From: [email protected] On Behalf Of David Connors
Sent: Tuesday, 7 May 2013 12:45 PM
To: ozDotNet
Subject: Re: Windows forgetting app passwords

On Tue, May 7, 2013 at 12:32 PM, Ken Schaefer <[email protected]> wrote:

I change my expired password when I VPN in and I cache my Google Drive passwords using the Windows credential manager is just 1 of <large number> of possibilities. At least where I’ve worked, no one uses the Windows credential manager (since it can’t really be managed in any way).

I wasn't aware I had the choice ... ? G Drive and even Lync store their credentials using DPAPI (Lync prompts for them to hand them to my CX-600 for the Exchange features). As far as I understand it, the behaviour is DPAPI and up to the author of the app whether they use it or not.

Tivoli Identity Manager etc. have pre-built add-ins for common apps (like Notes, browsers etc.) that “capture” your passwords, and fill in forms/app dialogues for you. As such, you never enter your password into the app yourself, so it never needs to be stored by the app in the credential store.

I think most enterprises use these types of systems because (a) they are extensible – you can ‘profile’ unsupported apps to add them and (b) they can be centrally managed. If your password needs to be reset for a system, that change can be pushed to your cache.

On a semi-tangent: who puts their domain controllers “in the cloud”? (and how?) Domain controllers in a data centre I can understand, but surely a cloud offering (whether IaaS or PaaS) screams security issues.

For us it is Domain Controllers in the data centre, but our office network is effectively treated as untrusted. We all VPN into our private 'company' network which is really just a number of guests on one of our servers in the DC we lease space in.

No doubt you have your reasons not to, but wouldn’t a site-to-site VPN also avoid the issue? I suppose that’s the route many orgs go down – branch office sites have a site-to-site VPN to another site that has a DC.

Cheers
Ken
