In the last three articles in my series on stored passwords, I mainly discussed Windows-related passwords. Today, I will focus on saved Internet Explorer passwords.
The two types of saved Internet Explorer passwords
I already mentioned in my post about the Windows Vault that some saved Internet Explorer passwords can be managed with the Credential Manager. These are HTTP authentication passwords, that is, passwords that are used to authenticate against a Web server (Internet Information Server, Apache, etc.). Passwords that are used to log on to a Web site through an HTML form (the login page of a content management system, for example) are not stored in the Windows Vault.
You can easily tell these two authentication types apart. HTTP authentication always prompts a separate dialog window in Internet Explorer where you have to enter the credentials. HTML form authentication is usually integrated within the Web page itself. This also makes clear why these passwords are not stored in the Windows Vault.
Internet Explorer uses its auto-complete feature to manage passwords that you have to enter in HTML forms. The advantage is that you can use different accounts for a specific Web site. You just have to start typing the user name, and Internet Explorer will fill out the form fields for the user name and the password automatically.
Manually disable Internet Explorer saved passwords
As mentioned in my last posts, storing passwords always poses a risk, especially if you use functions integrated in Windows. If your organization values security above all, then you should consider disabling Internet Explorer saved passwords.
Users can turn off this feature themselves if they don’t want to be bothered by the AutoComplete feature. In Internet Explorer 8, you will find the AutoComplete settings in the Content Tab under Tools | Internet Options.
Disable Internet Explorer saved passwords with Group Policy
If you don’t trust your users in these matters, you might want to disable Internet Explorer saved passwords network-wide with Group Policy. The name of the GPO setting is “Turn on the auto-complete feature for user names and passwords on forms.” You can find it under User Configuration | Administrative Templates | Windows Components | Internet Explorer. You have to disable this setting if you want to disallow Internet Explorer saved passwords.
If you only want to stop new passwords from being saved while still allowing users to use credentials that were saved earlier, you can enable this GPO setting and leave the “Prompt me to save passwords” option unchecked.
Note that you can’t pre-configure these settings with Group Policy Preferences because the Content tab is missing there. Security-relevant settings like these should be enforced with policies, not preferences.
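To verify on a client how the policy described above actually resolves, here is an added PowerShell check (not part of the original article). It assumes the two REG_SZ values the policy writes, “FormSuggest Passwords” and “FormSuggest PW Ask”, which the article does not name; confirm them against your Inetres.admx before relying on the result.

```powershell
# Added example: report whether Internet Explorer may save form passwords for the
# current user, and whether that comes from an enforced policy or a user preference.
# Values under Software\Policies are written by the GPO and override the user's own.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
$UserKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-IEFormPasswordState {
    $state = [ordered]@{}
    foreach ($name in 'FormSuggest Passwords', 'FormSuggest PW Ask') {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $user   = (Get-ItemProperty -Path $UserKey   -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $policy) {
            $state[$name] = [pscustomobject]@{ Value = $policy; Source = 'Policy (enforced)' }
        } elseif ($null -ne $user) {
            $state[$name] = [pscustomobject]@{ Value = $user;   Source = 'User preference' }
        } else {
            # Assumed default when neither key sets the value: feature on, prompt on.
            $state[$name] = [pscustomobject]@{ Value = 'yes';   Source = 'Default (not set)' }
        }
    }
    return $state
}

$state = Get-IEFormPasswordState
$state.GetEnumerator() | ForEach-Object {
    '{0,-22} {1,-4} {2}' -f $_.Key, $_.Value.Value, $_.Value.Source
}

$save = $state['FormSuggest Passwords']
$ask  = $state['FormSuggest PW Ask']
if ($save.Value -eq 'no' -and $save.Source -like 'Policy*') {
    'COMPLIANT: form password storage is disabled by policy.'
} elseif ($save.Value -eq 'no') {
    'WARNING: disabled only as a user preference; the user can turn it back on.'
} elseif ($ask.Value -eq 'no') {
    'PARTIAL: existing saved passwords still work, but IE will not ask to save new ones.'
} else {
    'NON-COMPLIANT: Internet Explorer may still save form passwords.'
}
```

Run it in the user’s own session (a logon script, for instance), since both keys live under HKEY_CURRENT_USER.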
Delete saved Internet Explorer passwords
Notice that disabling saved Internet Explorer passwords won’t delete the passwords. If you change the GPO setting to “not configured” again, then users will be able to use their old stored passwords. Users can delete saved Internet Explorer passwords at the General tab in Internet Options by deleting the corresponding Browsing History.
Saved Internet Explorer passwords storage location
If you don’t want to rely on your users, then you can delete all saved Internet Explorer passwords with a script. Windows stores the Internet Explorer passwords in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms.
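The following is an added PowerShell script (not the article’s own) that backs up and then removes the stored data below the IntelliForms key named above. It assumes that the Storage2 subkey holds the form credentials on Internet Explorer 7 and later; the article only names the parent key, so verify that on your build first.

```powershell
# Added example: remove saved Internet Explorer form passwords for the current user.
# Run it in the user's own session (e.g. a logon script) while Internet Explorer is closed,
# because the data lives under HKEY_CURRENT_USER.
function Clear-IEFormPasswords {
    param([switch]$All)   # -All also wipes Storage1, i.e. plain form-field history

    $key    = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms'
    $regKey = 'HKCU\Software\Microsoft\Internet Explorer\IntelliForms'
    if (-not (Test-Path $key)) { return 'Nothing stored for this user.' }

    # 1. Export first so a mistaken run can be rolled back with "reg import".
    #    The .reg file still contains the encrypted credential blobs, so treat it as
    #    sensitive and delete it once the change has been verified.
    $backup = Join-Path $env:TEMP ('IntelliForms-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    reg export $regKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was deleted.' }

    # 2. Remove the storage subkey(s). Storage2 is assumed to hold the form credentials;
    #    the IntelliForms key itself stays, so Internet Explorer just sees an empty store.
    if ($All) { $targets = @(Get-ChildItem -Path $key) }
    else      { $targets = @(Get-Item -Path "$key\Storage2" -ErrorAction SilentlyContinue) }
    foreach ($t in $targets) { Remove-Item -Path $t.PSPath -Recurse -Force }

    'Removed {0} subkey(s); backup written to {1}' -f $targets.Count, $backup
}

Clear-IEFormPasswords
```

Combine this with the GPO setting from the previous section: the script clears what is already stored, the policy prevents anything new from being saved.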
Recover saved Internet Explorer passwords
Of course, the Internet Explorer passwords are encrypted in the Registry. However, it is not a big deal to recover these passwords with third-party tools. This can be useful if a user forgot the password and can’t log on after you disabled Internet Explorer saved passwords. A good free tool to recover saved Internet Explorer passwords is IE PassView. Of course, you can’t recover the passwords with this tool if you already deleted the stored passwords in the Registry.