March 6th, 2008

How do I log on using a dial-up connection on Windows Vista?

Mike Stephens from the Group Policy Team Blog explains how to get “Log on using dial-up connections” working on Windows Vista. But I’m posting to respond to a comment on that page, since that falls under the category of “When people ask for security holes as features.”

The only problem is all users need to have access to an account with local admin privileges [in order to set this up].

The implied request is that non-administrative users be allowed to create dial-up connections that can be used for logging on. This request falls into the category of When people ask for security holes as features; in this case, it’s a repudiation security vulnerability. Here’s how. A non-administrative user creates a dial-up networking connectoid and marks it as available for use during logon. For the phone number, the non-administrative user uses a voting number for a television reality show, one that charges $2 per call. (If you are more mercenary, you can arrange to set up a phone number that charges $50/minute and agree to split the profits.) The non-administrative user then logs off and waits. When the show starts, the non-administrative user then goes up to the computer and instead of logging on normally, goes to the dial-up connection button and selects the dial-up connectoid. The non-administrative user then proceeds to make dozens of failed logon attempts with that connectoid, under bogus user names like SanjayaRocks or WilliamHung4Ever. Each failed logon attempt casts a vote for the contestant, and (here’s the important part) since nobody is actually logged on, you can’t prove who made the calls. Some time later, the non-administrative user logs on and deletes the dial-up networking connectoid, to clean up afterward.

The next month, the system administrator gets the phone bill and sees $100 worth of calls to the television show. The system administrator goes to the audit logs to see who made those calls, only to find that they were made by nobody. Even if the system administrator finds the logs for the non-administrative user having created and subsequently deleted the offending dial-up networking connectoid, that’s just circumstantial evidence. “I created those for fun, as a joke. I never actually used them. It must’ve been just somebody walking past the machine who saw that they could use it to vote for Sanjaya.”

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.