Re: RAS 'save password' problems...

Noam Ben-Yochanan (noam@ZSOFT.COM)
Sun, 22 Mar 1998 18:11:50 +0200

> ---------- Forwarded message ----------
> Date: Thu, 19 Mar 1998 14:09:44 -0800
> From: martin Dolphin <mdolphin@POBOX.COM>
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: RAS 'save password' problems...
>
> THE PROBLEM:
> Windows NT allows users to save their RAS credentials by using the 'Save
> Password' checkbox when making a dial-up connection. Credentials saved in
> this manner are stored in the
> HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0 registry
> key. These credentials can be enumerated using the LSA secrets code. (As
> identified by Paul Ashton in a prior submission to NTBugtraq)

I've written code using the RasGetEntryDialParams() function. Here's
Microsoft's description of this function:

---begin description---
The RasGetEntryDialParams function retrieves the connection information
saved by the last successful call to the RasDial or
RasSetEntryDialParams function for a specified phone-book entry.
---end description---

Another function which is supposed to supersede this function is
RasGetCredentials(). Here's the description for this function:

---begin description---
The RasGetCredentials function retrieves the user credentials associated
with a specified RAS phone-book entry.
---end description---

In both cases the clear-text password is a field in the retrieved
record. No need to access the registry, no need to use the LSA secrets
code. I think Microsoft thought they should provide such a feature for
purposes of automatic dialup connections - to avoid the need for user
input. This might sound a bit funny, but if the password isn't saved, a
human has to enter it manually, but a program can just use one of the
aforementioned functions. Microsoft seemingly makes a distinction between
the privileges of a user and those of a program (i.e. programmer).

Noam Ben-Yochanan
noam@zsoft.com