domain VM.

Attached and formatted a Virtual Floppy.

Created a password recovery disk for this new user.

Got the password wrong and reset the password multiple times using the password reset disk.

Logged on as a local admin and reset the test account password. I expected this to make the password recovery disk useless … NO … could still use the password recovery disk to reset the password to get back into the user account.

Okay, what about encrypted files?

Created a very important text document and encrypted it.

If you log on as local admin and change the password, the user should NOT be able to get back into the file.

Logged on as the user with the changed password and could NOT access the encrypted file as expected.

What if … I can remember the password now!!

Used the password recovery disk to change the password back to the one used when the file was encrypted and I could get back into the encrypted file.

What if I change the password again using the Password Recovery Disk … YES … can still get into the encrypted file.

Useful tool or great big gaping security hole!!!

You decide …
