Windows Server 2003 caches UNC Password

[CDARS]

Hi,

I have a new installed Win 2003 Server. I connect to another server
(Win2K) just in order to copy some files after setup. I used UNC
(\\serevr\folder format) at Start / Run. A pop-up, captioned "Connect
to", appears prompting for user ID and password of the remote server.
All these make sense EXCEPT at the pop-up there is a checkbox
"Remember my password" which I checked.

I thought it will cache my password for the current session and when I
log-off it will be gone. Now it sticks to my machine no matter I
reboot / logout. That's a great security risk.

Questions:
1) How to remove the cached password from my server?
2) How to disable the checkbox from appearing?

Big thanks!

 

[Michael Bednarek]

On 23 Apr 2004 19:26:18 -0700, (e-mail address removed) (CDARS) wrote in
comp.os.ms-windows.programmer.win32,
comp.os.ms-windows.networking.windows,
comp.os.ms-windows.nt.admin.security, comp.os.ms-windows.nt.admin.misc:
[FU set to comp.os.ms-windows.nt.admin.security]

I have a new installed Win 2003 Server. I connect to another server
(Win2K) just in order to copy some files after setup. I used UNC
(\\serevr\folder format) at Start / Run. A pop-up, captioned "Connect
to", appears prompting for user ID and password of the remote server.
All these make sense EXCEPT at the pop-up there is a checkbox
"Remember my password" which I checked.

I thought it will cache my password for the current session and when I
log-off it will be gone. Now it sticks to my machine no matter I

I think it sticks to your user profile, not the machine.

reboot / logout. That's a great security risk.

Could you elaborate on why you think this is a security risk?

Questions:
1) How to remove the cached password from my server?

Remove the user profile. You didn't do this while logged in as
Administrator, right?

2) How to disable the checkbox from appearing?

Just don't tick it if you don't want the system to do what the label on
the tickbox says it will do.

 

[CDARS]

Hi,

Thanks for your advice. Now I understand that I am a beginner in
Win2k3 server...

Start => Control Panel => Stored User Names and Passwords

You can see a list of stored password by site. Just delete or edit as
you like.
As soon as there is a console controlling it, it is ok. Imagine you
have a server will some unknown passwords to other servers. Your
server can be the start-point for an attack.

Now a follow-up question:
I map a network drive and select "re-connect at logon". After logging
off the mapped drive is always disconnected. It prompts for a valid
password when you click on it, which of course the password I entered
was correct at the time I mapped the drive.

The problem is solved when I added the logon information at "Stored
User Names and Passwords". But I wonder should it be a correct
practice.

Any idea on this?

 

[Sten Westerback]

Hi,

Thanks for your advice. Now I understand that I am a beginner in
Win2k3 server...

Start => Control Panel => Stored User Names and Passwords

You can see a list of stored password by site. Just delete or edit as
you like.
As soon as there is a console controlling it, it is ok. Imagine you
have a server will some unknown passwords to other servers. Your
server can be the start-point for an attack.

Well.. many things are possibly possible.... but in this case the hacker
would first have to impersonate yourself and then happen to find out
which drive is connected to somewhere else with some specific account
and then find out what do to with the information on that share...

Now a follow-up question:
I map a network drive and select "re-connect at logon". After logging
off the mapped drive is always disconnected. It prompts for a valid
password when you click on it, which of course the password I entered
was correct at the time I mapped the drive.

The problem is solved when I added the logon information at "Stored
User Names and Passwords". But I wonder should it be a correct
practice.

No.. correct practice would be to have domain policy disable that
checkbox and you use an account that has the needed remote share
permissions by default. In addtion you "may" use Start->Run
\\server\share and have it ask for password for that session.
Such connections you can remove using
net use \\server\share /d

- Sten

 

[CDARS]

Hi,

Thanks for the advice. I wanna review more of my situation and see
what you may suggest.

2 Server. 1 Win2K, 1 Win2K3.
Win2K at WORKGROUP. W2K3 at AD Domain. (Strange but don't ask why.)
To copy files in daily schedule from Win2K3 to Win2K.
As you know, scheduled task cannot see mapped drive. Obviously I don't
want to code the password in the "net use" command in clear text.
Current Solution:
There is a operator account in the Win2K server. I create an entry at
the "Stored User Names and Passwords" for that account. Then at the

What would be the best practice for this situation?
Thanks.