Re: Testing two bank laptops. winxp vpn client

From: lion nagar (lionbsd@gmail.com)
Date: Sun Feb 12 2006 - 19:52:31 EST


hi,
well first they should protect their windows login, as only this user
will be able to use the saved vpn connection with the username and
password. they should also consider encryption to the whole HDD
(safeguard could be used for example) which adds to the protection of
the data if the laptop was stolen.

they should have a timeout for locking out the laptop 5 minutes should
do the less the better :)

now if you really want to try ( i am not sure it will work) you can try this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
add a DWORD Value Name: DisableSavePassword Value Type: REG_DWORD Value Data: 1

this should disable to option to save password for dial up
connections, i guess it might work for the VPN connection too.

however i notice cisco vpn client have the option of saving the
password too, which basically make sense if you ask me, for stuff like
this i don't like the users to know the passwords for certain services
(email for example)

imagine the person have to type in a strong password every time, a
person behind him can have it or even worse can get a hold of a piece
of paper the user wrote on (cause it too complicated for him) together
with your vpn server ip.
then you won't even notice when something is wrong and you will get
compromised, while when the person's laptop was stolen he can call
right away to TECH and have his vpn account disabled.

hope it helps in a way,

LionBSD
www.shukipel.com

On 2/12/06, Bob WIlliams <sopiaz57@gmail.com> wrote:
> Hey All,
>
> I have a client who wants two bank laptops tested. I want to do some
> reasearch on a fix for a problem I know they are vulnerable too. They
> use the WIN xp VPN client which saves the password, giving someone who
> steals the laptop an easy way into the corporate network.
>
> Does anyone know how I can disable this feature so employees cant save
> the password?
>
> Thanks in advance//
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT