Penetration Testing mailing list archives
Re: Testing two bank laptops. winxp vpn client
From: lion nagar <lionbsd () gmail com>
Date: Mon, 13 Feb 2006 01:52:31 +0100
hi, well first they should protect their windows login, as only this user will be able to use the saved vpn connection with the username and password. they should also consider encryption to the whole HDD (safeguard could be used for example) which adds to the protection of the data if the laptop was stolen. they should have a timeout for locking out the laptop 5 minutes should do the less the better :) now if you really want to try ( i am not sure it will work) you can try this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters add a DWORD Value Name: DisableSavePassword Value Type: REG_DWORD Value Data: 1 this should disable to option to save password for dial up connections, i guess it might work for the VPN connection too. however i notice cisco vpn client have the option of saving the password too, which basically make sense if you ask me, for stuff like this i don't like the users to know the passwords for certain services (email for example) imagine the person have to type in a strong password every time, a person behind him can have it or even worse can get a hold of a piece of paper the user wrote on (cause it too complicated for him) together with your vpn server ip. then you won't even notice when something is wrong and you will get compromised, while when the person's laptop was stolen he can call right away to TECH and have his vpn account disabled. hope it helps in a way, LionBSD www.shukipel.com On 2/12/06, Bob WIlliams <sopiaz57 () gmail com> wrote:
Hey All, I have a client who wants two bank laptops tested. I want to do some reasearch on a fix for a problem I know they are vulnerable too. They use the WIN xp VPN client which saves the password, giving someone who steals the laptop an easy way into the corporate network. Does anyone know how I can disable this feature so employees cant save the password? Thanks in advance// ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Testing two bank laptops. winxp vpn client Bob WIlliams (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Rony Romero (Feb 13)
- Re: Testing two bank laptops. winxp vpn client Skip Carter (Feb 24)
- Re: Testing two bank laptops. winxp vpn client Rony Romero (Feb 13)
- RE: Testing two bank laptops. winxp vpn client jeremiah (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)
- Re: Testing two bank laptops. winxp vpn client lion nagar (Feb 12)
- Re: Testing two bank laptops. winxp vpn client Thor (Hammer of God) (Feb 12)