security problem

[nrandom]

Configuring wireless connectivity using both papers posted on zeroshell.net, causes a potential security problem.

Windows caches the username and password. This means the second time you connect it will automatically logon. Also, MS says this is by design.

For schools that have several students using the same notebook, this means the first user to logon has their username and password used automatically by the other users.

If you were to walk away from the notebook, and the screen saver had not executed, then anyone could logon to network with cached credentials.

Does anyone know how to clear this cache other than the MS suggestion that user edits regedit each time. I know we can not rely on that approach.

Fulvio, isn’t this a serious issue? Would really like to hear your opinion.

regards

[imported_fulvio]

I have not understood if you use Captive Portal authentication or WPA/WPA2 with 802.1x.
In the first case the possibility to cache the passwords is a feature of the web browser and you are able to decide if you want to use it. In any case, by using the tools of the browser you can remove any cached password.
In the latter case, I don’t know if it is possible to disable the MSChapv2 password caching in the PEAP.
If it is not possible you shouldn’t use the Windows XP’s integrated supplicant, but install another one that supports PEAP authentication.

Regards
Fulvi

[Author]

Posts