IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.46 Use of the log-on password under WfW and
Windows 95
Initiation responsibility: Administrators
Implementation responsibility: IT-user
If a new user logs on to a computer under WfW or Windows 95, he will be
asked whether he would like to set up a code word list ([logonname].pwl)
under his log-on name. This list will then record all the passwords which have
to be transmitted by this user on connection with the resources of others.
However, this only happens if this “caching“ of passwords on the computer is
explicitly permitted and the user also desires it in individual cases.
The WfW log-on password serves solely to protect this password list. Only on
correct entry of the password belonging to the log-on name will this be
decrypted and made available.
Protection of the stored code words with respect to the users of the same
computer is only guaranteed by an individual log-on password, particularly
when a WfW or Windows 95 computer is utilised by several users.
The respective password must be selected appropriately, changed regularly
and deposited securely (see S 2.11 Provisions governing the use of passwords
and S 2.22 Depositing of passwords).
Notes:
No log-on password is necessary under WfW if no passwords are stored in the
password list by the user. Therefore, if password caching is deactivated on
principle by the administrator via ADMINCGF.EXE under WfW, or via the
system guidelines under Windows 95, the log-on password is superfluous.
Even masquerading on the PC cannot be prevented with this authentication
mechanism as every password list may be renamed, the original log-on name
may be re-used and the original password list may then be changed back
again.
However, if password caching is permitted and also used, the administrator
must set the minimum length of the log-on password to 6 using
ADMINCFG.EXE under WfW, or the system guidelines under Windows 95.
Then entry of the password is obligatory when logging on under WfW and
Windows 95 and cannot be deactivated. In exceptional cases, e.g. if the
computer is only being utilised by one user and there is adequate access
protection (BIOS password, screen lock, etc.), the log-on password may be
deactivated. Deactivation is possible if the minimum length of the password is
set to zero.
If passwords are inadvertently stored in the password list by the user, the file
[logonname].pwl must be deleted.
Additional controls:
- Will the WfW or Windows 95 users be told that, in addition to password
protection on the PC (e.g. BIOS password), the log-on password is also
necessary for protection of the individual password list under WfW or
Windows 95?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000