Re: Security of Credentials Stored in Service Control Manager


Comments are in-line.

There are a couple of utilities around that can tell you if a system is
storing passwords insecurely. Korben's RockXP is one. has some more.

Basically, no password stored within Windows is entirely secure. We
this a while back when RockXP appeared, and we found that the POP3 or
passwords - which users were storing in IE for their convenience - could
easily be revealed by this, and as the same passwords were used for
fileserver-logon this created a very dangerous loophole, whereby anyone
allowed access to a laptop for a few minutes could 'harvest' a
network-password from it.

Most of these tools will require administrator privileges to run -- so, as so
many times before -- don't let users run as administrators. You can't protect
computers against administrators.

No system is secure if you have physical access to it (it doesn't matter what
it is running. For the sake of this post -- take for example routers. As
long as I have physical access to them I "own" them).
Becoming an administrator still takes at least a few minutes and at least one
reboot (hence the physical access). So don't leave laptops (or other
computers) unattended. Personally, when I travel or work with my laptop at a
customer site, I lock it to the desk with an appropriate chain.

If this laptop was mine or I was working for this company as e.g. a security
consultant - my recommendation would be to try and avoid storing such data
on the laptop in the first place and use other means of access to the data that
is sitting safely in e.g. a server room.

Users will gripe, but the best answer is not to let them store passwords.
Make them type them in.

Different applications store passwords in different ways. Some are safe and
the others are not.

The other option is to write a small program that decrypts the password
a local file, and injects it into the SQL logon. That way you're using your
own encryption, which (even if very simple) is much more secure than a
standardised algorithm.

This is such a load of bollocks that I am not even going to comment on it ;-).
I would love to see you explain this to an auditor. ;-)
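As an added example, not part of the original thread, here is a read-only PowerShell audit for the two points above: which services have an explicitly configured account (so the Service Control Manager holds a stored password for them), and who is in the local Administrators group. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets and `Get-LocalGroupMember` available, and must be run in an elevated session to see every service.

```powershell
# Added example (not from the original thread). Read-only audit of
# stored service credentials and local administrator membership.

# Built-in service accounts have no password held by the SCM.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Services whose StartName is a real user account: the SCM must store
# a secret for these, which is what the thread is worried about.
$storedCredServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtIn -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*') -and   # virtual accounts: no stored password
        ($_.StartName -notlike '*$')                  # (g)MSA accounts: password managed by AD
    }

"== Services running under an explicit account (stored credential) =="
$storedCredServices |
    Select-Object Name, StartName, StartMode, State, PathName |
    Sort-Object StartName |
    Format-Table -AutoSize
"{0} service(s) with a stored credential" -f @($storedCredServices).Count

# "Don't let users run as administrators": list who actually can.
"== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Any service listed in the first table is one whose password a local administrator on that machine could recover, so each entry is a candidate for a virtual or managed service account rather than a shared human password.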

