How do I log on using a dial-up connection on Windows Vista?


Mike Stephens from the Group Policy Team Blog explains how to get "Log on using dial-up connections" working on Windows Vista.

But I'm posting to respond to a comment on that page, since that falls under the category of "When people ask for security holes as features."

The only problem is all users need to have access to an account with local admin privileges [in order to set this up].

The implied request is that non-administrative users be allowed to create dial-up connections that can be used for logging on. This request falls into the category of "When people ask for security holes as features"; in this case, it's a repudiation security vulnerability. Here's how.

A non-administrative user creates a dial-up networking connectoid and marks it as available for use during logon. For the phone number, the non-administrative user uses a voting number for a television reality show, one that charges $2 per call. (If you are more mercenary, you can arrange to set up a phone number that charges $50/minute and agree to split the profits.) The non-administrative user then logs off and waits.

When the show starts, the non-administrative user then goes up to the computer and instead of logging on normally, goes to the dial-up connection button and selects the dial-up connectoid. The non-administrative user then proceeds to make dozens of failed logon attempts with that connectoid, under bogus user names like SanjayaRocks or WilliamHung4Ever. Each failed logon attempt casts a vote for the contestant, and (here's the important part) since nobody is actually logged on, you can't prove who made the calls.

Some time later, the non-administrative user logs on and deletes the dial-up networking connectoid, to clean up afterward.

The next month, the system administrator gets the phone bill and sees $100 worth of calls to the television show. The system administrator goes to the audit logs to see who made those calls, only to find that they were made by nobody. Even if the system administrator finds the logs for the non-administrative user having created and subsequently deleted the offending dial-up networking connectoid, that's just circumstantial evidence. "I created those for fun, as a joke. I never actually used them. It must've been just somebody walking past the machine who saw that they could use it to vote for Sanjaya."
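The attribution gap described above, worked through as an added example (not part of the original post): it replays constructed audit records and tries to tie each call to an authenticated session. The record format, the user names `alice` and `admin`, the phone numbers and the single-console-session model are all assumptions made up for illustration.

```python
from datetime import datetime

# Constructed audit records in a made-up format (not real Windows event data):
# (timestamp, event, name recorded with the event, phone number).
# For a "dial" event the name is whatever was typed; it is not authenticated.
# "alice" creating a logon connectoid models the requested (not actual) feature.
EVENTS = [
    ("2008-03-01 09:00", "connectoid_create", "admin", "555-0199"),
    ("2008-03-04 17:02", "logon", "alice", None),
    ("2008-03-04 17:05", "connectoid_create", "alice", "555-0100"),
    ("2008-03-04 17:06", "logoff", "alice", None),
    ("2008-03-04 20:00", "dial", "SanjayaRocks", "555-0100"),
    ("2008-03-04 20:01", "dial", "WilliamHung4Ever", "555-0100"),
    ("2008-03-04 21:30", "logon", "alice", None),
    ("2008-03-04 21:31", "dial", "alice", "555-0199"),
    ("2008-03-04 21:32", "connectoid_delete", "alice", "555-0100"),
    ("2008-03-04 21:40", "logoff", "alice", None),
]


def _when(event):
    return datetime.strptime(event[0], "%Y-%m-%d %H:%M")


def attribute_calls(events):
    """Return one record per call: the authenticated session user at that
    moment (None when dialed from the logon screen), the unverified name
    that was typed, and who ever configured a connectoid for the number."""
    session_user = None
    configured_by = {}  # number -> users who created a connectoid for it
    calls = []
    for stamp, kind, name, number in sorted(events, key=_when):
        if kind == "logon":
            session_user = name
        elif kind == "logoff":
            session_user = None
        elif kind == "connectoid_create":
            configured_by.setdefault(number, set()).add(name)
        elif kind == "dial":
            calls.append({
                "time": stamp,
                "number": number,
                "caller": session_user,   # the only identity that is proven
                "typed_name": name,       # free text, proves nothing
                "configured_by": sorted(configured_by.get(number, ())),
            })
    return calls


def unattributed_cost(calls, charge_per_call):
    """Total charge for calls that no authenticated session accounts for."""
    return charge_per_call * sum(1 for c in calls if c["caller"] is None)


if __name__ == "__main__":
    calls = attribute_calls(EVENTS)
    for call in calls:
        print(call)
    print("unattributed charges: $%d" % unattributed_cost(calls, 2))
```

The two calls placed from the logon screen come back with `caller` set to `None`: the log records the time, the number and the typed name, and the creation record points at `alice`, but nothing ties her to the act of dialing.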

Comments (31)
  1. Rick C says:

    "I was just creating it as a joke" isn’t a valid excuse, as it doesn’t establish plausible deniability.

    When I was a freshman in college, some twerp would constantly use write to send messages to other logged in users.  Usually stuff that was not quite gibberish.  It was very annoying.  Whenever challenged about it, he’d act indignant and swear it wasn’t him–he’d left the computer on and someone must’ve walked in and done it.

    That excuse gets old after the 23rd time.  Lock your damn machine.  People took to raining or catting /etc/hosts (back at this time, a big college could have a HUGE hosts file) into his terminal.  Really sucked at 1200 baud speeds.

  2. gedoe says:

    and that is assuming that the logon procedure is solid enough not to be tricked into thinking it’s connected to the domain and authenticates you based on a bogus dial up connection… (because you can then sneak your way to the other side of the airtight seal, you were a nobody, created a dial up connection, logon again and hey suddenly you have local admin rights because this bogus domain says so) I don’t know if you could but even if there is a remote possibility it looks to me that you should indeed have admin rights to set this up

  3. MadQ1 says:

    But the non-administrative user was already on the other side of the air-tight hatch. If he could dial the number using a PC, he could also have dialed it while the PC was turned off by plugging in a telephone. “It wasn’t me! The PC wasn’t even running! Check the event log!” That’s not a security hole in the OS.

    Security is hard. The administrator should go shopping for a phone system that lets him block toll numbers und such.

    [Your attack requires physical access to the computer. -Raymond]
  4. nouidd says:

    Surely the connection can be added while joining a domain  (manually, scripted, whatever)? Surely it should be possible to let a connection be established before logging on without risking privilege escalation (unless a security vulnerability somewhere in the process of establishing that connection can be exploited)? (And to deny a non-administrative user to mark a connection as available for use during logon.)

    Sorry, I don’t quite see a technical reason why allowing a dial-up connection to be established before logging on directly implies requiring privilege escalation.

    [Please at least have the courtesy of objecting to something I actually wrote. Nowhere did I write “privilege escalation”. -Raymond]
  5. alex.r. says:

    MadQ

    Not necessarily, the actual computer with a phone connection could have been in different room with restricted physical access.

    I agree with the second part of your comment though :)

  6. MadQ1 says:

    Raymond, alex.r.: Point taken.

    Still, IMHO it’s not the OS vendor’s responsibility to secure their customer’s phone lines. I guess it would be nice if the hammer I bought came with a thumb-protector, but blaming Stanley for my black thumb if it didn’t is kinda silly.

    [I don’t see how one goes from “It is not the OS’s responsibility to secure the customer’s phone lines” to “It is okay for the OS to make it impossible to secure the customer’s phone lines.” Imagine if Stanley added a feature that allowed people to smash your thumb with their hammer anonymously. -Raymond]
  7. Bryan says:

    Remember it wouldn’t even have to be a toll free number.  Gedoe’s situation would be a huge security hole.

  8. Triangle says:

    “Each failed logon attempt casts a vote for the contestant, and (here’s the important part) since nobody is actually logged on, you can’t prove who made the calls.”

    Can’t the logon agent (GINA?) record the time, machine, fake username and number that was dialed? That should be more than enough to create an audit trail.

    “I created those for fun, as a joke. I never actually used them. It must’ve been just somebody walking past the machine who saw that they could use it to vote for Sanjaya.”

    Would you honestly believe someone who told you they created a connectoid with Sanjaya’s number just for fun ?

    [Yes, the audit trail would log all that, but that doesn’t prove who actually made the calls. (And you’re saying you’ve never written a “format c:” batch file just for fun – even if you had no intention of actually running it?) -Raymond]
  9. Brian says:

    That’s kind of like saying, "yeah, I put the bucket of water above the door but I didn’t dump the water on him when he walked through it!"

  10. Josh says:

    More like: I filled the bucket of water, but someone else put it above the door.  It’s a significant difference.

  11. MadQ1 says:

    >[I don’t see how one goes from “It is not the OS’s responsibility to secure the customer’s phone lines” to “It is okay for the OS to make it impossible to secure the customer’s phone lines.”

    That makes two of us. The OS doesn’t make it impossible to secure the customer’s phone lines. The phone system should take care of it. Besides, it would be next to impossible for the OS to get it right all of the time. For example, in Austria you even have to pay for hearing a busy signal. It would be feasible to keep one PC connected, and have another repeatedly call the busy number. (Yeah, I know it’s a weak example, but you smell what I’m stepping in.)

    To abuse the analogy some more: Stanley is in the business of making hammers. They take pride in their work (I assume,) so they care whether their products perform as advertised, but if anonymous people start banging on random thumbs with them, that’s not Stanley’s problem. Otherwise, where would it stop? People will start demanding that Stanley protect them from splinters as well.

    Either way, we’re probably just going to have to agree to disagree on this one; there isn’t always one correct answer. Is it the bullet that kills, or the gun? Oh, and the glass is always 100% full: half water and half air.

    [Okay, I’ll suggest that Stanley add a feature where anybody can go to a web site and click “Bang MadQ on the fingers” and boom, your fingers get mashed anonymously. Even if you took all reasonable steps to lock up the hammer in a case, their “remote mashing” feature lets them bypass the case lock and mash your fingers. That’s not Stanley’s problem. -Raymond]
  12. steveg says:

    The only problem is all users need to have access to an account with local admin privileges [in order to set this up].

    Do you need local admin privileges to set up any network connection in Vista or are modem connections an exception? I’m wondering specifically about wireless connections.

    Actually, thinking about it, I think all network connections should require local admin — it’d be crazy to allow a low-privilege user to log on to an unencrypted network (think work environment, not home).

    I think I’ve answered my own question. Sorry to waste your time!

  13. Stephen Jones says:

    You’ve chosen a bad example here, Raymond, and you’re digging yourself deeper trying to defend it. If a company allows calls to premium lines then it is irrelevant whether they are done from a computer with nobody logged on or from a standard phone.

  14. steveg says:

    You’ve chosen a bad example here, Raymond

    I disagree. It’s a very interesting example of a security hole that appears in an unexpected place.

    Replace "I created that modem account as a joke" with "oh… right that was the modem account I tested on that PC 6 months ago" and you’re in the same position: an audit trail you can’t use in court, or to fire somebody (although firing somebody does not require any particular level of due process or follow any established rules of evidence from what I’ve seen, which is a shame).

    And also getting beyond the login screen scenario, it’s A Good Thing you need local admin rights to avoid malware creating dial-home connections.

    This blog (like any tech discussion on this interthingy) often focuses on the minutiae and misses the bigger broad brushstroke implications of what the post was about: Sometimes a seemingly innocuous request has potentially serious side effects.

  15. MadQ1 says:

    Oh yeah? Well my PC can beat up your PC! Nanny nanny boo boo! [Visual of Guybrush Threepwood™ retreating three steps]

  16. nobody in particular says:

    I can not understand most of the discussion here:

    What the fuss about an administrative task like setting up a dial-up connection requiring administrative privileges?

    And why is Raymond so fiercely fighting for his bogus example? The task of blocking unwanted phone numbers is done by the phone system: Asterisk is your friend.

    To me it seems as if Raymond (and thus Microsoft) should much more confidently push the point how only administrators do administrative tasks and how they are free to shoot themselves in the foot without being nannied by Microsoft.

  17. oh man says:

    oh raymond, you’re so smart, you and microsoft always know what’s the best for people, that’s why people love Vista so much, they’d rather install latest Ubuntu ;)

    look at the sales asshole!!! people know better what they want!

    ps. vista’s GUI is a total disaster, inconsistency everywhere, Segoe UI used in 50% dialogs, different styles, broken USER32.dll

  18. poochner says:

    I’m with nobody.  Creating the system dialup connection is obviously an administrative task, and should require admin privilege.  As long as the user name / password you put in for step 4 are the ones for the normal non-admin user, I don’t see what the problem is.  The system is only going to dial the number the admin put in the connection, right?

  19. Will says:

    So Raymond chose an off the wall and somewhat unlikely example.  He’s commenting on the principle.  What a bunch of twits you are.

    Not every company has a versatile phone system.  The number could be a foreign number rather than a typical pay number and the company may have offices, employees, or business contacts there – meaning the country can’t be blocked.  The number could be a local number that’s dialed to signal to a pal – security went on lunch, the money’s in the office, I crashed the DB so IT is too busy to notice your intrusion.  There could be an exploit that would allow an outsider to crash the login, escalate privilege, and take control of the system through that connection.  Remember that, just because you lock your workstation when away, don’t tape your password to your monitor, and aren’t given the same simple password as everyone else in the company, doesn’t mean a lot of others aren’t.

  20. Cgomez says:

    I think after so many years of running as admin, people who regularly have used Windows want to start running as non-admin, but they still want all the rights or privileges they had before.

    It’s not a big deal to have your admin set up your machine.  That’s the point of admin.

  21. Bryan says:

    poochner, oh man, and nobody might have a valid point if they weren’t most likely the people on the front line of the anti-microsoft crusade regarding administrative privileges and what-not.  It’s highly ironic that the same people who touted the "XP IS INSECURE" are the same people who now carry the "Vista is too secure!" banner.  It’s just mindless Microsoft hate.

    I personally would be very against an admin being able to create a log on dial-up connection.  I can’t really even think of why you’d want to do that as a regular user.  On the other hand, I can think of a lot of obscure reasons why you would not want to allow it.

    Part of Windows’ value (especially lately) is thinking of the strange security issues so that other people don’t have to.

  22. poochner says:

    So the problem is that JRandomYahoo can ding away at the login dialog?  At least they’re calling a number the admin put in there.  If that costs me money, it’s at worst a toll call I’ve (presumably) gotten negotiated as well as I can with my telco because I expect to be using it.   That’s not much different than somebody repeatedly calling my 1-800 line and asking about Prince Albert in a can.

    Admittedly, I may have no pull with my telco at all.

  24. Triangle says:

    Thursday, March 06, 2008 10:55 PM by steveg

    "Replace "I created that modem account as a joke" with "oh… right that was the modem account I tested on that PC 6 months ago" and you’re in the same position"

    Then the issue is that you leaked, not that you created it, as in: http://blogs.msdn.com/oldnewthing/archive/2006/07/03/655251.aspx

    (And you’re saying you’ve never written a "format c:" batch file just for fun – even if you had no intention of actually running it?)

    Not at work.

    <offtopic> Mr. Chen do you play any musical instrument? </offtopic>

  25. Friday says:

    I never complained about security.

    And then came Vista.

    And I keep using XP until I can.

    It’s simple as that.

  26. poochner says:

    -Bryan, I don’t think you get what my question was.  I’m not anti-MS.  If I’m reading the blog right, it seems that to be “not too hard, not too soft, just right.”  But if Raymond brings it up, I don’t think I’m reading it right.  That’s my point.  If only an administrator can *create* a connection, then that’s as it should be.  I wouldn’t want unprivileged users doing that.  I do want normal users to be able to use that connection to authenticate.

    (of course, if they can put in random phone numbers at login time, that would be a problem; I haven’t looked at that dialog)

    [Right. Only administrators can choose what telephone numbers the login dialog uses. Of course, once that’s done, anybody can use it. (Because you don’t know who the person at the keyboard is until you validate the password, which you can’t do until you call the number. Catch-22.) -Raymond]
  27. anony.muos says:

    I cannot migrate to Vista because of a similar "security perspective design change" i.e. the strong host networking model which reduced my comp’s connectivity…no choice given..I too have no choice in my region…so I’m stuck with XP.

  28. Ken Hagan says:

    Friday, March 07, 2008 7:42 AM by oh man

     "oh raymond, you’re so smart, you and microsoft always know what’s the best for people, that’s why people love Vista so much, they’d rather install latest Ubuntu"

    Ubuntu has the same administrative requirements, for the same reason. So your point is …?

  29. nouidd says:

    I agree with Poochner and Raymond. If there’s no risk of privilege escalation in establishing a dial-up connection (essentially an administrative task) and the only risk is placing expensive calls, unauthenticated users shouldn’t be allowed to alter the phone number. The only question remains then is why wasn’t this done instead of removing the option altogether? It would of course still be possible to hook up a phone to the modem or phone line and place calls easy and swift, so allowing the computer to dial a preset number doesn’t seem such a big deal to me. If the attacker is using your phone line, you have some control over it. If not, then any costs associated with the call aren’t yours. If the computer has built-in GSM, the attacker would have to rip out the SIM card, in which case it’s game over for the OS anyway. So the decision to remove the dial-up option doesn’t seem to make Windows much more secure. Didn’t there used to be a group policy on this? Changing the default policy would’ve been easier I guess.

  30. Hayden says:

    How do travelling execs manage?

    A wise IT person doesn’t give a manager admin on his laptop – not unless he wants to re-image/unspyware it every 3 months. But the exec wants to use (this is slightly old, with wireless in hotels) dial up wherever he travels. At the moment, the IT guy has to make the exec a local admin, so the exec can connect to the hotel/conference/local ISP dialup service.

  31. Obviously, creating a dialup connection and configuring the phone number should be a task limited to administrators.

    I’m not exactly sure, though, how it’s a problem to have the login box authenticate regular users via a pre-configured dialup networking connection that can only be modified by an administrator.

    Honestly, if my life sucks so bad that I need to alleviate boredom by making prank phone calls to a preconfigured RAS server phone number, I might just plug a phone in and dial as it would be much easier.
