Re: encrypting Autologon credentials?

["wirepair" <wirepair () roguemail net>]

True, but if i own Server A. which has uses an administrator/password (domain admin maybe) autologon but say a very strong 
password 
which would take 45 days to crack and the password policy is 30 days. If an attacker were to own the server which doesn't
have autologon they would obviously need 45 days to crack the password. In 30 days the password would be useless so 
this scenario
is ok. But with autologin, i own the server get the administrator password and immediately have access to probably a lot more 
machines... Thats my thought anyways.
I imagine most people are thinking, who the heck would use the domain admin credentials in autologin? More than you want to 
believe.
Anyways, my 'recommendation' was to create a new administrator account for autologon. Then disable 'Allow access over the 
network.'
-wire


On Wed, 4 Feb 2004 16:43:37 -0500
 "Rob Shein" <shoten () starpower net> wrote:
> I'm thinking that the general idea is that if someone's going to use
> autologon in the first place, you're not throwing much of a speedbump up by
> encrypting the password in the registry. If the registry is
> network-accessible without authentication, the machine is pretty vulnerable;
> if it's not, then the attacker needs access to the machine itself, and
> again, the machine is already logged in and therefore pretty vulnerable.
>
> > -----Original Message-----
> > From: wirepair [mailto:wirepair () roguemail net] 
> > Sent: Wednesday, January 28, 2004 3:40 PM
> > To: pen-test () securityfocus com
> > Subject: encrypting Autologon credentials?
> >
> >
> > lo all,
> > I'm curious if anyone has ever seen anything on encrypting 
> > the "Autologon" feature of Windows. I know its a terrible 
> > practice to keep it in the cleartext in the registry so I was 
> > curious if anyone has tried to make this feature more secure. 
> > I did some google searches but turned up with nada. Any info 
> > appreciated, -wire
> > --
> > Visit Things From Another World for the best
> > comics, movies, toys, collectibles and more. 
> > http://www.tfaw.com/?qt=wmf
> >
> >
> > --------------------------------------------------------------
> > -------------
> > --------------------------------------------------------------
> > --------------

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf

---------------------------------------------------------------------------
----------------------------------------------------------------------------