CVE-2007-2229: Administrator passwords are stored somewhere?!

Posted by Ian Boyd on June 12, 2007, 7:00 pm
http://www.microsoft.com/technet/security/bulletin/ms07-032.mspx

As given in a security update today:

"There is an information disclosure vulnerability in Windows Vista that
could allow non-privileged users to access local user information data
stores including administrative passwords contained within the registry and
local file system."

What the hell? Passwords are stored anywhere? This must be worded wrong.
There is no way that a password is stored anywhere. The only thing that
Windows has is the password's NTLM hash. Maybe some poorly designed 3rd
party application stored passwords as clear-text, but few people are dumb
enough to do that.


So what is this security update addressing?


Posted by Ian Boyd on June 13, 2007, 9:45 am
It's possible for me to take a hard drive out of a PC, sector edit it and
get the passwords, boot up, login, and access the EFS encrypted files?

> "...could allow...users to access...administrative passwords contained
> within the registry and local file system."



Posted by Roger Abell [MVP] on June 14, 2007, 12:28 am
> It's possible for me to take a hard drive out of a PC, sector edit it and
> get the passwords, boot up, login, and access the EFS encrypted files?
>
>> "...could allow...users to access...administrative passwords contained
>> within the registry and local file system."
>

If the passwords are there, that would be feasible. One at
that point could also just take and crack against the SAM if
it is machine local accounts involved.

Like yourself, I am thinking it is a tech-writer looseness with
the language, where they may have better said the password
hashes are stored. I have not had time to try to see if there is
any clarification on precisely what that language is addressing,
perhaps soon.

Roger




Posted by Roger Abell [MVP] on June 19, 2007, 1:44 am
> It's possible for me to take a hard drive out of a PC, sector edit it and
> get the passwords, boot up, login, and access the EFS encrypted files?
>
>> "...could allow...users to access...administrative passwords contained
>> within the registry and local file system."
>
>

Ian, Just FYI on this. The description is intended to include the
fact that applications can and do cause credentials to be cached.
This is not intended to say that defining an account or logging in
with the account would cause the password to be recoverable
from the filesystem or registry.

Roger



Posted by Ian Boyd on June 19, 2007, 11:10 am
> Ian, Just FYI on this. The description is intended to include the
> fact that applications can and do cause credentials to be cached.
> This is not intended to say that defining an account or logging in
> with the account would cause the password to be recoverable
> from the filesystem or registry.

The only credential I care about is my Windows NT account password. And the
only application that asks for that is NTLogon/Gina. Surely Gina isn't
storing my password anywhere, not even in an encrypted form.

The only form that my password should be in is the NTLM hash. No other form
is acceptable, including
- LM hash
- SHA1 hash
- RSA encrypted
- CAST128 encrypted
- AES encrypted

If it's the password cache for web-sites or my e-mail, that's okay; those
have to be stored in reversible encryption - but they are encrypted with a
key that is encrypted with my NT password.


In other words, what's the security hole that was fixed? ACLing a password
cache is not security - the password cache being encrypted is the security.


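The key hierarchy Ian describes above (cached secrets encrypted under a random key, which is itself wrapped by a key derived from the account password) as an added, constructed illustration; this is not code from the thread or from Windows. It assumes PBKDF2 for the password-derived key and uses an HMAC-based stream cipher with a tag purely so it runs on the standard library; a real implementation would use DPAPI or AES-GCM.

```python
import hashlib
import hmac
import os

def kek_from_password(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the account password (UTF-16LE, as Windows encodes it).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Without the key the blob is opaque,
    # no matter what ACL the file carries.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered cache")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def create_cache(password: str, secrets: bytes) -> dict:
    # On-disk cache: a random DEK encrypts the secrets; only the DEK is wrapped by the KEK.
    salt, dek = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_dek": seal(kek_from_password(password, salt), dek),
            "secrets": seal(dek, secrets)}

def read_cache(password: str, cache: dict) -> bytes:
    dek = open_sealed(kek_from_password(password, cache["salt"]), cache["wrapped_dek"])
    return open_sealed(dek, cache["secrets"])

def cache_opens_with(password: str, cache: dict) -> bool:
    try:
        read_cache(password, cache)
        return True
    except ValueError:
        return False

def change_password(old: str, new: str, cache: dict) -> dict:
    # A password change re-wraps the DEK only; the encrypted secrets are untouched.
    dek = open_sealed(kek_from_password(old, cache["salt"]), cache["wrapped_dek"])
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(new, salt), dek),
            "secrets": cache["secrets"]}
```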
