Re: focus-ms@securityfocus.com

From: Sam Baskinger (sam_at_reefedge.com)
Date: 09/02/03

    To: "fala83@libero.it" <fala83@libero.it>, "focus-ms" <focus-ms@securityfocus.com>
    Date: Mon, 1 Sep 2003 21:11:21 -0400
    
    


    Just as a side note, local password caching need never be to a local file on a
    disk. If the operating system supports "pinning" memory pages (as WinNT and
    after all do) then a password may be put into a pinned page. The password
    may then be read from that page via some method of IPC.

    The benefit of this is that a pinned page is never swapped out of memory so
    an attacker cannot remove the HD and check the swap space. The password is
    lost when the process owning that page dies (or the computer is forcibly
    powered off).

    Note that for the user to not need to enter a passphrase for every Kerberos
    ticket issued, Kerberos must use some sort of credential caching.

    I am fairly sure (though not 100%) that Windows does not cache in local files
    any sort of network security credentials.

    Hope this is helpful!

    Sam

    On Saturday 30 August 2003 04:49, fala83@libero.it wrote:
    > In my opinion a system wouldn't cache password locally.
    > E.g. Sysadmin logs in into a workstation and password will be stored
    > locally. An attacker could retrieve his password and login into the whole
    > network with administrative privileges. It is not completely safe.
    > I'd rather prefer to use Kerberos, using his tickets to access network
    > resource without caching password.
    > Anyway if the password must be stored locally, it must be!
    >
    > >Todd Shubert wrote:
    > >
    > > What exactly is the "right security policy"? Wouldn't not storing the
    > > password provide problems for users, specifically laptop users, that
    > > require the use of cached credentials?
    >
    > ---------------------------------------------------------------------------
    > KaVaDo provides the first and only integrated Web application scanner and
    > firewall security suite that prevent Web applications attacks, the most
    > common form of online exploitation. Download a FREE whitepaper on Security
    > Policy Automation for Web Applications.
    > http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    > ---------------------------------------------------------------------------

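The pinned-page credential cache described above, as an added example that is not from the thread: a C helper built on POSIX mlock() (VirtualLock is the Windows counterpart) that pins the pages holding a secret, refuses to store it at all if pinning fails, and wipes them before release. It assumes the consumer runs in the same process, so the IPC read-out is just a copy; pinning keeps the page out of swap, but not out of a hibernation file or the reach of a debugger running with the owner's privileges.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A secret held only in pinned (non-swappable) pages; Windows: VirtualLock. */
typedef struct { unsigned char *buf; size_t len, alloc; } pinned_secret;

/* Zero through volatile stores so the optimizer cannot drop the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Allocate whole pages, pin them with mlock(), then copy the secret in.
 * Fails closed: if pinning is refused (e.g. RLIMIT_MEMLOCK), nothing is stored. */
int pinned_secret_store(pinned_secret *s, const void *secret, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    void *mem = NULL; s->buf = NULL; s->len = s->alloc = 0;
    if (page <= 0 || len == 0) return -1;
    s->alloc = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (posix_memalign(&mem, (size_t)page, s->alloc) != 0) return -1;
    if (mlock(mem, s->alloc) != 0) { int e = errno; free(mem); errno = e; return -1; }
#ifdef MADV_DONTDUMP
    madvise(mem, s->alloc, MADV_DONTDUMP);  /* Linux: also keep it out of core dumps */
#endif
    memcpy(mem, secret, len);
    s->buf = mem; s->len = len;
    return 0;
}

/* Copy the secret out for a consumer (the post's IPC channel would sit here);
 * the caller must wipe its own copy after use. Returns bytes copied. */
size_t pinned_secret_read(const pinned_secret *s, void *out, size_t outlen) {
    size_t n = s->len < outlen ? s->len : outlen;
    if (n) memcpy(out, s->buf, n);
    return n;
}

/* Wipe, unpin and release: the secret is gone when its owner drops it. */
void pinned_secret_destroy(pinned_secret *s) {
    if (!s->buf) return;
    secure_wipe(s->buf, s->alloc);
    munlock(s->buf, s->alloc);
    free(s->buf);
    s->buf = NULL; s->len = s->alloc = 0;
}
```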

