10.21 Simplifying Windows 9x passwords

10.21.1 Background

Windows 95/98/ME workstations may use up to four separate passwords:

• A Windows login password - which may be required to log into the workstation, or may be optional (press Escape to bypass).
• An optional password used to protect the (optional) screen saver.
• A password used to log into Microsoft network services.
• A password used to log into network services from other vendors, such as Novell.

Each of these passwords is optional, and normally each of these passwords is managed separately.

Validation of each password and the ability to change each password is controlled by the following facilities:

• The registry names one password provider library (DLL) to manage each type of password.
• The Windows password is used to encrypt a password cache file in the Windows directory, with a .PWL filename extension.
• The screen saver password is stored in the registry.

10.21.2 Security

The Windows password cache is implemented using weak encryption. As a result, an intruder who can physically access a Windows 95/98/ME workstation, or who can read files from it, can retrieve its PWL files and decrypt them. This gives the intruder both the Windows login password and any network passwords stored in the PWL file.

The Windows screen saver password is stored in the registry using weak encryption. An intruder who has physical access to a Windows workstation or who can read its registry over the network can retrieve and decrypt this password.

Finally, the login prompt on a Windows 95/98/ME workstation can always be bypassed by rebooting the workstation from a floppy disk or CD-ROM, or restarting it in safe mode.

10.21.3 Simplified password management

Since the Windows password caching mechanism is insecure, and since it is difficult for users to manage multiple passwords, we recommend that Windows 95/98/ME workstations be configured so that the Windows and screen saver passwords are validated against the network provider: Microsoft, Novell or another vendor.

To enhance security, we recommend that password caching be disabled. You can also require mandatory password validation prior to Windows login. Use this only for workstations that are permanently attached to the network. This effectively disables the ability of users to bypass the login screen by pressing the Escape key.

Once P-Synch synchronizes passwords for the user of each workstation, password caching will become unnecessary, as Windows 95/98/ME will automatically attempt to use the user's first (login) password to access network resources, and this first attempt will succeed.

Implement these changes using the following registry changes:

To incorporate a Windows NT domain login into the workstation login prompt, and to change the initial workstation login from one using a local Windows password to one using password validation against a Windows NT domain:

REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"LMLogon"=hex:01,00,00,00

To alter the screen saver so that it authenticates users against the Microsoft network provider, rather than locally, run this .reg file:

REGEDIT4

[HKEY_LOCAL_MACHINE\
   System\
   CurrentControlSet\
   control\
   PwdProvider\
   SCRSAVE]
"ProviderPath"="msnp32.dll"
"UseMasterKey"=hex:01,00,00,00

To disable password caching:

REGEDIT4

[HKEY_LOCAL_MACHINE\
   SOFTWARE\
   Microsoft\
   Windows\
   CurrentVersion\
   Policies\
   Network]
"DisablePwdCaching"=hex:01,00,00,00

To disable ghosting:

REGEDIT4

   [HKEY_LOCAL_MACHINE\
      System\
      CurrentControlSet\
      Services\
      MSNP32\
      NetworkProvider]
   "LogonDisconnected"=hex:00,00,00,00

To require users to provide a valid network password at login, and prevent them from logging in by pressing the Escape key:

REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000000

Caution:

Use this only for workstations that are permanently attached to the network, to prevent problems with disconnected operation.

 

To prevent users from changing their Windows networking password:

REGEDIT4
   
   [HKEY_LOCAL_MACHINE\
     System\
     CurrentControlSet\
     Control\
     PwdProvider\
     MSNP32]
   "ChangePassword"=""

You can do this for the screen saver too (substitute SCRSAVE for MSNP32), but this disables the screen saver password entirely. That is, it will no longer prompt the user for a password at all.

To change the name of the "screen saver" password to reflect its new function as the windows networking login password:

REGEDIT4
   
   [HKEY_LOCAL_MACHINE\
     System\
     CurrentControlSet\
     Control\
     PwdProvider\
     SCRSAVE]
   "Description"="Microsoft Networking"

   [HKEY_LOCAL_MACHINE\
     System\
     CurrentControlSet\
     Control\
     PwdProvider\
     MSNP32]
   "Description"="**Do not change this password**"

10.21.4 Issues

You should be aware of the following issues:

• If you disable password caching, then there is no valid .PWL file, and the Windows password (used to decrypt .PWL files) is no longer relevant. Despite that, there is a bug in Windows 95 (KB Q172351) that lets Windows 95 users ``change'' their Windows password from the control panel.

  The simplest fix is to simply remove the password icon from the control panel.

• In win9x, the Change Screen Saver password through PASSWORD.CPL resets the UseMasterKey option of the ScreenSaver password provider in the registry back to hex:00,00,00,00, causing the screen saver to stop authenticating to the domain.

  Again, it's best to remove the password icon from the control panel.

• In Win98, when users changes their screen savers password directly (that is, not through the control panel), they:
  • Successfully change their passwords.
  • Get an error message: ``Incorrect password for Windows screen saver''.

    This error message is harmless (it is a `false positive').

  The new password will be effective for the screen saver after the user logs off then logs on again.

  This error message is caused by Windows 98 attempting to change the Windows password, despite the fact that password caching (and the related Windows password) is disabled. (This is documented in KB Q236881)

  We are not aware of any way to overcome this problem without re-enabling password caching (This is not recommended, since it is insecure and hard to support).

• The Windows 95/98/ME screen saver will prompt users for the password they typed to log into their workstation rather than their current network password. This has two important effects:
  • If a user was not required to enter a password at login (MustBeValidated above is set to 0), and that user logged in with no password, then the screen saver password will be blank.

  • If a user changed the password after logging in, then the screen saver password will still be the original workstation login password, rather than the new network password.

  To alter the screen saver so that it authenticates users against another password provider, copy the ProviderPath variable from that PWDPROVIDER registry hive (a sibling directory to SCRSAVE above) to the SCRSAVE directory's ProviderPath entry.

• If you disable password caching on Windows 9x clients, and you use Microsoft Outlook to access the Exchange server, Outlook will not be able to synchronize profiles. You can work around this using the PSCOPYPR utility. See Subsection HERE for more information.

10.21.5 Deployment

Read this subsection to learn how to:

• Make registry changes using the REGUTIL utility.
• Copy Microsoft Outlook profiles using the PSCOPYPR utility when password caching is disabled on a Windows 9x client.

10.21.5.1 Making registry changes:

Most of the registry changes detailed in Subsection HERE only take effect after the workstation has been restarted. Moreover, they should only be applied once, and a backup of the old registry keys that were changed should be kept.

P-Synch incorporates a utility called REGUTIL simplifying Windows 9x passwords which performs the following functions:

1. It checks whether it is being run on a Windows 95/98/ME workstation. If not, it exits.
2. It checks whether the above registry changes have already been made. If so, it exits.
3. If the changes have not yet been made, it:
   1. Makes a backup of the relevant registry keys.
   2. Makes the changes in the registry.
   3. Prompts the user to restart his/her workstation.

This utility can be added to a global network login script, in order to deploy these registry changes to an entire user population quickly, without visiting individual workstations.

The most common configuration is to:

• Disable password caching.
• Disable ghosting.
• Apply network login validation.
• Validate ScreenSaver to network.
• Allow users to change domain password from windows.

To get the above settings, run REGUTIL with the following arguments (on one line):

regutil [4]   -cachepw D -ghost D -domainlogin E -mustvalidate E -ssnetwork E

You may also include the [-noredundant E] option if you're running Windows 95, and you want to fix the error message when changing your screen saver password.

See Section HERE for more information about using the REGUTIL utility.

10.21.5.2 Copying Outlook profiles

If you use Microsoft Outlook to access the Exchange server, Outlook will not be able to synchronize profiles when you disable password caching.

P-Synch incorporates the PSCOPYPR utility, which can copy:

• All profiles on the local machine, with the same name as the orginal.
• Only the default profile on the, with the same name as the original.
• A specified profile with a new name.

This utility can be added to a global network login script, in order to copy profiles for an entire user population quickly, without visiting individual workstations. It creates a backup of the profile before copying it.

To synchronize all profiles, run PSCOPYPR with the following argument:

     pscopypr -all

See Section HERE for more information about using PSCOPYPR.