Bugtraq mailing list archives

Re: RAS 'save password' problems...


From: noam () ZSOFT COM (Noam Ben-Yochanan)
Date: Sun, 22 Mar 1998 18:11:50 +0200


---------- Forwarded message ----------
Date: Thu, 19 Mar 1998 14:09:44 -0800
From: martin Dolphin <mdolphin () POBOX COM>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: RAS 'save password' problems...

THE PROBLEM:
Windows NT allows users to save their RAS credentials by using the 'Save
Password' checkbox when making a dial-up connection. Credentials saved in
this manner are stored in the
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0 registry
key.  These credentials can be enumerated using the LSA secrets code.  (As
identified by Paul Ashton in a prior submission to NTBugtraq)

  I've written code using the RasGetEntryDialParams() function. Here's
Microsoft's description of this function:

---begin description---
The RasGetEntryDialParams function retrieves the connection information
saved by the last successful call to the RasDial or
RasSetEntryDialParams function for a specified phone-book entry.
---end description---

  Another function which is supposed to supersede this function is
RasGetCredentials(). Here's the description for this function:

---begin description---
The RasGetCredentials function retrieves the user credentials associated
with a specified RAS phone-book entry.
---end description---

  In both cases the clear-text password is a field in the retrieved
record. No need to access the registry, no need to use the LSA secrets
code. I think Microsoft thought they should provide such a feature for
purposes of automatic dialup connections - to avoid the need for user
input. This might sound a bit funny, but if the password isn't saved, a
human has to enter it manually, but a program can just use one of the
aforementioned functions. Microsoft seemingly makes a distinction between
the privileges of a user and those of a program (i.e. programmer).

Noam Ben-Yochanan
noam () zsoft com


