Re: encrypting Autologon credentials?
From: wirepair (wirepair_at_roguemail.net)
Date: 02/05/04
- Previous message: Rob Shein: "RE: password cracking a web form, tried hydra and brutus"
- In reply to: Rob Shein: "RE: encrypting Autologon credentials?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Rob Shein" <shoten@starpower.net>, "'wirepair'" <wirepair@roguemail.net>, <pen-test@securityfocus.com> Date: Wed, 04 Feb 2004 19:51:20 -0800
True, but if i own Server A. which has uses an administrator/password (domain admin maybe) autologon but say a very strong
password
which would take 45 days to crack and the password policy is 30 days. If an attacker were to own the server which doesn't
have autologon they would obviously need 45 days to crack the password. In 30 days the password would be useless so this scenario
is ok. But with autologin, i own the server get the administrator password and immediately have access to probably a lot more
machines... Thats my thought anyways.
I imagine most people are thinking, who the heck would use the domain admin credentials in autologin? More than you want to
believe.
Anyways, my 'recommendation' was to create a new administrator account for autologon. Then disable 'Allow access over the
network.'
-wire
On Wed, 4 Feb 2004 16:43:37 -0500
"Rob Shein" <shoten@starpower.net> wrote:
>I'm thinking that the general idea is that if someone's going to use
>autologon in the first place, you're not throwing much of a speedbump up by
>encrypting the password in the registry. If the registry is
>network-accessible without authentication, the machine is pretty vulnerable;
>if it's not, then the attacker needs access to the machine itself, and
>again, the machine is already logged in and therefore pretty vulnerable.
>
>> -----Original Message-----
>> From: wirepair [mailto:wirepair@roguemail.net]
>> Sent: Wednesday, January 28, 2004 3:40 PM
>> To: pen-test@securityfocus.com
>> Subject: encrypting Autologon credentials?
>>
>>
>> lo all,
>> I'm curious if anyone has ever seen anything on encrypting
>> the "Autologon" feature of Windows. I know its a terrible
>> practice to keep it in the cleartext in the registry so I was
>> curious if anyone has tried to make this feature more secure.
>> I did some google searches but turned up with nada. Any info
>> appreciated, -wire
>> --
>> Visit Things From Another World for the best
>> comics, movies, toys, collectibles and more.
>> http://www.tfaw.com/?qt=wmf
>>
>>
>> --------------------------------------------------------------
>> -------------
>> --------------------------------------------------------------
>> --------------
>>
>>
>
-- Visit Things From Another World for the best comics, movies, toys, collectibles and more. http://www.tfaw.com/?qt=wmf --------------------------------------------------------------------------- ----------------------------------------------------------------------------
- Previous message: Rob Shein: "RE: password cracking a web form, tried hydra and brutus"
- In reply to: Rob Shein: "RE: encrypting Autologon credentials?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
