WFWG: Password Caching and How It Affects LAN Manager Security

Last reviewed: January 15, 1996
Article ID: Q92588
The information in this article applies to:
  • Microsoft Windows for Workgroups version 3.1

SUMMARY

Windows for Workgroups version 3.1 uses share-level security. As a result, when you type a password to start the network, the only purpose this serves is to provide access to the network from the workstation.

The access granted provides reconnection services to shares to which the workstation was previously connected. If these connections were password protected on a share-level basis, then these passwords were saved in a password cache and are only accessible if the correct password was entered when the network was started. You must type the correct password for a given user name, or the network does not start.

MORE INFORMATION

If an alternate user name is typed at the login prompt, then the reconnection services are still provided, but you are prompted to enter a password to any shares that are secured by one. If you do not know the share password, then you are not allowed to reconnect.

When using LAN Manager connectivity with Windows for Workgroups, user-level security is implemented for all LAN Manager servers. If there is a server available during logon, then it validates the user by checking for the correct user name and user-level password. If the user is not validated during logon, then any LAN Manager server that is set up to use user-level security validates the user name and user-level password before it allows connection. If you do not give the correct password, you can connect but only with guest privileges.

User-level security is implemented when a server is set up with restrictions that govern who can access the server. These restrictions, may include the time of day that the user has access to the server, the files and subdirectories the user may access, and the level of rights the user is granted (such as read, write, create, and delete).

Share-level security serves to restrict connections to a specified drive that has been set up as a share. Security is established by assigning a password to the drive. There are two levels of privileges that can be granted: read only and full access.

Windows for Workgroups has built-in functionality to store passwords to shares that are secured by a password. This feature is optional, and is only implemented when the user chooses to enter a password when starting the network. Null is a valid password and if used, the user is not prompted for the password. It is only implemented for LAN Manager logon if the user selects the check box that saves the password in the password cache.

If password caching is enabled, Windows for Workgroups saves the LAN Manager logon and user-level passwords in the cache so that the next time the user tries to log on or connect to a server the user is not prompted for the password. It is also possible to choose not to save an individual connection's password. Within File Manager this is done by clearing the option that saves the password in the password cache. Password saving can also be prevented when making the connection at the MS-DOS command prompt by using the SAVEPW:NO command. For example, type:

   net use \\server\share password \savepw:no

To disable password caching and prevent your PWL file from being accessed, add the following line to the [NETWORK] section of the System.ini file:

   PasswordCaching=no


KBCategory: kbnetwork kbusage
KBSubcategory: wfw wfwg
Additional reference words: 3.10


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: January 15, 1996
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.