Windows Password accessible via Remote Registry queries

Article:TECH149940  |  Created: 2010-08-30  |  Updated: 2012-04-19  |  Article URL http://www.symantec.com/docs/TECH149940
Article Type
Technical Solution


Issue



When the PGP Whole Disk Encryption Single Sign-On (SSO) feature is used, the PGP Disk driver caches the user's credentials in the pre-boot environment, PGP BootGuard, and passes them to the Windows logon process, which logs the user into Windows automatically. With SSO, users enter their credentials only once, at PGP BootGuard, and are then logged in to Windows without a second prompt.

Once the Winlogon process starts, the credentials cached at PGP BootGuard are used to authenticate the user into the Windows profile automatically. This information is never written to the physical disk at any stage of the process; PGP Whole Disk Encryption supplies it in memory only, as part of the mechanism that authenticates the user at Windows logon.
In environments where logon banners are used, the logon process is halted until the user clicks OK on the banner. Before the information is cleared from memory, PGP Whole Disk Encryption passes the credentials along to mimic an interactive logon. At no point does this process write the user's credentials to the physical disk or to the Windows Registry database stored on the disk.
If the user does not click OK on the logon banner, the logon stays pending and the user's password can be displayed via Remote Registry queries during that window. Viewing a user's system via Remote Registry in this way requires administrative-level permissions on that system.

Once the user clicks OK to the logon banner, the computer completes the login process and the password is then removed from memory.


Environment



Note: This type of behavior is similar to what happens when auto-logon has been enabled in Windows without PGP installed on the system.


Solution



PGP Desktop 10.1.0 through 10.1.2 provides improved password handling when PGP Whole Disk Encryption is used with SSO. This protection is disabled by default and is enabled by modifying a Windows registry value.

PGP Whole Disk Encryption 10.2 MP5 and above includes new SSO functionality for Vista, Windows 7 and Server 2008.
Instead of using the Winlogon and registry hooks to pass credentials cached at PGP BootGuard, PGP Whole Disk Encryption caches credentials and passes them using Credential Provider.
Using this method, there is no chance for the password to be viewed via Remote Registry processes.


Windows XP
To enable the registry value
  1. Click Start>Run.
  2. Type regedit and click OK.
  3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP\ folder.
  4. Right-click the SSOCheckPID value and select Modify.
  5. Type 1 for the Value data and click OK.
  6. Close the Registry Editor.
Windows Vista & Windows 7
To enable the registry value
  1. Click Start.
  2. Type regedit in the Start Search field, and then click the regedit result in the Programs list.
  3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP\ folder.
  4. Right-click the SSOCheckPID value and select Modify.
  5. Type 1 for the Value data and click OK.
  6. Close the Registry Editor.
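The same change as an added PowerShell script that audits the SSOCheckPID value and, only when asked, sets it to 1. This is example code written for this page, not a script from Symantec or PGP. It assumes the key path and value name exactly as given in the steps above, and it assumes SSOCheckPID is a REG_DWORD (the article says to type 1 as the Value data but does not state the type); confirm both on a test machine before using it at scale. The Remote Registry service status line is an added context check, not part of the article's procedure. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the Symantec article): audit, and optionally set,
# the SSOCheckPID registry value described in TECH149940.
# Assumptions: value is REG_DWORD; path is exactly as the article gives it.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\PGP Corporation\PGP'   # path from the article
$ValueName = 'SSOCheckPID'                           # value name from the article
$Expected  = 1                                       # 1 = improved handling enabled

function Get-SsoCheckPidState {
    # Returns Present/Value/Enabled so the caller can decide what to do.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Enabled = $false }
    }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Enabled = $false }
    }
    $v = [int]$item.$ValueName
    return [pscustomobject]@{ Present = $true; Value = $v; Enabled = ($v -eq $Expected) }
}

# Context only: the article's exposure path is Remote Registry, so report
# whether that service is running on this host (added check, not in the article).
$svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
if ($svc) { Write-Output "Remote Registry service status: $($svc.Status)" }

$state = Get-SsoCheckPidState
if ($state.Enabled) {
    Write-Output "$ValueName is $($state.Value): improved SSO password handling is enabled."
    return
}
if (-not $state.Present) {
    # The value may simply not exist on versions other than PGP Desktop 10.1.0-10.1.2.
    Write-Warning "$ValueName not found under $KeyPath. Confirm the installed PGP Desktop version before creating it."
    return
}
Write-Warning "$ValueName is $($state.Value): SSO credentials may be readable via Remote Registry while a logon banner is pending."
if ($Remediate -and $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Expected")) {
    # -Type DWord is the assumed value type; -WhatIf previews without writing.
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Expected -Type DWord
    Write-Output "Set $ValueName to $Expected."
}
```

Run it without arguments to audit, with -Remediate -WhatIf to preview the change, and with -Remediate to apply it. The script deliberately does not create the value when it is absent, because on builds outside 10.1.0 through 10.1.2 the article does not say the value is honoured.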

Note: If SSO needs to be completely disabled in PGP Whole Disk Encryption, please do so via the PGP Universal Server Consumer Policy “Deny encryption of disks to existing Windows Single Sign-On password.”




Legacy ID



2221

