Penetration Testing mailing list archives
Re: Testing two bank laptops. winxp vpn client
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 12 Feb 2006 18:48:55 -0800
Cached credentials are not the same thing as a saved password for VPN connections. The number of cached creds to save in the LSA do not affect the "Save Password" option for MS VPN clients at all.
See my earlier email for the reg hack to disable saving the password on an RRAS connection.
t ----- "I don't want their respect, I want their obedience." Dr. Thomas W. Shinder, M.D.----- Original Message ----- From: "jeremiah" <jeremiah () nur net>
To: "'Bob WIlliams'" <sopiaz57 () gmail com>; <pen-test () securityfocus com> Sent: Sunday, February 12, 2006 11:42 AM Subject: RE: Testing two bank laptops. winxp vpn client
Disable cached credentials via a domain Group Policy Object. The best wayto do this is by creating a container group for the laptop machine accountsin the domain. Caveats? The user will have to login via a RAS connection. The other alternative is two-factor auth, which will allow safe use of cached creds."To turn off cached credentials, use a Group Policy Object (GPO) to set thenumber of cached credentials to zero. Users can still log on using local user accounts, but in most environments, it's unusual for users to havelocal user accounts on their clients. You might consider changing the cachedcredential setting only for desktop computers, as laptop users may have a legitimate need to log on when they can't contact a DC." http://www.mcpmag.com/columns/print.asp?EditorialsID=658 More here: http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account- Lockout.html http://www.windowsdevcenter.com/pub/a/windows/2004/05/18/ug_caching.html http://www.windowsdevcenter.com/pub/a/windows/2004/05/18/ug_caching.html-----Original Message----- From: Bob WIlliams [mailto:sopiaz57 () gmail com] Sent: Sunday, February 12, 2006 9:34 AM To: pen-test () securityfocus com Subject: Testing two bank laptops. winxp vpn client Hey All, I have a client who wants two bank laptops tested. I want to do some reasearch on a fix for a problem I know they are vulnerable too. They use the WIN xp VPN client which saves the password, giving someone who steals the laptop an easy way into the corporate network. Does anyone know how I can disable this feature so employees cant save the password? Thanks in advance// -------------------------------------------------------------------------- ---- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------- ----------------------------------------------------------------------------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Testing two bank laptops. winxp vpn client Bob WIlliams (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Rony Romero (Feb 13)
- Re: Testing two bank laptops. winxp vpn client Skip Carter (Feb 24)
- Re: Testing two bank laptops. winxp vpn client Rony Romero (Feb 13)
- RE: Testing two bank laptops. winxp vpn client jeremiah (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)
- Re: Testing two bank laptops. winxp vpn client lion nagar (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)