On Tue, May 7, 2013 at 12:32 PM, Ken Schaefer <[email protected]> wrote:
> I change my expired password when I VPN in and I cache my Google Drive
> passwords using the Windows credential manager is just 1 of <large number>
> of possibilities. At least where I’ve worked, no one uses the Windows
> credential manager (since it can’t really be managed in any way)

I wasn't aware I had the choice ... ? G Drive and even Lync store their credentials using DPAPI (Lync prompts for them to hand them to my CX-600 for the Exchange features). As far as I understand it, the behaviour is DPAPI and up to the author of the app whether they use it or not.

Anyway, at least I understand the issue I can work around it by just resetting my password with CTRL+ALT+DEL before it expires so LSASS sees the change and re-does all of the encryption for app-based secrets.

> – 3rd party solutions like TIM are common, plus many don’t use Windows
> username/password for VPN authentication, and a minority use pre-user auth
> VPN – so there’s a few ways to avoid the issue (not to mention most people
> are in the office at least some of the time)

[ ... ]

> On a semi-tangent: who puts their domain controllers “in the cloud”? (and
> how?)
>
> Domain controllers in a data centre I can understand, but surely a cloud
> offering (whether IaaS or PaaS) screams security issues.

For us it is Domain Controllers in the data centre, but our office network is effectively treated as untrusted. We all VPN into our private 'company' network which is really just a number of guests on one of our servers in the DC we lease space in.

David.
