How can the value in the "DefaultPassword" part of the registry be encrypted?

Posted on 2012-08-22
Last Modified: 2012-09-01
How can the value in the "DefaultPassword" part of the registry be encrypted?

This registry key is located in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon portion of the registry.

As you can see in the attached screenshot, my default logon password of "Password123" is visible to whoever browses to this part of the registry using regedit.

I need to have an entry in this "DefaultPassword" part of the registry so that my computer will automatically logon every time that the OS boots up.

The operating system is Windows Server 2008 R2.

How can I encrypt this password so that it won't be visible to whomever browses to this part of the registry?
Default-password-registry-key-ne.png
Question by:Knowledgeable
14 Comments
 
LVL 47

Accepted Solution

by:
David earned 544 total points
ID: 38324024
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 184 total points
ID: 38324074
I don't think the registry or parts of it can be encrypted, at least not for what you want. But if security is of interest I also don't see any reason to have the server automatically log on to itself as a user. You should have to log on manually while you actually work on it, and when finished you should log back off.

You could of course also create a GPO so that non-administrative users can't start regedit, and then they won't be able to browse it.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 364 total points
ID: 38324084
I don't think you can make it obscured, even Windows stated it is in plaintext.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378750(v=vs.85).aspx

The Windows Sysinternals Suite includes a tool named Autologon that you can use to configure computers to automatically log on to a specific account. The benefit of using this tool is that it encrypts the password, whereas the values shown in Table 1 store the password in plain text. The Sysinternals Autologon tool supports only 32-bit versions of Windows 7, however.

http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx

Alternatively, it can be stored securely by running the mentioned Windows function, but that can be a hassle.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378826(v=vs.85).aspx

It stated for computers running one of the Windows Server 2003 or Windows XP operating systems, not sure if it is applicable for Windows 2008.

However, there is another Sysinternals tool worth trying - "Autologon" [3]
0
 
LVL 29

Assisted Solution

by:Michael Pfister
Michael Pfister earned 184 total points
ID: 38324094
AutoLogon, as posted by breadtan, stores the password encrypted in the Protected Storage

http://technet.microsoft.com/en-us/sysinternals/bb963905

Still, if someone can get access to the computer, the password can be decrypted by some tools, so it's not 100% safe.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 544 total points
ID: 38324360
AutoLogon works on Windows 2008 R2. I know from personal experience. The protected storage isn't 100% safe, and it can be accessed via hacker tools, but it's a real hassle. I have tried. :-)

You can't protect reading the registry as rindi proposes, because it might be read remotely, or through programming APIs, so restricting access to regedit is not good protection.
0
 
LVL 22

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 180 total points
ID: 38324404
All the necessary services for a server OS to perform its roles/functions run without logon.

Please explain why you would want the server to log on under any circumstances? The only time it should be logged on is when an administrator is actively performing maintenance. As soon as the maintenance is finished the administrator should log off.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 544 total points
ID: 38324450
There are lots of 3rd party apps that require an interactive logon session to run. It sucks that there are so many niche market developers that don't know how to write software to run as a service, but we are stuck because we need the functionality. This includes large vendors such as Avaya. Heck, there is even software that drives a display, and that obviously needs to be logged in. I always try to minimize the number of computers that autologon, but many times we need it. The physical/virtual consoles are always well secured.
0
 
LVL 3

Expert Comment

by:Darkworld1000
ID: 38324487
How can the value in the "DefaultPassword" part of the registry be encrypted?
0
 
LVL 47

Assisted Solution

by:David
David earned 544 total points
ID: 38324774
I think you're all missing something. According to the article I posted, the only reason this entry is there to begin with is because autologin was once turned on, and that happened to be the password.

So just remove autologin, then change the password and whatever data that is there will be stale.

But encrypting it?? Nope. Talk to Bill Gates. Maybe Win2012 fixes this boneheaded security flaw.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 364 total points
ID: 38325128
Simply said that defaultpassword is never going to be encrypted in registry at least if you are using what the OS is offering for autologon. Want to clarify on the point of local protected area, the LSA method is done through "control userpasswords2" applet. But as mpfister and kevinhsieh mentioned, LSA protected storage is not secure. See this tool

http://nirsoft.net/utils/pspv.html

Likewise, as dlethe said, I also see that the most secure option is not to autologon at all (of course you make some risk assessment and stakeholders understand that). Else you need to customise your own GINA or CredProv. Btw, security by obscurity is no security, it is just making it harder but not impossible.

Passwords are normally stored in hash format (salted) and would be more secure compared to what we discussed for autologon; sadly that is not good for auto login... and passwords should be changed periodically, not left static (esp. for users). Just look at the amount of password cracking and breaks (even of some hashes) known openly...
0
 
LVL 47

Assisted Solution

by:David
David earned 544 total points
ID: 38325430
So there you have it.   The answer is that there is no way to encrypt the password. If you want security, use a different O/S or disable autologin.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 544 total points
ID: 38326284
I have to disagree with dlethe. The logon credentials are not stored in the registry, so that is part one. The second part is that the credentials are encrypted. So that is part two of the OP question. The fact is that the decryption key has to be stored by the OS unless there is a hardware based encrypted vault. Anytime the system has access to the decryption keys, the encrypted data is vulnerable. That is a fundamental fact of computer systems and changing OS won't help that. Maybe if the OS supported storing the autologon password in a TPM module it would be secure. You could manually enter in a decryption key at boot, but that defeats the purpose, now doesn't it. ;-P
0
 
LVL 47

Expert Comment

by:David
ID: 38326418
Kevin, then how does one solve the original question? The MSFT info I saw shows it in the free and clear.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38326436
Delete the info in the registry and use autologon. I don't think that autologon will clear the old information from the registry. Autologon stores the information in Protected Storage, which is encrypted but not invulnerable to extraction.
0
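
As an added example (not code from any poster in this thread), a PowerShell audit for the condition discussed above: it reports whether the Winlogon key still holds a plaintext DefaultPassword without printing it, and can delete a leftover value once the credential lives elsewhere. The function names are hypothetical, and the Remote Registry check is an assumption about how the remote read kevinhsieh mentions would be exposed.

```powershell
# Added example. Written to run on the PowerShell 2.0 that ships with
# Windows Server 2008 R2. Function names are hypothetical.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    param([string]$Path = $WinlogonPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value reads as $null; the password itself is never output.
    $hasPlaintext = -not [string]::IsNullOrEmpty([string]$props.DefaultPassword)

    # Assumption: a running Remote Registry service means the key can be
    # read over the network, not only through local regedit.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        AutoAdminLogon           = ($props.AutoAdminLogon -eq '1')
        DefaultUserName          = $props.DefaultUserName
        DefaultDomainName        = $props.DefaultDomainName
        PlaintextDefaultPassword = $hasPlaintext
        RemoteRegistryRunning    = ($svc -ne $null -and $svc.Status -eq 'Running')
    }
}

function Remove-PlaintextDefaultPassword {
    # Needs an elevated session; prompts before deleting unless -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Path = $WinlogonPath)

    if (-not (Get-AutoLogonExposure -Path $Path).PlaintextDefaultPassword) {
        return $false   # nothing to clean up
    }
    if ($PSCmdlet.ShouldProcess("$Path\DefaultPassword", 'Remove plaintext value')) {
        Remove-ItemProperty -Path $Path -Name DefaultPassword `
            -Confirm:$false -ErrorAction Stop
        return $true
    }
    return $false
}

# Report the current state of this machine.
Get-AutoLogonExposure | Format-List
```

Removing the value does not undo the exposure, so the password that sat there should still be changed, as David suggests. Autologon keeps working afterwards only if the credential has been stored with the Autologon tool, as kevinhsieh describes.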
