>Approved-By: [EMAIL PROTECTED] >X-Mailer: Internet Mail Service (5.5.2650.21) >Date: Sun, 31 Oct 1999 17:00:43 -0500 >Reply-To: Technical discussions regarding security bugs that pertain >to Microsoft networks <[EMAIL PROTECTED]> >From: "No�l, Richard" <[EMAIL PROTECTED]> >Subject: Caching of passwords revealed after installing SP6 >To: [EMAIL PROTECTED] > >I found something disturbing today. I installed SP6 on an NT4 SP5 server >that I've been using as a PPTP client for the past couple of years. After >installing SP6, I found that the setting for saving passwords for at least >PPTP dial-up has been enabled which is a feature I never, never use. While >this is bad, the disturbing part revealed by installing SP6 is that even >though I never used the "Save password" feature with PPTP, my password was >in fact being cached. I know this because the first four PPTP dial-up >connections I tried (i.e. four different PPTP servers) all immediately >connected and authenticated without prompting me for credentials. Two >others failed to connect immediately because the cached password did not >match the current password for my domain account. > >If any of you get a chance, could you pls verify this behavior. > >Thanks, >Richard
