Disallow Password Save in VPN Client not honored
-
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Disallow Password Save in VPN Client not honored
I'm using SoftEther VPN Server 4.19 build 9599 64 bit on Windows 2012 server. SoftEther VPN Client can save the password. I cannot force it not to save the password and to prompt for it at connection time (it is a big security risk for notebook and mobile clients).
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Disallow Password Save in VPN Client not honored
Could you explain in more detail?
-
- Posts: 2
- Joined: Mon Apr 18, 2016 8:19 am
Re: Disallow Password Save in VPN Client not honored
Think of home users who install the VPN client on their own private PC to access work from home. Those PCs aren't protected by hard drive encryption. It's even worse: they aren't protected by any password at all. (And even if the account has a password, resetting it is easy.)
At the same time, the SoftEther VPN Client permits saving the password to simplify the connection establishment.
What will happen if this PC gets stolen? The thief will not only gain access to the local files, but most probably to the remote ones too, because both the VPN username and password are saved, and the server-side authentication uses NT domain or RADIUS authentication (IMHO quite a common and practical option to use). This means that the thief will get access not only to the network, but also to the servers.
OK, the password isn't in plain text inside the config file, it is only obfuscated. But because of this, it is possible to transform it back into plain text.
It would be good if a few additional config options were available:
1. to disable password saving in client
2. to request client connection config verification in server
This implies sending the connection configuration (or a hash of it) from the client to the server and verifying it on the server side.
-
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Re: Disallow Password Save in VPN Client not honored
krs tells you about some important cases. The problem is that SoftEther VPN Server has an option for this in the security policy, and we set it in the Group Security Policy, but on the client side it is still allowed to save the password, with no respect for the server-side configuration.
see in attach
Best Regards
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Disallow Password Save in VPN Client not honored
It seems the policy is applied only to standard password auth.
Did you use another auth method?
-
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Re: Disallow Password Save in VPN Client not honored
Yes, Active Directory auth