Re: How secure is EAPOL registry key?

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 10/28/03

    Date: Tue, 28 Oct 2003 22:43:59 +1100
    
    

    Using local account? Never seen that, find it hardly possible... Maybe all
    laptops are members of a domain and AuthType is set to 2 so that only
    computer authentication happens?

    Closer to the point: EAPOL doesn't exactly contain user name and password; I
    don't believe you can copy the key across to another computer and have
    access granted (I'll test). Unless special measures are implemented,
    physical access to the computer gives full admin access to the system
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;818200) and
    consequently can connect to the network. Mitigation? Implement a procedure for
    reporting lost/stolen/compromised computers similar to that used for credit
    cards - with the computer account immediately disabled and later on possibly
    re-created from scratch.

    -- 
    Svyatoslav Pidgorny, MVP, MCSE
    -= F1 is the key =-
    "Tim Guy" <tim@hurtwood.demonREMOVE.SPAM.co.uk> wrote in message
    news:OOy3boTmDHA.1072@TK2MSFTNGP09.phx.gbl...
    > I'm looking at implementing wireless 802.1x into a site where the laptops do
    > not belong to the infrastructure supplier.
    >
    > I was going to use PEAP with a domain user and password created for the
    > computer not for the user.
    >
    > The infrastructure IT dept will put the username, password and root CA into
    > the laptop for the laptop owner and then the user continues to use the
    > laptop with the local account.
    >
    > The problem is how secure is the EAPOL reg key where the PEAP username and
    > password are kept. If I look with regedit it seems to be encrypted but I'm
    > not sure if it could be brute forced or not.
    >
    > If it could I would consider using certificates but I can also see that with
    > an open laptop these certificates could be exported and imported into another
    > laptop thus making that pretty pointless too.
    >
    > Any thoughts?
    >
    > Tim
    >
    >
    
