Password cache files accessible

Risk Level: Medium risk vulnerability  Medium

Check or Attack Name: nbsmbpwl
Platforms: Windows for Workgroups: 3.11, Windows 95
Description:

Windows 95, Windows for Workgroups, and DOS network clients cache passwords on the hard drive in files with the .PWL file extension. These password cache files are weakly encrypted and easily broken, and must not be accessible on a shared file system. In updated or patched versions of Windows 95, the encryption is stronger.
Remedy:

Turn off file sharing on the host if it is not needed, or restrict sharing to the parts of the drive that are necessary to be shared. Apply the latest service patches for your operating system.

Windows 95: Remove file and print sharing. To remove file and print sharing from Windows 95:

  1. Open the Network control panel.
  2. From Configuration, click File and Print Sharing.
  3. Disable 'I want to be able to give others access to my files.' and disable 'I want to be able to allow others to print to my printer(s).'
  4. Click OK and restart the computer. The Windows 95 machine no longer allows shares to exist or be created.

Windows NT: Perform the following actions:

Apply the latest Windows NT 4.0 Service Pack:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

—AND—

Remove unnecessary shares. Choose one of these options:

  • Remove the share from a local computer:
    1. From the local computer, open Windows NT Explorer.
    2. Navigate to the shared folder.
    3. Right-click the shared folder name and select Sharing to display the Properties dialog box.
    4. To disallow access to all users, select the Not Shared check box.
    5. Click OK.
  • Remove the share from a remote computer:
    1. From a remote computer, open the Server Manager.
    2. Select the host name from the list.
    3. From the Computer menu, select Shared Directories to display the Shared Directories dialog box.
    4. Select the NetBIOS share.
    5. Click Stop Sharing.
    6. Click OK.
  • Remove the share from the command line. From a command prompt, type: net share sharename /delete
References:

The NT Shop, Windows Client Password Caching Problems, http://www.ntsecurity.net/security/pswcache.htm
X-Force Logo
Know Your Risks