No, You Don't Need to Disable Password Recovery Questions on Windows 10

Recently a group of researchers described a scenario wherein password recovery questions were used to break into Windows 10 PCs. This has led to some suggesting disabling the feature. But you don’t need to do this if you’re a home computer user.

So, What's Going on Here?

As Ars Technica first reported, Windows 10 has added the option to set password recovery questions on local accounts in the past year. Security researchers delved into this and discovered that on a business network this could lead to potential vulnerability.

Right off the bat, you can spot two important points there:

  • First, the entire scenario relies on computers joined to a domain network—the kind you'd find on a business network with managed computers.
  • Second, the vulnerability applies to local accounts. That's particularly interesting because if your PC is part of a domain, you're almost certainly using a centralized domain user account and not a local account. And security questions are not allowed on domain accounts by default.

There’s also a third point that’s even more important. All of this requires the malicious actor first to gain administrator-level access on the network. From there, they could then identify machines connected to the network that still have local accounts and then add security questions to those accounts.

Why bother?

The idea is that if admins discover and revoke the malicious actor’s access, subsequently changing all the passwords, the actor could, in theory, make their way back into the network to these machines and use their custom questions to reset those passwords and regain full access.

The researchers suggested they could also use a hashing tool to determine the previous password, and then restore the old password to hide their access. The trouble here is that most domain networks don't allow reused passwords by default.

When Ars Technica asked Microsoft for comment, the response was short:

The described technique requires an attacker to already possess administrator access

While that might seem obtuse at first, what Microsoft is implying is right, and it brings us to the real crux of the matter. Once a malicious actor has administrative-level access on a network, the potential damage and avenues of attack go far beyond simple password reset tricks. And if a network is robust enough to prevent the malicious actor from ever gaining administrative-level access, then all of this is moot.

So, in the end, our malicious attacker would need to gain administrator-level access to a business network that uses a Windows domain, find computers that might have local accounts on them, and then create security questions so that they could get back into those computers if they are discovered and locked out. And we’re supposed to be worried about that when their administrator-level access gives them the ability to do so much more harm already.

Got It. So, Does This Apply to Me?

If you’re using a Windows 10 computer at home, the short answer is almost certainly not. And here’s why:

  • Your home PC is most likely not joined to a domain.
  • Even if it were, you'd have to be using a local account, and most people on Windows 10 are probably using a Microsoft account to sign in. This is because Windows 10 requires using a Microsoft Account for many features to work correctly. And while you can take a few extra steps to create a local account instead, Microsoft doesn't make it the most obvious choice. If you are using a Microsoft Account, then you don't have the option to use password reset questions.
  • To take advantage of this, someone would need to have either remote or physical access to your PC. And with that level of access, password reset questions are the least of your worries.
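The following PowerShell audit is added here and is not part of the original article or the research it describes; it checks, on the machine it runs on, the conditions both of the lists above hinge on: whether the PC is domain joined, which enabled accounts are purely local rather than Microsoft-account sign-ins, and whether the "Prevent the use of security questions for local accounts" policy is already in effect. The registry path and value name for that policy are taken from Microsoft's Credential User Interface policy template and are an assumption of this script, not something the article states.

```powershell
# Added audit script, not from the article. Run in an elevated PowerShell 5.1+
# session on Windows 10; Get-LocalUser comes from the built-in LocalAccounts module.

# 1. Is this PC joined to a domain? The described scenario needs a domain network.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainInfo = [PSCustomObject]@{
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
}

# 2. Which enabled accounts are purely local? Microsoft-account sign-ins report
#    PrincipalSource = MicrosoftAccount and cannot use reset questions at all.
$localOnly = @(Get-LocalUser |
    Where-Object { $_.Enabled -and $_.PrincipalSource -eq 'Local' } |
    Select-Object Name, LastLogon, PasswordLastSet)

# 3. Is the policy that blocks security questions on local accounts set?
#    Registry location assumed from the Credential User Interface ADMX policy.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$pol = Get-ItemProperty -Path $polPath -Name NoLocalPasswordResetQuestions `
       -ErrorAction SilentlyContinue
$questionsBlocked = ($null -ne $pol) -and ($pol.NoLocalPasswordResetQuestions -eq 1)

# The research scenario only matters when all three hold: domain joined,
# enabled local-only accounts present, and questions not blocked by policy.
$matchesScenario = $domainInfo.PartOfDomain -and ($localOnly.Count -gt 0) -and (-not $questionsBlocked)

($domainInfo | Format-List | Out-String).Trim()
"Enabled local-only accounts ($($localOnly.Count)):"
($localOnly | Format-Table -AutoSize | Out-String).Trim()
"Security questions blocked by policy: $questionsBlocked"
"Matches the domain + local-account scenario: $matchesScenario"
```

On a typical home PC the first line reports PartOfDomain = False and the local-only list is empty or holds only accounts you created yourself, which is the article's point.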

So, the chances are very high that none of this research applies to you. But even if you are using a local account joined to a domain, all of this comes down to an age-old set of questions. How much convenience should you give up in the name of security? Conversely, how much security should you give up in the name of convenience?

In this case, the chances of a bad actor accessing your machine and using security questions to gain full control are incredibly remote. And the chances of forgetting your password and needing the questions are a little higher. Take stock of your situation, and make the best choice for you.

Translated from: https://www.howtogeek.com/398389/no-you-dont-need-to-disable-password-recovery-questions-on-windows-10/