Bugtraq mailing list archives

Re: Secure Storage of Secrets in Windows


From: nick () virus-l demon co uk (Nick FitzGerald)
Date: Tue, 18 May 1999 12:35:28 +0000


The Win32 API provides such service. Although in the past it was
found that its encryption was rather weak, Microsoft claims to have
fixed it, no one else has claimed otherwise, and it's better than
nothing. (References:
http://www.netsys.com/firewalls/firewalls-9512/0442.html
http://www.geek-girl.com/bugtraq/1995_4/0138.html ).

So here is a reminder to Windows application programs that you can
use WNetCachePassword and WNetGetCachedPassword, which in some
documentation MS calls the Master Password API.

Indeed.

And for admins who wish to prevent user machines from caching
passwords the following Win9x REG file may be useful:

   REGEDIT4

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
   "DisablePwdCaching"=dword:00000001

Apply that to a client machine then nuke all PWL files in the Windows
dir and you need not worry whether future vulnerabilities might open
you to exposure from cached passwords.

I imagine there is something similar for NT.  Anyone know the
details?


Regards,

Nick FitzGerald
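As an added example, not part of this post or the thread, here is a small Python parser for the REGEDIT4 file format used above. An admin pushing the policy to many clients can use it to confirm that a .reg file really sets `DisablePwdCaching` to 1 under the Win9x network policy key before applying it. The sample file is constructed: it contains the post's own key plus a made-up second key (`HKEY_LOCAL_MACHINE\SOFTWARE\Example\Constructed`) to show that more than one section is handled. Only quoted string values and `dword:` values are decoded, which is all the post's file needs; other value types are kept as raw text.

```python
import re

# Constructed sample: the Win9x REG file from the post, plus a second
# made-up key so that multi-section parsing is exercised.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Constructed]
"Comment"="not a real key"
"Flag"=dword:00000000
"""

# The policy key named in the post.
NETWORK_POLICY_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"
)

# "Name"=data  (data is either "string" or dword:XXXXXXXX here)
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_regedit4(text):
    """Parse REGEDIT4 text into {key_path: {value_name: value}}.

    dword values become ints, quoted strings become str, anything else
    is kept as the raw text after '='.  Blank lines and ';' comments
    are skipped.  Raises ValueError on a file that is not REGEDIT4 or
    on a value line that appears before any [key] header.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    keys = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value outside any key: %r" % line)
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1]
        else:
            value = data
        keys[current][name] = value
    return keys


def pwd_caching_disabled(reg):
    """True only if the parsed file sets DisablePwdCaching=1 under the
    Win9x network policy key (the setting the post recommends)."""
    return reg.get(NETWORK_POLICY_KEY, {}).get("DisablePwdCaching") == 1


if __name__ == "__main__":
    parsed = parse_regedit4(SAMPLE_REG)
    for key, values in parsed.items():
        print(key)
        for name, value in values.items():
            print("  %s = %r" % (name, value))
    print("password caching disabled:", pwd_caching_disabled(parsed))
```

Registry key names are case-insensitive on Windows but the parser compares them literally, so a file that spells the key path in a different case would need normalising before the check; that is deliberate here to keep the example short.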


