Friday, January 10, 2003

System Policies for the Windows network passwords caching management

mad hack

The article is dedicated to the System Policies, which controls the network passwords caching in Windows 95/98/ME.

The problem of passwords caching, on the other hand, their storage on the local drive, and concerning this the security threat, appeared in Windows for Workgroups 3.11 and still exists in 32-bit Windows. The files with "*.PWL" extensions, which were used to store the enciphered local copies of passwords used for access to the network and net resources in Windows for Workgroups 3.11, passed to the 32-bit Windows versions: 95/98/ME.

The Microsoft realisation of DES algorithm, which enciphers the password, was compromised several times. Discussion of this is out of frames of this article, dedicated to the Windows administering there were published a lot of articles and utilities breaking the weak cryptographic defense.

These files are created in the folder, where the Windows was installed. This folder will be the booting one. Soon of all, this directory will be "C:\Windows" for Windows 9.X/ME. If this folder was renamed, it is possible to determine its location simultaneously with all environmental variables through typing "set" in DOS command prompt. The environmental variable "windir" reveals the sought path. The passwords are cached to the files named USERNAME.PWL, where "USERNAME" is user named given while logging on or accessing the resource.

Besides, the list of files for cached passwords copies is kept in the in "System.ini" initialisation file, which is also stored in Windows boot directory. The section "[Password Lists]" is created in this file, where are stored the strings like "USERNAME =C:\WINDOWS\USERNAME.PWL", "User name=full file name with cached password". When user registers in the system, Windows check this list containing the references to the files with passwords. First eight letters of user name are taken to form the file name. If the file with such a name exits, it is overwritten.

Microsoft solved partially the problem of weak cryptographic algorithm released the Service Pack 1 for Windows 95 and updated version of Windows 95 OSR1 (OEM Service Release 1). The key length was enhanced from 32 bit to 128.

The Windows 9.X and ME operating system can be classified as D class of protection according to the "Orange Book". In them it is possible to stroke simply the Esc key or Cancel button in order to bypass the password dialog box, on condition that the system is not a part of domain and not demanded the obligatory verification procedure. The password in Windows 9.X/ME is necessary for the network resources access and not crucial for the boot of very operating system. On the other hand, they can be classified as systems allowing "the open and not restricted access". The protection of client machines working under Windows 9.X/ME control can not be even compared with the protection of servers. The breakers are ruled with the same "admissible hypothesis", to attack them, gaining later the access to the protected resources.

Microsoft offers the next system policies as one of the partial solution to this problem.

Disable Password Caching

This system policy disables the network passwords caching. When it is in active state, the passwords are not cached, but user is to enter the password each time while attempting to access the password-protected resource. "By default" the policy is disabled in the system.

Its state is represented with the pair of Boolean values, which is stored in "DisablePwdCaching" parameter, in the "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network" system registry key. Although, the type DWORD is recommended for this value in MSDN, this policy will work in Windows 95/98/ME with "DisablePwdCaching" value of binary type. DWORD-value takes "1" and "0", the binary - "01 00 00 00" and "00 00 00 00". The first of pair of values stands for the active state of the policy. The missing of value in the system registry sets the policy to disabled state.

This key is located in HKEY_LOCAL_MACHINE hive and the range of this policy covers not the Current User, but all the system (Local Machine). When it is enabled, the "Change Windows Password" password is blocked in the "Passwords" applet in "Control Panel", showing that the passwords can not be changed. The second dialog box for the confirmation of new password is also disappeared.

If the persistent connections with the password-protected resources are created, then after enabling the policy, the Quick Logon feature for the Microsoft network client can not be used effectively, when there is no automatic verification that all network connections are ready, but network connections are restored while they are required.

"Disable Password Caching" does not erase the file list in "System.ini". The files with "*.PWL" are also remained and, and they must be deleted manually, if needed.

The active state of this policy has an effect for the caching of passwords, which are entered in the forms of browser Internet Explorer, when the AutoComplete is enabled. The cached passwords are "lost" after the system reboot, notwithstanding the states of check boxes "Prompt me to save passwords" and "User names and passwords on forms" which control the password caching in browser. These boxes are on the "Content" page in "Personal information" in browser "Internet Options (Properties)".

Disable Domain Password Caching

While in active state this system policy disables the caching of the passwords for the access to domain or domain network resources.

The numeric "NoDomainPwdCaching" value, located in "Network\Logon" key, in HKEY_LOCAL_MACHINE system registry hive, stands for its representation. The range of the policy covers all the system. The "1" value brings it to enabled state, "0" or absence - to disabled. "By default" the policy is not present in the system.

The implementation in Activity and Authentication Analyzer

In order to see the state of above-mention policy "Disable Password Caching" or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, then Passwords and find it in the right list item corresponding to this policies named:

  • Disable Password Caching

No comments:

Post a Comment

Activity and Authentication Analyzer history

"Activity and Authentication Analyzer" takes into account what system policies and what histories of user activity are inherent in...