Bugtraq mailing list archives

RE: Windows XP security concerns


From: "Geoff Sweet" <gsweet () worldvision org>
Date: Thu, 20 Dec 2001 10:42:13 -0800

Commenting on the loss of user data below:  I don't think this is a critical
issue.  By default Win2K/XP adds the local Administrator as an Encrypted Data
Recovery Agent.  So while the pain-in-the-arse factor is there of needing to
reset the password via the admin account, any encrypted data won't be lost
due to loss of the private key.  The Administrator can still recover the data,
then the user can re-encrypt it with his/her new credentials.

Geoff Sweet
Systems Engineer
World Vision (www.worldvision.org)

II. Problem with reset password disk

Windows XP introduced a new feature - "Password Reset Disk", which can be used
to recover a user account and personalized computer settings if a user forgets
his password.

The problem is that in certain conditions (Minimum password age <> 0) the
user may not be able to reset his password using the above-mentioned disk,
and the only solution is the reset password feature available to the
Administrator.
First, make sure the "Minimum password age" policy is set to a value
other than 0.
Now, supposing the user forgets his password before its age expires,
he will not be able to reset it with the disk until the password
expires.

What's more, changing the password by an Administrator using MMC or the
control panel (in other words - GUI) leads to user data loss (i.e. EFS files)
because of private key loss.
The only solution seems to be the "net user" command issued by an
administrator.
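Neither message above gives an administrator a way to check, before forcing a
reset, whether the two conditions they argue about actually apply on a given
machine. The script below is an added example written for this archive page; it
is not code from either poster or from Microsoft. It reads the local "Minimum
password age" setting from the output of "net accounts" (the condition the
original post says blocks the Password Reset Disk) and then enumerates files in
the target user's profile that carry the EFS Encrypted attribute, i.e. the data
that is at stake if the private key is lost. It assumes PowerShell 3.0 or later
running elevated, and that the profile lives under the usual %SystemDrive%\Users
tree; the -UserName and -ProfileRoot parameters are the script's own, not
anything from the thread.

```powershell
# Added example, not from the original post. Pre-flight check before an
# administrator resets another user's password on a Windows box.
# Assumes PowerShell 3.0+ (for Get-ChildItem -File), run elevated.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    # Assumed default profile root; override on systems with relocated profiles.
    [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
)

# (a) Local password policy. "net accounts" prints one setting per line,
#     e.g. "Minimum password age (days):    0". Parse the trailing number.
$accountsOutput = net accounts
$minAgeLine = $accountsOutput | Where-Object { $_ -match 'Minimum password age' }
$minAgeDays = 0
if ($minAgeLine -and ($minAgeLine -match '(\d+)\s*$')) {
    $minAgeDays = [int]$Matches[1]
}

if ($minAgeDays -gt 0) {
    $msg = "Minimum password age is $minAgeDays day(s): a user who forgets the " +
           "password inside that window cannot use a Password Reset Disk."
    Write-Warning $msg
} else {
    Write-Host "Minimum password age is 0: the Password Reset Disk is usable immediately."
}

# (b) EFS-encrypted files in the user's profile. EFS sets the Encrypted file
#     attribute itself, so testing the attribute needs no certificate access.
$profilePath = Join-Path $ProfileRoot $UserName
if (-not (Test-Path -LiteralPath $profilePath)) {
    throw "Profile path not found: $profilePath"
}

$encrypted = @(Get-ChildItem -LiteralPath $profilePath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 })

if ($encrypted.Count -gt 0) {
    $msg = "$($encrypted.Count) EFS-encrypted file(s) found under $profilePath. " +
           "Before resetting the password from the admin side, confirm a recovery " +
           "agent can decrypt them; on Windows Vista and later 'cipher /c <file>' " +
           "lists the users and recovery certificates that can open a file."
    Write-Warning $msg
    $encrypted | Select-Object -First 20 FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "No EFS-encrypted files found under $profilePath."
}
```

Run it as `.\Check-ResetRisk.ps1 -UserName jdoe` (the script name is arbitrary).
The attribute test is deliberately used instead of `cipher` for the scan itself,
because it works on every NTFS volume and does not depend on which recovery
agents happen to be configured; `cipher /c` is only suggested for the follow-up
question of who can actually recover a given file.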
