Virus.Org Mailing List Archive




Re: encrypting Autologon credentials?

  • To: "Rob Shein" <[EMAIL PROTECTED]>, "'wirepair'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: Re: encrypting Autologon credentials?
  • From: "wirepair" <[EMAIL PROTECTED]>
  • Date: Wed, 04 Feb 2004 19:51:20 -0800
  • In-reply-to: <[EMAIL PROTECTED]>
True, but if I own Server A, which uses an administrator/password (domain admin maybe) autologon but say a very strong password which would take 45 days to crack and the password policy is 30 days. If an attacker were to own the server which doesn't have autologon they would obviously need 45 days to crack the password. In 30 days the password would be useless so this scenario is ok. But with autologin, I own the server, get the administrator password and immediately have access to probably a lot more machines... That's my thought anyways. I imagine most people are thinking, who the heck would use the domain admin credentials in autologin? More than you want to believe. Anyways, my 'recommendation' was to create a new administrator account for autologon. Then disable 'Allow access over the network.'
-wire


On Wed, 4 Feb 2004 16:43:37 -0500
 "Rob Shein" <[EMAIL PROTECTED]> wrote:
I'm thinking that the general idea is that if someone's going to use
autologon in the first place, you're not throwing much of a speedbump up by
encrypting the password in the registry. If the registry is
network-accessible without authentication, the machine is pretty vulnerable;
if it's not, then the attacker needs access to the machine itself, and
again, the machine is already logged in and therefore pretty vulnerable.

-----Original Message-----
From: wirepair [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: encrypting Autologon credentials?


lo all,
I'm curious if anyone has ever seen anything on encrypting the "Autologon" feature of Windows. I know it's a terrible practice to keep it in the cleartext in the registry so I was curious if anyone has tried to make this feature more secure. I did some Google searches but turned up with nada. Any info appreciated,
-wire
----------------------------------------------------------------------------
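An audit check for the two risks raised in this thread (a cleartext autologon password in the registry, and autologon configured with a domain account rather than a dedicated local one), added here as an example and not part of any message in the thread. It parses saved `reg query` output for the Winlogon key; the value names `AutoAdminLogon`, `DefaultUserName`, `DefaultDomainName` and `DefaultPassword` are the standard Winlogon values and are not named in the thread, and the host names, accounts and dumps are constructed.

```python
import re

# Matches one value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample dumps of the Winlogon key (hosts, accounts, secrets invented).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DOMAIN_DUMP = KEY + r"""
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    administrator
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    constructed-sample-secret
"""
LOCAL_DUMP = KEY + r"""
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk-autologon
    DefaultDomainName    REG_SZ    SRV-A
    DefaultPassword    REG_SZ    constructed-sample-secret
"""

def parse_reg_query(text):
    """Parse `reg query` output for one key into {lowercased name: data}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def audit_autologon(text, computer_name):
    """Return findings for the autologon risks discussed in the thread."""
    v = parse_reg_query(text)
    if v.get("autoadminlogon") != "1":
        return []  # autologon is not enabled on this host
    user = v.get("defaultusername", "")
    domain = v.get("defaultdomainname", "")
    findings = [f"autologon enabled for {domain}\\{user}"]
    if v.get("defaultpassword"):
        # Report presence only; never echo the secret into audit output.
        findings.append("cleartext DefaultPassword stored in registry")
    if domain and domain.lower() not in (computer_name.lower(), "."):
        findings.append("autologon account is a domain account, not local")
    return findings

if __name__ == "__main__":
    for label, dump in (("domain", DOMAIN_DUMP), ("local", LOCAL_DUMP)):
        print(label, audit_autologon(dump, "SRV-A"))
```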


 
Copyright (c) Virus.Org 1997-2006.