Re: RAS 'save password' problems...

[mdolphin () POBOX COM (martin Dolphin)]

At 12:04 AM 3/23/98 -0500, David LeBlanc wrote:
The way to disable this is to use the CachedLogonsCount registry value in
the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry
key.  Default value is 10 if the key doesn't exist.  I keep my set at 1 so
only the first logon is cached.

NT does store the hashes and not clear text.  It store these credentials in
the HKLM\SECURITY\Policy\Secrets area of the registry as NL$1 to NL$10  and
it stores the lanman hash followed by the NT hash followed by 3 bytes of
'status'. (as per Paul Aston's posting to NTBUGTRAQ)  I'd bet that these
hashes are not syskeyed.

> There are also a number of entries corresponding to previous logins by
> users.  There is a way to turn this behavior off, but I don't recall at the
> moment exactly what it is.
>
> Essentially, it is there to allow you to log on if the domain controller
> can't be reached.  I believe it stores hashes rather than clear-text.
>
> The RAS functionality can often be annoying as well - it tends to prompt me
> for my password even when I'm using a script (which of course contains the
> user-password pair in the clear).  Not sure why it thinks it needs it - I
> just leave it blank, but a less astute user would probably type in their
> actual password.
>
>
> David LeBlanc           |Why would you want to have your desktop user,
> dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
>                        |minicomputer-class computing environment?
>                        |Scott McNealy