Re: Caching of passwords revealed after installing SP6
Ian Vaudrey (IVaudrey@EXCHANGE.TALK-RADIO.CO.UK)
Mon, 1 Nov 1999 06:49:12 -0000
- Next message: Mark: "Ongoing MDAC Attacks Against IIS"
- Previous message: Mark: "Re: IIS Denial of Service?"
- In reply to: Chris: "Re: IIS Denial of Service?"
- Next in thread: Noël, Richard: "Re: Caching of passwords revealed after installing SP6"
Caching passwords, even though that option has never been selected, is a
known RAS/RRAS 'feature'. A hotfix was released for it back in May and has
been incorporated into SP6; you need to 'unsave password' after installing
either of these.
See http://support.microsoft.com/support/kb/articles/Q230/6/81.ASP and
http://support.microsoft.com/support/kb/articles/Q233/3/03.ASP
- Ian
> -----Original Message-----
> From: "Noël, Richard" [mailto:noel@WANG.COM]
> Sent: 31 October 1999 22:01
> To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
> Subject: Caching of passwords revealed after installing SP6
>
>
> I found something disturbing today. I installed SP6 on an NT4 SP5 server
> that I've been using as a PPTP client for the past couple of years. After
> installing SP6, I found that the setting for saving passwords for at least
> PPTP dial-up has been enabled, which is a feature I never, never use. While
> this is bad, the disturbing part revealed by installing SP6 is that even
> though I never used the "Save password" feature with PPTP, my password was
> in fact being cached. I know this because the first four PPTP dial-up
> connections I tried (i.e. four different PPTP servers) all immediately
> connected and authenticated without prompting me for credentials. Two
> others failed to connect immediately because the cached password did not
> match the current password for my domain account.
>
> If any of you get a chance, could you pls verify this behavior.
>
> Thanks,
> Richard
>
This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 01:08:23 CST