Bugtraq mailing list archives

Fwd: Caching of passwords revealed after installing SP6
From: ews () TELLURIAN NET (Eric Schultze)
Date: Sun, 31 Oct 1999 14:24:37 -0800


Approved-By: mark () NTSHOP NET
X-Mailer: Internet Mail Service (5.5.2650.21)
Date:         Sun, 31 Oct 1999 17:00:43 -0500
Reply-To:     Technical discussions regarding security bugs that pertain to Microsoft networks <WIN2KSECADVICE () LISTSERV NTSECURITY NET>
From:         "Noël, Richard" <noel () WANG COM>
Subject:      Caching of passwords revealed after installing SP6
To:           WIN2KSECADVICE () LISTSERV NTSECURITY NET

I found something disturbing today.  I installed SP6 on an NT4 SP5 server
that I've been using as a PPTP client for the past couple of years.  After
installing SP6, I found that the setting for saving passwords for at least
PPTP dial-up has been enabled which is a feature I never, never use.  While
this is bad, the disturbing part revealed by installing SP6 is that even
though I never used the "Save password" feature with PPTP, my password was
in fact being cached.  I know this because the first four PPTP dial-up
connections I tried (i.e. four different PPTP servers) all immediately
connected and authenticated without prompting me for credentials.  Two
others failed to connect immediately because the cached password did not
match the current password for my domain account.

If any of you get a chance, could you please verify this behavior?

Thanks,
Richard

