Re: Security of Credenitals Stored in Service Control Manager


Comments are in-line.

There are a couple of utilities around that can tell you if a system is
storing passwords insecurely. Korben's RockXP is one. has some more.

Basically, no password stored within Windows is entirely secure. We
this a while back when RockXP appeared, and we found that the POP3 or
passwords - which users were storing in IE for their convenience - could
easily be revealed by this, and as the same passwords were used for
fileserver-logon this created a very dangerous loophole, whereby anyone
allowed access to a laptop for a few minutes could 'harvest' a
network-password from it.

Most of these tools will require administrator privileges to run -- so as so
many time before -- don't let users run as administrators. You can't protect
computers against administrators.

No system is secure if you have physical access to (it doesn't matter what
it is running. For the sake of this post -- take for example routers. As
long as I have physical access to them I "own" them).
Becoming an administrators still takes at least few minutes and at least one
reboot (hence the physical access). So don't leave laptops (or other
computers) unattended. Personally when I travel or work with my laptop at
customer site I lock it to the desk with appropriate chain.

If this laptop was mine or I was working for this company as e.g. security
consultant - my recommendation would be to try and avoid storing such data
on laptop in the first place and use other means of access to the data that
is sitting safely in e.g. server room.

Users will gripe, but the best answer is not to let them store passwords.
Make them type them in.

Different applications store passwords in different ways. Some are safe and
the others are not.

The other option is to write a small program that decrypts the password
a local file, and injects it into the SQL logon. That way you're using
own encryption, which (even if very simple) is much more secure than a
standardised algorithm.

This is such a load of bollocks that I am not even going to comment on ;-).
I would love to see you explain this to an auditor. ;-)