This document was generated from CDN thread
Created by: Erik Lauterbach on 21-04-2009 08:33:50 PM
TSP stores the username AND password information encrypted in registry. So I'm not able to change the log in settings for the TSP from remote. But the user cannot configure the TSP because of this is only possible for admin users. Why is the username encrypted? It is not a secret information at all.... I found out there is a dll called encryptpassword.dll in "bin" directory inside the TSP install folder. I got the functions via Dependency Walker: They are called AddUserNameToReg and PasswordEncrypt (if I remember right) but I cannot get the function parameters and return values. I tried it with trial and error but with no success. Does anyone know a solution???
Subject: RE: Encrypted Username
Replied by: David Staudt on 21-04-2009 09:25:39 PM
Officially speaking, updating the TAPI user/password is not supported. Upcoming releases are roadmapped to include remote silent-install functionality which should accomplish what you need, including provisioning username/password.
Subject: RE: Encrypted Username
Replied by: Erik Lauterbach on 22-04-2009 06:49:00 AM
But what is the cause of not supporting it? Storing an encrypted password is ok but why are they encrypting the username, too? It could be so easy to admins, but isn't atm.
Quote: "Upcoming releases are roadmapped to include remote silent-install functionality which should accomplish what you need, including provisioning username/password."
Do you mean we could set the username/pw with an msi option while install? So username is not changable after installation again. If a user changes his working PC we then have to reinstall the TSP with new user credentials? This won't help.
Subject: RE: Encrypted Username
Replied by: David Staudt on 22-04-2009 01:48:32 PM
What I've gathered of the reasoning is:
-TAPI is a system-wide Windows service, and modifying the TSP credentials effects all users on the system - consider a Terminal Services type multi-user scenario. This means TAPI user credential configuration should be an admin-level task.
- Storing user credentials in the registry in plain-text would not be a good idea. Encrypting the username is possibly not quite as necessary, but updating a plain-text username isn't much use without the password
- Providing and documenting the encryptian algorhythm greatly reduces the effective security of the encryptian scheme, enabling easy brute-force attacks, etc.
The intention of the remote/silent-install enhancements in the future is to enable remote admin/policy services to mass install/upgrade and update (username/password) the TSP without user intervention. What is your use-case, and what specifically do you need to accomplish it?
Subject: RE: Encrypted Username
Replied by: Erik Lauterbach on 27-04-2009 06:58:09 PM
Ok, that's quiet clear. Passwords should stay secure.... but even íf not, the TSP registry settings are stored in HKLM so it IS already an admin task!
Our scenario is exactly what you consider in the next release - to be able to update/change the user credentials. Think about a computer where multiple users have access and all should work with their own telephone settings/number. Or think about a person which is changing working place from one computer to another so two machines have to be reconfigured. This should be able from remote! Atm this is not possible.
Btw I found out the username is stored binary in an REG_SZ key, character after character with three 00 between each char and seven 00 at the end. There is no real encryption in use
Created by: Erik Lauterbach on 21-04-2009 08:33:50 PM
TSP stores the username AND password information encrypted in registry. So I'm not able to change the log in settings for the TSP from remote. But the user cannot configure the TSP because of this is only possible for admin users. Why is the username encrypted? It is not a secret information at all.... I found out there is a dll called encryptpassword.dll in "bin" directory inside the TSP install folder. I got the functions via Dependency Walker: They are called AddUserNameToReg and PasswordEncrypt (if I remember right) but I cannot get the function parameters and return values. I tried it with trial and error but with no success. Does anyone know a solution???
Subject: RE: Encrypted Username
Replied by: David Staudt on 21-04-2009 09:25:39 PM
Officially speaking, updating the TAPI user/password is not supported. Upcoming releases are roadmapped to include remote silent-install functionality which should accomplish what you need, including provisioning username/password.
Subject: RE: Encrypted Username
Replied by: Erik Lauterbach on 22-04-2009 06:49:00 AM
But what is the cause of not supporting it? Storing an encrypted password is ok but why are they encrypting the username, too? It could be so easy to admins, but isn't atm.
Quote: "Upcoming releases are roadmapped to include remote silent-install functionality which should accomplish what you need, including provisioning username/password."
Do you mean we could set the username/pw with an msi option while install? So username is not changable after installation again. If a user changes his working PC we then have to reinstall the TSP with new user credentials? This won't help.
Subject: RE: Encrypted Username
Replied by: David Staudt on 22-04-2009 01:48:32 PM
What I've gathered of the reasoning is:
-TAPI is a system-wide Windows service, and modifying the TSP credentials effects all users on the system - consider a Terminal Services type multi-user scenario. This means TAPI user credential configuration should be an admin-level task.
- Storing user credentials in the registry in plain-text would not be a good idea. Encrypting the username is possibly not quite as necessary, but updating a plain-text username isn't much use without the password
- Providing and documenting the encryptian algorhythm greatly reduces the effective security of the encryptian scheme, enabling easy brute-force attacks, etc.
The intention of the remote/silent-install enhancements in the future is to enable remote admin/policy services to mass install/upgrade and update (username/password) the TSP without user intervention. What is your use-case, and what specifically do you need to accomplish it?
Subject: RE: Encrypted Username
Replied by: Erik Lauterbach on 27-04-2009 06:58:09 PM
Ok, that's quiet clear. Passwords should stay secure.... but even íf not, the TSP registry settings are stored in HKLM so it IS already an admin task!
Our scenario is exactly what you consider in the next release - to be able to update/change the user credentials. Think about a computer where multiple users have access and all should work with their own telephone settings/number. Or think about a person which is changing working place from one computer to another so two machines have to be reconfigured. This should be able from remote! Atm this is not possible.
Btw I found out the username is stored binary in an REG_SZ key, character after character with three 00 between each char and seven 00 at the end. There is no real encryption in use