For years users have wanted to save time and effort when accessing servers on the network, Web sites requiring credentials, etc. So, there have been options in the operating system to save usernames and passwords for faster and easier access. I am sure you have seen this, either in a prompt or a check box, asking you to save the password. In Windows you have the ability to store the credentials for resources that you access often, or just don't want to have to remember the password. Although this is a time saving option, you might want to reconsider using this feature due to security issues.
Where Can I Find This Feature?
This feature started around Windows XP and has evolved since that time. The evolution is in the name and features that are provided for the feature. In Windows XP the feature was called Stored User Names and Passwords. You could access this feature from the Advanced tab within the User Accounts dialog box. On the Advanced tab you will click on the Manage Passwords button to access the Stored User Names and Passwords interface.
Windows 7 changes this slightly as there is now a different interface, different name for the feature, etc. Also, passwords are stored in a different way in Windows 7, which is in a vault. To access these stored credentials, or to store a credential yourself, you can go to the User Accounts snap-in in Control Panel, then select the Manage your credentials option on the left panel, as shown in Figure 1.
Figure 1: Manage My Credentials within User Accounts snap-in
In essence, this opens up the Credential Manager, which can also be run from the Start Search text box when clicking on the Start button. When you store credentials on a Windows 7 computer, they are stored in C:\Users\UserName\AppData\Roaming\Microsoft\Credentials. The files that store the credentials are encrypted, so that is at least a benefit!
Note here that ALL credentials that are created in the Credential Manager create a file in the Credentials folder under the user profile listed above. However, when credentials are input for Windows Credentials, they are also stored in C:\Users\UserName\AppData\Local\Microsoft\Vault.
Windows Vault Command
In order to access the Vault of passwords on a Windows 7 (and Windows Server 2008 R2) computer, you can use the vaultcmd.exe command from a command prompt. This tool allows you to manage the credentials that are in the vault and even create new ones. You can see the list of switches that are available for vaultcmd in Figure 2.
Figure 2: Vaultcmd command and switches.
If we put these commands to use, you can see how the credentials are stored and accessed. In our example, we are going to store credentials logged on as a user named xpuser. Xpuser is a domain user in the beyondtrust.demo domain. This user has already stored credentials for a domain controller named server1. The credentials that this user has stored are for a domain user (which happens to be a domain administrator) named Derek.
To see the credentials of the currently logged on user you can run the set command with the username switch, which can be seen in Figure 3.
Figure 3: Currently logged on user using set command.
Using the vaultcmd command, we can see the credentials that this user has already saved. This is accomplished by using the list switch, which can be seen in Figure 4.
Figure 4: Vaultcmd command using the list switch.
You can then view the contents of each vault by using the listproperties switch, followed by the listcreds switch to see the credentials within each vault. Both can be seen in Figure 5.
Figure 5: Vaultcmd command using both the listproperties and listcreds switches.
As you can see from all of these commands using vaultcmd, the contents of the vaults can be easy to access. Again, notice that the passwords are not displayed, but these "alternate credentials" can be leveraged by anyone that can gain access to this computer with the user xpuser logged in.
Reasons to Not Use This Feature
We have seen how the vault stores the credentials and how the vaultcmd command can access these credentials and information about them. However, is this feature safe to use? Consider the following scenario.
Xpuser has stored credentials on his Windows 7 computer for when he needs to access Server1, which is a domain controller. The credentials saved using Credential Manager are for Derek, which Derek is a domain administrator. If xpuser ever leaves the computer, in this case named xpclient, unlocked, anyone that walks up to xpclient can access Server1 as a domain administrator also.
In our scenario, which is what we exposed using vaultcmd above, you can clearly see that this can be an issue. To prove this, let's look closer at our scenario. Our user, xpuser, has logged in and walked away from the computer. Another user, Betty, walks up to xpclient, with xpuser logged in, and attempts to make a connection to server1. You can see in Figure 6 that this connection is easily made.
Figure 6: Connection to server1 with xpuser logged in, but credentials saved to server1.
As you can see, with just the user logged in and the credentials saved, the would be attacker can gather all the info they need with vaultcmd and then exploit the computer that has the saved credentials.
Credential Manager and the ability to save credentials to a Windows 7 computer is powerful, but possibly a huge exploit. Often the users that will be using this feature are not within the IT group, but they certainly could be causing a significant security hole within your organization. Even if the user is not in the IT group, but might be in finance, HR, or an executive, the fact that credentials are saved to the computer becomes an issue as described in this article. For years users have wanted ways to have their username and password saved to the computer or in some way that they are not responsible for typing in their credentials each time. However, there are obvious risks to this feature, which need to be weighed in the environment they are being saved. For corporations, saving credentials is not a good idea due to the exposure of the desktops and the fact users can't be trusted to not lock their computer when they walk away from it.