RRAS caches security credentials when using Dial-up Networking client

Risk Level: Medium

Check or Attack Name: RRASPasswordFix

Platforms: Windows NT: 4.0 SP4

Description:

When Routing and Remote Access Service (RRAS) is installed on a computer and the Dial-Up Networking (DUN) client is used to connect to a server, the connection dialog box asks for the user name and password for that server. The same dialog box contains a Save Password check box, which is intended to let the user choose whether those credentials are cached. The client as implemented, however, caches the user's credentials regardless of whether the check box is selected.

Caching credentials on a computer is poor security practice in general: anyone who obtains the cache, or who has access to the machine that holds it, can recover the credentials or simply use the pre-filled connection to reach the remote server without ever being prompted to authenticate. In this case the user cannot opt out of the caching and may believe that nothing has been saved.

Remedy:

Windows NT 4.0 Service Pack 5 (SP5) users, apply the post-SP5 RRASPassword-fix update:

  1. Open a web browser.
  2. Go to ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/RRASPassword-fix/.
  3. View the readme.txt for versions and install instructions.
  4. Download the appropriate patch for your operating environment.
  5. Find the patch file you downloaded to your computer.
  6. Double-click its icon to start the installation.
  7. Follow the installation directions.
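Once the update is installed, an administrator or a vulnerability scanner needs a way to confirm that it is actually present on a host. The following Python script is an added example, not part of the advisory and not a description of how the X-Force RRASPasswordFix check itself works. It parses a registry dump in the format that `reg query ... /s` prints and reports whether the hotfix is registered. It assumes that the NT 4.0 hotfix installer records the update under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q233303` with an `Installed` DWORD; that key path, the `Installed` value and the sample dump are assumptions constructed for the example, not taken from the page.

```python
import re

# Constructed sample of what `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix" /s`
# might print on an NT 4.0 host. Registration of hotfixes under this key with an
# "Installed" DWORD is an ASSUMED convention of the NT 4.0 hotfix installer; the
# advisory itself does not describe it, and the Q147222 entry is filler.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q147222
    Installed    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q233303
    Installed    REG_DWORD    0x1
    Comments     REG_SZ       DUN Credentials Cached When Save Password Not Selected with RRAS
"""

# A key line starts at column 0 and ends with the article number (Qnnnnnn).
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\(Q\d+)\s*$",
    re.IGNORECASE,
)
# A value line is indented: <name> <REG_type> <data>.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_hotfixes(dump):
    """Return {article: {value_name_lower: (reg_type, data)}} from reg query output."""
    hotfixes = {}
    current = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        key = KEY_RE.match(raw)
        if key:
            current = key.group(1).upper()
            hotfixes[current] = {}
            continue
        value = VALUE_RE.match(raw)
        if value and current is not None:
            name, reg_type, data = value.groups()
            hotfixes[current][name.lower()] = (reg_type, data)
    return hotfixes


def hotfix_installed(hotfixes, article="Q233303"):
    """True only if the article key exists and its Installed DWORD is non-zero.

    A key left behind by an uninstall (Installed = 0x0), a missing Installed
    value, or a value of the wrong type is all treated as "not installed" so
    the check errs on the side of reporting the host as vulnerable.
    """
    values = hotfixes.get(article.upper())
    if not values:
        return False
    reg_type, data = values.get("installed", ("REG_DWORD", "0x0"))
    if reg_type.upper() != "REG_DWORD":
        return False
    try:
        return int(data, 16) != 0
    except ValueError:
        return False


if __name__ == "__main__":
    found = parse_hotfixes(SAMPLE_REG_DUMP)
    print("registered hotfixes:", sorted(found))
    verdict = "fixed" if hotfix_installed(found) else "vulnerable"
    print("RRASPasswordFix (Q233303):", verdict)
```

On a real host the dump would be collected with reg.exe (or the remote registry) and fed to `parse_hotfixes`; treating a stale key with `Installed = 0x0` as not installed matters because removing a hotfix does not necessarily remove its key.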

References:

Microsoft Knowledge Base Article Q233303, DUN Credentials Cached When Save Password Not Selected with RRAS, http://support.microsoft.com/support/kb/articles/q233/3/03.asp
