[10581] in bugtraq
Re: Secure Storage of Secrets in Windows
daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Wed May 19 15:05:18 1999
Message-Id: <199905180037.UAA23804@hil-img-ims-4.compuserve.com>
Date: Tue, 18 May 1999 12:35:28 +0000
Reply-To: nick@virus-l.demon.co.uk
From: Nick FitzGerald <nick@VIRUS-L.DEMON.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
> The Win32 API provides such service. Although in the past it was
> found that its encryption was rather weak Microsoft claims to have
> fixed it, no one else has claimed otherwise, and it's better than
> nothing. (References:
> http://www.netsys.com/firewalls/firewalls-9512/0442.html
> http://www.geek-girl.com/bugtraq/1995_4/0138.html ).
>
> So here is a reminder to Windows application programmers that you can
> use WNetCachePassword and WNetGetCachedPassword, which in some
> documentation MS calls the Master Password API.
Indeed.
And for admins who wish to prevent user machines from caching
passwords the following Win9x REG file may be useful (note the blank
line after the REGEDIT4 header; regedit rejects the file without it):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
    "DisablePwdCaching"=dword:00000001

Apply that to a client machine, then nuke all PWL files in the Windows
dir, and you need not worry whether future vulnerabilities might open
you to exposure from cached passwords.
I imagine there is something similar for NT. Anyone know the
details?
Regards,
Nick FitzGerald
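A small audit helper, added here as an example and not part of the original post: it parses a REGEDIT4 export (the format produced by Win9x "regedit /e") and reports whether the Policies\Network key above actually carries DisablePwdCaching=1, so an admin can confirm the policy on a machine without trusting that the .reg import succeeded. The sample export is constructed; the parser assumes only dword and string values matter for this check.

```python
import re

# Constructed sample of a REGEDIT4 export covering the policy key from the
# post. The blank line after REGEDIT4 is part of the format.
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network]
"DisablePwdCaching"=dword:00000001
"Comment"="constructed sample"
"""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key_lower: {value_name: value}}.
    Handles dword: and quoted string data; other data types stay as raw text.
    Key paths are lowercased because registry key names are case-insensitive."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    if len(lines) < 2 or lines[1].strip() != "":
        raise ValueError("REGEDIT4 requires a blank line after the header")
    keys, current = {}, None
    for line in lines[2:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % line)
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data
    return keys


def pwd_caching_disabled(text):
    """True only if the policy key exists and DisablePwdCaching is exactly 1."""
    values = parse_regedit4(text).get(POLICY_KEY.lower(), {})
    return values.get("DisablePwdCaching") == 1


if __name__ == "__main__":
    print("password caching disabled:", pwd_caching_disabled(SAMPLE_REG))
```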