[wpkg-users] WPKG Client settings
Tomasz Chmielewski
mangoo at wpkg.org
Fri Apr 3 10:52:13 CEST 2009
Berge Schwebs Bjørlo schrieb:
> On Wed, Apr 01, 2009 at 02:33:20PM +0200, Tomasz Chmielewski wrote:
>> Otherwise, any usernames/passwords could be revealed too easily.
>
> Isn't this just security-by-obscurity? With the proper OS privilege level
> (Administrator, LOCALSYSTEM or equivalent), you'll have access to the
> username and password anyway, just with a tad more hassle. Indeed, that
> hassle have bitten me during debugging before. (As I remember it, the
> password was obscured by some trivial, two-way "encryption" in a registry key
> somewhere.)
>
> The username and password security lies solely with the fact that a regular
> user account won't have access to the relevant parts of the registry. It'd be
> as secure (and a lot more admin-friendly) to just store the settings
> somewhere and let the OS handle access rights, like it does anyway, IMHO.
Sure - with proper privilege level, time and resources, no password is
secure.
For example, it is possible for someone who steals your laptop to remove
its hard disk, read interesting data and try to crack all user passwords
you might have.
That's why it's best to:
- use SYSTEM account for executing processes started by WPKG Client
- use credentials which only allow access to your %SOFTWARE% share (but
don't allow to log in)
Even better yet, with the latest testing release of WPKG Client, it is
possible to connect to a share with computer credentials. However, I'd
like to get more feedback about it (if/how it works).
--
Tomasz Chmielewski
http://wpkg.org
More information about the wpkg-users
mailing list