IT Baseline Protection Manual S 4.46 Use of the log-on password under WfW and Windows 95

S 4.46 Use of the log-on password under WfW and Windows 95

Initiation responsibility: Administrators

Implementation responsibility: IT-user

If a new user logs on to a computer under WfW or Windows 95, he is asked whether he would like to set up a password list ([logonname].pwl) under his log-on name. This list then records all the passwords which this user has to transmit when connecting to the resources of others. However, this only happens if this "caching" of passwords on the computer is explicitly permitted and the user also wants it in the individual case.

The WfW log-on password serves solely to protect this password list. Only when the password belonging to the log-on name is entered correctly is the list decrypted and made available.

Particularly when a WfW or Windows 95 computer is used by several users, the stored passwords are only protected from the other users of the same computer by an individual log-on password.

The respective password must be selected appropriately, changed regularly and deposited securely (see S 2.11 Provisions governing the use of passwords and S 2.22 Depositing of passwords).

Notes:

No log-on password is necessary under WfW if the user stores no passwords in the password list. Therefore, if the administrator deactivates password caching as a matter of principle via ADMINCFG.EXE under WfW, or via the system guidelines under Windows 95, the log-on password is superfluous. This authentication mechanism cannot even prevent masquerading on the PC, as any password list may be renamed, the original log-on name re-used, and the original password list then renamed back again.

However, if password caching is permitted and also used, the administrator must set the minimum length of the log-on password to 6 using ADMINCFG.EXE under WfW, or the system guidelines under Windows 95. Then entry of the password is obligatory when logging on under WfW and Windows 95 and cannot be deactivated. In exceptional cases, e.g. if the computer is only being utilised by one user and there is adequate access protection (BIOS password, screen lock, etc.), the log-on password may be deactivated. Deactivation is possible if the minimum length of the password is set to zero.

If passwords are inadvertently stored in the password list by the user, the file [logonname].pwl must be deleted.
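The notes above amount to a small decision procedure. The following check of one computer against it is an added example, not part of the manual: the settings are assumed to have been read off by the auditor from ADMINCFG.EXE or the system guidelines, and the field names, the directory argument and the sample files are hypothetical. Treating several password lists as a sign of several users is a heuristic of this example.

```python
import os
import tempfile
from dataclasses import dataclass

MIN_LEN = 6  # minimum log-on password length S 4.46 requires when caching is used

@dataclass
class Settings:
    """Per-computer values noted by the auditor (hypothetical field names)."""
    caching_permitted: bool
    min_password_length: int
    single_user_protected: bool = False  # one user plus BIOS password, screen lock, etc.

def find_password_lists(directory):
    """Return the log-on names owning a [logonname].pwl file (case-insensitive)."""
    names = []
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry)
        if ext.lower() == ".pwl" and os.path.isfile(os.path.join(directory, entry)):
            names.append(stem.lower())
    return names

def audit(settings, directory):
    """Return the deviations from S 4.46 found on one computer."""
    lists = find_password_lists(directory)
    if not settings.caching_permitted:
        # Caching is off, so no log-on password is needed, but stray lists must go.
        return [f"delete {n}.pwl: list exists although caching is deactivated" for n in lists]
    if settings.min_password_length >= MIN_LEN:
        return []
    if settings.min_password_length == 0 and settings.single_user_protected:
        # Exceptional case: only plausible if a single log-on name has a list.
        if len(lists) > 1:
            return ["exception claimed but several password lists exist: " + ", ".join(lists)]
        return []
    return [f"minimum log-on password length is {settings.min_password_length}, S 4.46 requires {MIN_LEN}"]

def demo():
    """Constructed sample: two password lists and one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("MEIER.PWL", "schmidt.pwl", "WIN.INI"):
            open(os.path.join(d, name), "wb").close()
        cases = (Settings(False, 0), Settings(True, 4), Settings(True, 6), Settings(True, 0, True))
        return [audit(s, d) for s in cases]

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```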

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999