Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Win2KSecurity Advice> 1999-q4

NTSecAdvice Archives: Re: Caching of passwords revealed after i

Re: Caching of passwords revealed after installing SP6

Steve Manzuik (smanzuikNTSECADVICE.COM)
Mon, 1 Nov 1999 10:30:09 -0700

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Noël, Richard: "Re: Caching of passwords revealed after installing SP6"
Previous message: MWeerenWE-WE.DE: "Windows 2000, IIS 5, SSL,PKI, Kerberos"
Next in thread: Noël, Richard: "Re: Caching of passwords revealed after installing SP6"

-----Original Message-----
From: Microsoft Product Security Response Team
[mailto:securemicrosoft.com]
Sent: Monday, November 01, 1999 10:08 AM
To: 'noelwang.com'
Cc: 'smanzuikntsecadvice.com'
Subject: RE: Caching of passwords revealed after installing SP6

Hi Richard -

Thanks for your note. I'll find out how to clear the credential cache and
get the info to you soonest. We did consider clearing the cache as part of
SP6 installation, but the problem is that the vast majority of users choose
to cache their passwords. If we had cleared the cache, it would have been
confusing for these users, as it wouldn't make any sense that they should
need to re-enter their RAS password simply because they installed a new
service pack. I do appreciate the suggestion, though, and I'll get info to
you on clearing the cache right away. Thanks,

Securemicrosoft.com

-----Original Message-----
From: Steve Manzuik [mailto:smanzuiktelusplanet.net]
Sent: Sunday, October 31, 1999 2:42 PM
To: Microsoft Product Security Response Team
Cc: neolwang.com
Subject: FW: Caching of passwords revealed after installing SP6

Noel.

I have forwarded your message to securemicrosoft.com to see if they have
any ideas for you.

Steve Manzuik
Win2K Security Advice

-----Original Message-----
From: Noël, Richard [mailto:noelWANG.COM]
Sent: Sunday, October 31, 1999 3:01 PM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Caching of passwords revealed after installing SP6

I found something disturbing today. I installed SP6 on an NT4 SP5 server
that I've been using as a PPTP client for the past couple of years. After
installing SP6, I found that the setting for saving passwords for at least
PPTP dial-up has been enabled which is a feature I never, never use. While
this is bad, the disturbing part revealed by installing SP6 is that even
though I never used the "Save password" feature with PPTP, my password was
in fact being cached. I know this because the first four PPTP dial-up
connections I tried (i.e. four different PPTP servers) all immediately
connected and authenticated without prompting me for credentials. Two
others failed to connect immediately because the cached password did not
match the current password for my domain account.

If any of you get a chance, could you pls verify this behavior.

Thanks,
Richard

Next message: Noël, Richard: "Re: Caching of passwords revealed after installing SP6"
Previous message: MWeerenWE-WE.DE: "Windows 2000, IIS 5, SSL,PKI, Kerberos"
Next in thread: Noël, Richard: "Re: Caching of passwords revealed after installing SP6"

This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 11:27:58 CST