PWL Files Question

Just a quick question:

I have a network of Win98 clients connecting to a Win2k server. The way it is now, I have it setup so that there is a batch file on each client which runs automatically at startup. This does a 'net use' to connect to the user's personal drive and the network 'common' drive. To use this batch file the user has to enter their username in the 'Microsoft Networking Logon' box without a password. They then enter their password when the batch file prompts them ('The password for \\server\whatever is incorrect...). The main reason for setting it up like this was because if the user entered the password into the MS Networking box at the start, this password is saved in the PWL file and used to connect to the shares automatically.

The lack of security here is that the SAM on a Win2k box is harder to crack than a PWL file. It would be preferable to have all the passwords stored solely on the server, rather than in the PWL files on each client where it would take 5 seconds to figure the passwords out.

I tried write-protecting the PWL files when they had no passwords in them, but when one logs in again with a username which has been assigned to one of these PWL files, a new PWL file is created e.g. old user = 'smithb.pwl', new user = 'smith000.pwl'.

What I want to know, is if there is any way to lock PWL files from saving passwords, and simply use them for username purposes.

There may be a *very* simply answer to this, but if there is I'm not sure what it is. Any help would be greatly appreciated :)

Just a quick question:

I have a network of Win98 clients connecting to a Win2k server. The way it is now, I have it setup so that there is a batch file on each client which runs automatically at startup. This does a 'net use' to connect to the user's personal drive and the network 'common' drive. To use this batch file the user has to enter their username in the 'Microsoft Networking Logon' box without a password. They then enter their password when the batch file prompts them ('The password for \\server\whatever is incorrect...). The main reason for setting it up like this was because if the user entered the password into the MS Networking box at the start, this password is saved in the PWL file and used to connect to the shares automatically.

The lack of security here is that the SAM on a Win2k box is harder to crack than a PWL file. It would be preferable to have all the passwords stored solely on the server, rather than in the PWL files on each client where it would take 5 seconds to figure the passwords out.

I tried write-protecting the PWL files when they had no passwords in them, but when one logs in again with a username which has been assigned to one of these PWL files, a new PWL file is created e.g. old user = 'smithb.pwl', new user = 'smith000.pwl'.

What I want to know, is if there is any way to lock PWL files from saving passwords, and simply use them for username purposes.

There may be a *very* simply answer to this, but if there is I'm not sure what it is. Any help would be greatly appreciated :)

Disable the password caching by your client boxes. You can do this using a tool called Cain 2.0 or you can manualy edit the registry. After disabling the password caching just delete all the pwl files and they will not be created again.

Here's how it can be done:
add this key to the registry:

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Network\DisablePwdCaching =1

This document from sans explains it better: http://rr.sans.org/win/PWL.php

Disable the password caching by your client boxes. You can do this using a tool called Cain 2.0 or you can manualy edit the registry. After disabling the password caching just delete all the pwl files and they will not be created again.

Here's how it can be done:
add this key to the registry:

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Network\DisablePwdCaching =1

This document from sans explains it better: http://rr.sans.org/win/PWL.php