Focus on Microsoft
Re: focus-ms (at) securityfocus (dot) com [email concealed] Aug 30 2003 08:49AM
fala83@libero.it (fala83 libero it) (5 replies)
Wasn't someone looking for a Group Policy collection tool? Oct 04 2003 02:48AM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
Re: focus-ms (at) securityfocus (dot) com [email concealed] Sep 02 2003 12:42PM
simonis (simonis myself com) (1 replies)
RE: focus-ms (at) securityfocus (dot) com [email concealed] Sep 02 2003 08:46PM
Kim Oppalfens (kimoppalfens tiscali be) (1 replies)
RE: focus-ms (at) securityfocus (dot) com [email concealed] Sep 04 2003 12:08AM
Paulo Wilbert (pwilbert uninet com br)
cached passwords (was RE: focus-ms (at) securityfocus (dot) com [email concealed]) Sep 02 2003 06:28AM
Zachary Mutrux (zmutrux compumentor org)
Re: focus-ms (at) securityfocus (dot) com [email concealed] Sep 02 2003 01:11AM
Sam Baskinger (sam reefedge com)

Just as a side note, local password caching need never be to a local file on a
disk. If the operating system supports "pinning" memory pages (as WinNT and
after all do) then a password may be put into a pinned page. The password
may then be read from that page via some method of IPC.

The benefit of this is that a pinned page is never swapped out of memory so
an attacker cannot remove the HD and check the swap space. The password is
lost when the process owning that page dies (or the computer is forcibly
powered off).

Note that for the user to not need to enter a passphrase for every Kerberos
ticket issued, Kerberos must use some sort of credential caching.

I am fairly sure (though not 100%) that Windows does not cache in local files
any sort of network security credentials.

Hope this is helpful!

Sam

On Saturday 30 August 2003 04:49, fala83 (at) libero (dot) it [email concealed] wrote:
> In my opinion a system wouldn't cache passwords locally.
> E.g. Sysadmin logs into a workstation and the password will be stored
> locally. An attacker could retrieve his password and log into the whole
> network with administrative privileges. It is not completely safe.
> I'd rather use Kerberos, using its tickets to access network
> resources without caching the password.
> Anyway if the password must be stored locally, it must be!
>
> >Todd Shubert wrote:
> >
> > What exactly is the "right security policy"? Wouldn't not storing the
> > password provide problems for users, specifically laptop users, that
> > require the use of cached credentials?
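
The pinned-page idea from the message above, as an added C example that is not part of the original post: it uses POSIX mlock() so it runs on Linux, where the Win32 counterpart is VirtualLock(). The secret_cache type, the function names and the passphrase are constructed for illustration, and the IPC read path the message mentions is not shown.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { char *page; size_t len; } secret_cache; /* hypothetical names */

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void wipe(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Allocate one page and pin it; fail closed (-1, nothing held) if it cannot be locked. */
int cache_open(secret_cache *c) {
    long ps = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    c->page = NULL; c->len = 0;
    if (ps <= 0 || posix_memalign(&p, (size_t)ps, (size_t)ps) != 0) return -1;
    if (mlock(p, (size_t)ps) != 0) { free(p); return -1; } /* e.g. RLIMIT_MEMLOCK */
    c->page = p; c->len = (size_t)ps;
    return 0;
}

/* Copy a secret into the pinned page; reject anything that does not fit. */
int cache_put(secret_cache *c, const char *secret) {
    size_t n = strlen(secret) + 1;
    if (c->page == NULL || n > c->len) return -1;
    wipe(c->page, c->len);
    memcpy(c->page, secret, n);
    return 0;
}

/* Wipe before unlocking so no plaintext remains once the page is swappable. */
void cache_close(secret_cache *c) {
    if (c->page == NULL) return;
    wipe(c->page, c->len);
    munlock(c->page, c->len);
    free(c->page);
    c->page = NULL; c->len = 0;
}

int main(void) {
    secret_cache c;
    if (cache_open(&c) != 0) return 1;   /* could not pin: cache nothing */
    int rc = cache_put(&c, "constructed-passphrase"); /* constructed value */
    cache_close(&c);
    return rc != 0;
}
```
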
Re: focus-ms (at) securityfocus (dot) com [email concealed] Sep 01 2003 08:23PM
Flávio Pereira (fpereirabr yahoo com br)







 
