Fwd: Caching of passwords revealed after installing SP6

[ews () TELLURIAN NET (Eric Schultze)]

> Approved-By: mark () NTSHOP NET
> X-Mailer: Internet Mail Service (5.5.2650.21)
> Date:         Sun, 31 Oct 1999 17:00:43 -0500
> Reply-To:     Technical discussions regarding security bugs that pertain 
> to              Microsoft networks <WIN2KSECADVICE () LISTSERV NTSECURITY NET>
> From:         "Noël, Richard" <noel () WANG COM>
> Subject:      Caching of passwords revealed after installing SP6
> To:           WIN2KSECADVICE () LISTSERV NTSECURITY NET
>
> I found something disturbing today.  I installed SP6 on an NT4 SP5 server
> that I've been using as a PPTP client for the past couple of years.  After
> installing SP6, I found that the setting for saving passwords for at least
> PPTP dial-up has been enabled which is a feature I never, never use.  While
> this is bad, the disturbing part revealed by installing SP6 is that even
> though I never used the "Save password" feature with PPTP, my password was
> in fact being cached.  I know this because the first four PPTP dial-up
> connections I tried (i.e. four different PPTP servers) all immediately
> connected and authenticated without prompting me for credentials.  Two
> others failed to connect immediately because the cached password did not
> match the current password for my domain account.
>
> If any of you get a chance, could you pls verify this behavior.
>
> Thanks,
> Richard