Disallow Password Save in VPN Client not honored

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Disallow Password Save in VPN Client not honored

Post by roxy » Fri Mar 25, 2016 1:58 pm

I'm using SoftEther VPN Server 4,19 build 9599 64-bit on Windows 2012 server. SoftEther VPN Client can save the password. I cannot force it not to save the password and to require entering it at connection time (it is a big security risk for notebook and mobile clients).

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Disallow Password Save in VPN Client not honored

Post by thisjun » Fri Apr 15, 2016 8:21 am

Could you explain in more detail?

krs
Posts: 2
Joined: Mon Apr 18, 2016 8:19 am

Re: Disallow Password Save in VPN Client not honored

Post by krs » Mon Apr 18, 2016 8:58 am

Think of home users who install the VPN client on their own private PCs to access work from home. Those PCs aren't protected by hard drive encryption. It's even worse: they aren't protected at all by any password. (And even if the account has a password, resetting it is easy.)
At the same time, the SoftEther VPN Client permits saving the password to simplify connection establishment.

What will happen if this PC gets stolen? The thief will not only gain access to the local files, but most probably to the remote ones too, because both the VPN username and password are saved, and the server-side authentication uses NT domain or RADIUS authentication (IMHO quite a common and practical option to use). This means that the thief will get access not only to the network, but also to the servers.
OK, the password isn't in plain text inside the config file; it is only obfuscated. But because of this, it is possible to transform it back into plain text.

It would be good if a few additional config options were available:
1. to disable password saving in the client
2. to request client connection config verification on the server

This implies sending the connection configuration (or a hash of it) from the client to the server, and server-side verification.

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Re: Disallow Password Save in VPN Client not honored

Post by roxy » Mon Apr 18, 2016 2:05 pm

krs told you about some important cases. The problem is that SoftEther VPN Server has an option for this in the security policy, and we set it in the Group Security Policy, but the client side is allowed to save the password, with no respect for the server-side configuration.

See the attachment.

Best Regards

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Disallow Password Save in VPN Client not honored

Post by thisjun » Tue May 10, 2016 7:10 am

It seems the policy is applied only to standard password auth.
Did you use another auth method?

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Re: Disallow Password Save in VPN Client not honored

Post by roxy » Tue May 24, 2016 10:58 am

Yes, Active Directory auth
