January 04, 2001, 11:05 AM — MICROSOFT HAS ANNOUNCED that its consumer products -- Windows 95, 98, and Me -- are vulnerable to a utility available on the Internet that allows a person to get into password-protected file shares without knowing the entire password. This makes it easier for an unauthorized person to open or delete files.
The problem affects only Windows 9x and Me. Windows NT and Windows 2000 use a different password scheme and are not open to this utility, but there's a separate problem in Windows 2000, described later in this column.
The weakness in Windows 9x and Me concerns only "share-level security." It does not affect "user-level security," such as the access controls available if a Windows 9x machine is part of a Windows NT or Windows 2000 domain.
As of press time, Microsoft has released patches that can be run on Windows Me and Windows 98 Second Edition to correct the weakness. By the time you read this, Microsoft also should have a solution for Windows 95 and the original Windows 98.
Of course, the fix won't cure the inherent weaknesses of Windows 9x's password scheme. Please see reader Ken Oden's comments within the following section for more information on this.
Locking Windows 2000 and 9x
In my Oct. 9 column ("A quick and easy way to secure a Windows 9x/2000, NT machine, and a new TweakUI"), I warned that a password-protected screen saver doesn't password-protect Windows 2000 if the saver is launched manually, such as from a command line.
I recommended Microsoft article Q262646 on this subject. You can find it on the Microsoft Web site at support.microsoft.com/support/kb/articles/Q262/6/46.ASP. You should also read article Q228160, which you can jump to from this article.
I provided a command for people who want to protect their Windows 2000 workstation with a single keystroke when walking away (instead of allowing 15 minutes or whatever for a preprogrammed delay to kick in). Unfortunately, an editing error at InfoWorld.com caused an extra space to be inserted into that command line, which I stressed was "space- and case-sensitive." The corrected Windows 2000 command line is rundll32 user32.dll,LockWorkStation (one space after rundll32, none elsewhere).
I noted that this command could be placed on an unused numeric keypad key. Tapping the keypad's Minus key, for example, would password-protect a Windows 2000 workstation more quickly than the finger-twisting Ctrl+Alt+Delete combo, followed by Enter.
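As an added example that is not part of the original column, the following PowerShell script places the same rundll32 command on a desktop shortcut and assigns it a keyboard hotkey; the shortcut path and the Ctrl+Alt+L hotkey are my assumptions (a Windows shortcut hotkey must include a modifier key, so binding a bare keypad key as the column describes requires a separate key-remapping tool).

```powershell
# Added example: create a "lock workstation" shortcut with a hotkey.
# Assumptions: shortcut is saved to the current user's desktop and bound
# to Ctrl+Alt+L. Only the rundll32 command itself comes from the column.

$lockTarget = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$lockArgs   = 'user32.dll,LockWorkStation'   # space- and case-sensitive
$lnkPath    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Lock Workstation.lnk'

# WScript.Shell is the COM object that can write .lnk files, including the Hotkey field.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath   = $lockTarget
$lnk.Arguments    = $lockArgs
$lnk.Description  = 'Lock this workstation immediately (rundll32 user32.dll,LockWorkStation)'
$lnk.WorkingDirectory = $env:SystemRoot
$lnk.Hotkey       = 'CTRL+ALT+L'             # assumed hotkey; must include a modifier
$lnk.Save()

# Read the shortcut back and confirm the command line was written without stray spaces.
$check = $wsh.CreateShortcut($lnkPath)
if ($check.Arguments -cne $lockArgs) {
    throw "Shortcut arguments were altered: '$($check.Arguments)'"
}
Write-Host "Created $lnkPath bound to $($check.Hotkey)"
```

Shortcut hotkeys only fire while the shortcut sits on the desktop or in the Start menu, so keep the file there rather than moving it elsewhere.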
Reader John Wagner commented that a time delay is enough for most of his company's users. "For others who wish to lock down every time they leave their computer," he writes, "the Ctrl+Alt+Delete and Enter doesn't seem to be a problem."