Friday, November 8, 2002

Policies for managing password caching in Internet Explorer

mad hack

This article describes the system policies that control password caching, in other words the saving of passwords to the local drive, in Internet Explorer.

After a password is entered into a form in Internet Explorer, a dialog box appears asking for additional confirmation of whether or not to save the password. Later, when the same page with the same input form is opened, the password does not have to be entered again. This is password caching.

On the one hand, password caching is an obvious convenience for the user, who may even forget the entered password. On the other hand, it is a serious security threat, because unhindered access to a password-protected resource becomes possible: it is enough to know its exact name. If automatic completion of addresses or forms, so-called AutoComplete, is enabled in Windows or Internet Explorer, the task is reduced to a minimum. The automatic completion feature itself presents a list of items, and by browsing it one can guess the exact name of the resource. A single item offered by automatic completion can be deleted from the list: select the item and then press DEL. However, this does not work for the drop-down list of addresses entered in the Internet Explorer address box.

If one opens "Internet Options (Properties)" in the browser and selects the "Content" tab, one can see the "AutoComplete" button. Clicking this button opens a dialog box with the check boxes that control "Use AutoComplete for": "Web addresses", "Forms", "User names and passwords on forms" and "Prompt me to save passwords". Password caching in Web page forms can be disabled completely with the check box named "User names and passwords on forms". Deselecting the check box "Prompt me to save passwords" disables all further caching, but passwords entered earlier are still suggested automatically when the user name is entered in the same form. Prohibiting password AutoComplete in the settings does not clear the names and corresponding passwords that were entered earlier; for this there are two buttons under "Clear AutoComplete history", located lower in the same dialog box: "Clear Forms" and "Clear Passwords".

A full consideration of the AutoComplete feature is outside the scope of this article. In conclusion I note two facts. First, the AutoComplete settings and stored addresses are shared by Internet Explorer and Windows Explorer. Second, AutoComplete is a good tool for analyzing activity and reconstructing the user's work.

To avoid unnecessary repetition and potential discrepancies caused by differences between browser versions, installed service packs and Windows versions, I must note at once that all the information given here was tested on Windows ME with Internet Explorer 5.5 and the service pack for 128-bit cipher strength installed.

Disable Password Caching

This section describes how to disable password caching in Internet Explorer. This system policy has limited applicability. The information given here concerns Internet Explorer 4.01 with the 2nd service pack installed, Internet Explorer 5 and 5.01 working on Windows 95, 98 and NT 4.0, and Internet Explorer 5.01 for Windows 98 Second Edition. For instance, Internet Explorer 5.5 ignored this policy when tested on Windows ME.

The state of this system policy is stored in the numeric "DisablePasswordCaching" value, which must be in the "Software\Microsoft\Windows\CurrentVersion\Internet Settings" system registry key in the HKEY_CURRENT_USER hive. Accordingly, the scope of the policy is the Current User only, not the whole system. The value "1" enables the policy; the value "0", or the absence of the value, disables it. By default this policy is disabled, and Internet Explorer caches passwords.

Microsoft has published article Q229940 in MSDN, titled "How to Disable Internet Explorer Password Caching".

Do not allow AutoComplete to save passwords

This system policy has a purpose similar to the previous one. While active, it disables automatic completion of names and passwords in Web page forms and prevents the appearance of the dialog boxes asking whether or not to save a new password. If this policy is enabled, the check boxes "User names and passwords on forms" and "Prompt me to save passwords" become dimmed, showing that both these features, and the very possibility of switching them on, are blocked.

To see these check boxes, select the "Content" tab in the "Internet Options (Properties)" settings and then click the "AutoComplete" button.

The value "FormSuggest Passwords", which stores this policy, is located in the "Software\Policies\Microsoft\Internet Explorer\Control Panel" key in the HKEY_CURRENT_USER hive. The scope of this policy is only the Current User registered in the system, not the system as a whole. When the state of the policy is changed, it is not necessary to reboot the system for it to take effect; it is enough to close all instances of the browser and start it again.

It is telling that Microsoft's implementation of this policy causes more than perplexity. The "FormSuggest Passwords" value can be of numeric (DWORD), binary or string type. If the value is missing from the system registry, the policy is in the disabled state, the state "by default". If the value is of numeric type, two Boolean values represent the two states: "1" gives the active state and "0" the disabled state. When the value is of binary type, it can have two possible values: "01 00 00 00" for the active state and "00 00 00 00" for the inactive state.

The strangest reaction of this policy was to the content of a value of string type. The empty string and the contents "yes", "no", "1" and "0" bring the policy to the active state. The strings "true" and "false", or the total absence of the value, cancel its effect. Letter case had no effect.

The active state of the "Do not allow AutoComplete to save passwords" policy does not erase the information already entered into the history, which stores the names and their corresponding passwords.

A last note: the "FormSuggest Passwords" value stored in the "Software\Policies\Microsoft\Internet Explorer\Control Panel" key must not be confused with the value of the same name that can be stored in the "Software\Microsoft\Internet Explorer\Main" key, which may appear in either the HKEY_LOCAL_MACHINE or the HKEY_CURRENT_USER hive. The latter value is a browser setting that stores the state of the check box named "User names and passwords on forms".
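The type-dependent behaviour described above, as an added example that is not part of the original article: a Python sketch that reads a REGEDIT4 text export and reports the state of both Internet Explorer policies. The sample export is constructed and the function names are illustrative; the mapping of values to states is the one the article observed on Windows ME with Internet Explorer 5.5, and anything it did not test is reported as `None`.

```python
import re

# Key paths are from the article, lowercased because registry names ignore case.
POLICY_KEY = r"hkey_current_user\software\policies\microsoft\internet explorer\control panel"
CACHE_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
# Constructed sample export, not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"="no"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"FormSuggest Passwords"="True"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DisablePasswordCaching"=dword:00000001
'''

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = ("dword", int(raw[6:], 16))
        elif raw.startswith("hex:"):   # single-line binary data only
            current[name] = ("binary", bytes.fromhex(raw[4:].replace(",", "")))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = ("string", raw[1:-1])
    return keys

def form_suggest_policy(entry):
    """True = active, False = not active, None = a case the article did not test."""
    if entry is None:
        return False                    # value missing: the default, disabled
    kind, data = entry
    if kind == "dword":
        return {1: True, 0: False}.get(data)
    if kind == "binary":
        return {b"\x01\x00\x00\x00": True, b"\x00\x00\x00\x00": False}.get(data)
    text = data.lower()                 # letter case had no effect
    if text in ("", "yes", "no", "1", "0"):
        return True                     # even "no" and "0" activate the policy
    if text in ("true", "false"):
        return False                    # both strings cancel it
    return None

def audit(text):
    """Report both policies; per the article, IE 5.5 on ME ignored DisablePasswordCaching."""
    keys = parse_reg(text)
    policy = keys.get(POLICY_KEY, {})   # the same name under ...\Main is a browser setting
    cache = keys.get(CACHE_KEY, {})
    return {
        "FormSuggest Passwords": form_suggest_policy(policy.get("formsuggest passwords")),
        "DisablePasswordCaching": cache.get("disablepasswordcaching") == ("dword", 1),
    }
```

For the sample, `audit(SAMPLE)` reports the AutoComplete policy as not active: the string "True" under the policy key cancels it, and the "no" under the Main key is the browser setting, not the policy.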

The implementation in Activity and Authentication Analyzer

To see the state of the above-mentioned "Disable Password Caching" policy or to change it in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Internet Explorer, and find in the right-hand list the item corresponding to this policy, named:

  • Disable Password Caching

To see the state of the above-mentioned "Do not allow AutoComplete to save passwords" policy or to change it in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Internet Explorer, then IE Tools, and find in the right-hand list the item corresponding to this policy, named:

  • Do not allow AutoComplete to save passwords

Thursday, September 12, 2002

System Policies for Password applet of Control Panel

mad hack

This article is dedicated to the system policies for the Passwords applet of Control Panel in Windows 95, 98 and ME.

Passwords in the common sense resemble a key and a lock; when humankind first divided people into its own and strangers, the problem of authentication appeared. Password management is an inseparable part of any system's security rules and, at the same time, the main target for computer malefactors.

This article presents the system policies for Windows 95, 98 and ME that restrict the actions available to the user in the Passwords applet, located in Control Panel. The Passwords applet has three pages: "Change Passwords", "Remote Administration" and "User Profiles". The "Remote Administration" page appears after the relevant services are installed. The "Change Passwords" tab contains the controls "Change Windows" and "Change other Passwords". The "Remote Administration" tab is used for enabling and then managing "Remote administration". On the "User Profiles" page, customised (personal) preferences for the Desktop, Network Neighbourhood, Start menu and Programs menus can be enabled for different users. The system policies given below were designed for single-user, or, as it has become fashionable to say, "client", Windows systems. I intentionally do not give detailed descriptions of the functions or purposes of the individual "User Profiles" or "Remote Administration" settings, so as not to stray from the topic of password administration in Windows 9.x. Password management in Windows NT or 2000 is also outside the scope of this article.

All the policies given in this article have many features in common. All of them are Boolean; in other words, they can have only two states. Their scope is the Current User only, and all are stored in the HKEY_CURRENT_USER system registry hive. The values corresponding to their states are numeric (DWORD) and can be equal to "1", which enables the policy, or "0", which disables it. The policies are absent from the system by default. The absence of the corresponding value in the system registry is equivalent to "0" and disables the policy. All the policies are stored in the "Software\Microsoft\Windows\CurrentVersion\Policies\System" key.

Disable Passwords in Control Panel

This policy, stored in the "NoSecCPL" value, prohibits launching the Passwords applet in Control Panel, thus protecting the security-related system settings from being changed. On an attempt to open the applet, a message appears saying that the system administrator has restricted the Passwords applet.

Hide Change Passwords Page

The state of this policy is stored in the "NoPwdPage" value. When the policy is enabled, access to the "Change Passwords" page is closed. The page is removed from the Passwords applet, and Windows passwords cannot be changed through this applet in Control Panel.

Hide Remote Administration Page

The value "NoAdminPage" is responsible for hiding the "Remote Administration" page. If the policy is enabled, there is no access to the "Remote Administration" page: the page is removed from the Passwords applet, and it is impossible to change its settings through the applet in Control Panel.

Hide User Profiles Page

The value "NoProfilePage", when equal to "1", enables this policy, and the "User Profiles" page is removed from the Passwords applet. Thus, using the applet to change "User Profiles" settings is forbidden.

The implementation in Activity and Authentication Analyzer

To see the state of the above-mentioned policies or to change them in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, then the Passwords item, and find in the right-hand list the items corresponding to these policies, named:

  • Disable Passwords in Control Panel
  • Hide Change Passwords Page
  • Hide Remote Administration Page
  • Hide User Profiles Page

Thursday, August 22, 2002

System Policies for the restriction of Display settings (Part 2)

mad hack

This article continues the description of the system policies intended for restricting the Display settings.

Besides decorating the user interface, a screen saver can serve security and discretionary access functions when password protection is enabled for it. Like every application, a screen saver demands substantial resources to work. The latest screen savers are heavily saturated with graphics, which can slow the system down, especially during initial start. This can affect, for example, the performance of the disk defragmentation program. The next three system policies impose restrictions on the screen saver.

Disable screen savers from running while Disk Defragmenter Active

This system policy can be applied to Windows versions 9.x and ME. It is stored in the "Default" value of the "Software\Microsoft\Windows\CurrentVersion\Applets\Defrag\Settings\DisableScreenSaver" key, located in the HKEY_CURRENT_USER hive. Two Boolean values, "Yes" and "No", are responsible for the state of this policy. Which value corresponds to which state is, I think, clear from the literal meanings of these words in English. If the "Default" value does not store anything, the policy is not enabled. When enabled, this policy blocks the screen saver from launching while Disk Defragmenter is active.

Launching a screen saver while the disk defragmenter is active can slow down or interrupt the defragmentation routine. It is necessary to note here that this policy affects only the defragmentation program provided together with Windows. This system policy does not monitor the work of disk defragmenters from other vendors, for example, from the Norton Utilities package.

No screen saver

This system policy works in Windows versions 2000 and XP. If this policy is enabled, it prohibits the screen saver from launching and blocks the whole "Screen Saver" section with the saver settings. It is stored in the DWORD "ScreenSaveActive" value in the "Software\Policies\Microsoft\Windows\Control Panel\Desktop" key of the HKEY_CURRENT_USER system registry hive. The value "0" means that the policy is active and the screen saver is prevented from launching. The value "1", or the absence of the value, corresponds to the state in which the policy is not configured, and there is no prohibition on launching screen savers or adjusting their settings.

Password protect the screen saver

This system policy, too, can be applied only in Windows versions 2000 and XP. Unlike the other system policies given in this article, whose state can be represented by a pair of Boolean values amounting to a binary "yes" or "no", it has three states. The policy is stored in the HKEY_CURRENT_USER hive in the DWORD "ScreenSaverIsSecure" value, which must be located in the "Software\Policies\Microsoft\Windows\Control Panel\Desktop" key. The policy determines whether the screen savers used in the Windows system resort to passwords, and it prohibits setting (changing) the screen saver password by means of the Display Properties application.

This policy has three states:

  1. The "ScreenSaverIsSecure" value is absent from the system registry. The screen saver behaves as usual, and password use can be set, changed or cancelled with the "Password protected" check box.
  2. The value stores "0". In this case, password protection is forcibly disabled.
  3. The value stores "1". In this case, passwords for screen savers are forcibly enabled.

If the "ScreenSaverIsSecure" value is present in the "Software\Policies\Microsoft\Windows\Control Panel\Desktop" system registry key and stores either "1" or "0", the policy is in the active state and the check box is blocked. In other words, it will be impossible to enable or disable password protection until the value is deleted from the registry.

The "No screen saver" policy described above has priority over this policy. If the "No screen saver" policy is enabled, the system ignores the state of the "Password protect the screen saver" policy.
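The three states and the priority rule above, as an added example that is not part of the original article: a Python sketch that resolves both values for several user profiles and lists those whose idle session is not forced to lock. The profile data is constructed, the function names are illustrative, and treating "user choice" as a finding is an assumption of this example.

```python
# Value names and the key are from the article; function names are illustrative.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

def resolve(values):
    """Resolve both policies from the DWORD values found under POLICY_KEY.

    values maps value name -> int; a value absent from the registry is simply
    not in the dict. Returns (screen saver, password protection, check box locked).
    """
    active = values.get("ScreenSaveActive")
    secure = values.get("ScreenSaverIsSecure")
    if active == 0:
        # "No screen saver" is enabled and has priority over the other policy.
        return ("blocked", "ignored", True)
    if active not in (None, 1) or secure not in (None, 0, 1):
        raise ValueError("value not described in the article: %r" % (values,))
    if secure is None:
        return ("allowed", "user choice", False)   # state 1: check box is usable
    if secure == 0:
        return ("allowed", "forced off", True)     # state 2
    return ("allowed", "forced on", True)          # state 3

def unlocked_profiles(profiles):
    """List (user, reason) for every profile whose idle session is not forced to lock."""
    findings = []
    for user in sorted(profiles):
        saver, password, _locked = resolve(profiles[user])
        if saver == "blocked":
            findings.append((user, "screen saver blocked by policy"))
        elif password != "forced on":
            findings.append((user, "password protection " + password))
    return findings

# Constructed per-user snapshots of POLICY_KEY.
PROFILES = {
    "alice": {"ScreenSaverIsSecure": 1},
    "bob": {"ScreenSaverIsSecure": 1, "ScreenSaveActive": 0},
    "carol": {"ScreenSaverIsSecure": 0},
    "dave": {"ScreenSaveActive": 1},
}

if __name__ == "__main__":
    for user, reason in unlocked_profiles(PROFILES):
        print(user, "-", reason)
```

The profile "bob" is the case worth noticing: "ScreenSaverIsSecure" is "1", yet the setting is ignored because "ScreenSaveActive" is "0".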

Allow only bitmapped wallpaper

This system policy, whose scope is the Current User, allows only bitmapped images in bmp format to be used for the Desktop wallpaper. It should be mentioned at once that it can be applied in Windows 98, ME, 2000 and XP. The policy will also work in Windows 95 and NT with Internet Explorer 4.0x or higher installed together with "Active Desktop", provided that "Active Desktop" is not disabled by a system policy. It is related to "Active Desktop" management, which is why its detailed consideration is outside the scope of the present article.

The DWORD "NoHTMLWallPaper" value, stored in the "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" key in the HKEY_CURRENT_USER hive, is responsible for the state of this policy. The value accepts two states, "1" or "0". The value "0", or its absence, disables the system policy.

Disable Changing Wallpaper

This system policy, whose scope is also the Current User, prohibits changing the Desktop wallpaper. Like the previous policy, it is related to the policies for "Active Desktop" management and works in Windows 98, ME, 2000 and XP. "Disable Changing Wallpaper" can be applied in Windows 95 and NT when Internet Explorer 4.0x is installed with "Active Desktop".

The state of this policy is stored in the DWORD "NoChangingWallpaper" value, located in the "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" key in the HKEY_CURRENT_USER hive. This value can have two states: "1", when the policy is enabled, or "0" (or the absence of the value), when the policy is not activated. If "Active Desktop" is not installed or is disabled by policy, this policy is ignored.

Disable Display in Control Panel

This policy prohibits launching and using the Display application. When it is activated, changing the Display settings requires working directly with the registry by means of Regedit or third-party utilities. Its scope is the Current User. On an attempt to launch the Display application, a message appears explaining that the Administrator has disabled Display.

The DWORD "NoDispCPL" value accepts two Boolean values: "1" or "0". The value "0", or its absence, disables the system policy. The value "1" activates the system policy. This value is stored in the "Software\Microsoft\Windows\CurrentVersion\Policies\System" key in the HKEY_CURRENT_USER hive.

The implementation in Activity and Authentication Analyzer

To see the state of some of the above-mentioned policies or to change them in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, then Display, and find in the right-hand list the items corresponding to these policies, named:

  • Disable Screen Saver while Disk Defragmenter Active
  • No screen saver
  • Password protect the screen saver

To see the state of some of the above-mentioned policies or to change them in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Active Desktop, and find in the right-hand list the items corresponding to these policies, named:

  • Allow only bitmapped wallpaper
  • Disable Changing Wallpaper

To see the state of the "Disable Display in Control Panel" policy or to change it in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, and find in the right-hand list the item corresponding to the policy, named:

  • Disable Display in Control Panel

Activity and Authentication Analyzer history

"Activity and Authentication Analyzer" takes into account what system policies and what histories of user activity are inherent in...