Seems like a bug to me, even if the security risk isn't huge. Windows XP doesn't allow you to create a _new_ user with a name that already exists. Why should it allow you to rename a user to one that already exists?
-Mark

----- Original Message -----
From: "Jones, Bob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 23, 2002 8:37 PM
Subject: Win XP - Renaming administrator, possible vulnerability?

> Greetings to all,
>
> I've noticed on my WinXP machines that if I rename an existing user to
> another name (doesn't matter what), and rename the Administrator account to
> the former name of that user account, I could log in to more than one
> account with this name, simply depending upon which password was entered.
> Something is not right with this, but I'm not at a level to determine
> whether this can pose any kind of security vulnerability or not. Microsoft
> says: "Since you must enter the password for the accounts then the system
> is operating by design." Is this just a strange bug?
>
> For example:
> Rename user account "user1" to "someone"
> Rename administrator account "administrator" to "user1"
> Now with user1 entered in the login field, and user can enter either
> password to gain access to either account.
>
> Any thoughts/explanations/insights?
>
> Cheers!
>
> Bob Jones
>
