QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Randomize Windows passwords at every boot #7687

Open DemiMarie opened 2 years ago

DemiMarie commented 2 years ago

The problem you're addressing (if any)

Windows relies all over the place on user passwords being high-entropy secrets. This fails to hold in Qubes OS.

The solution you'd like

Windows qubes, other than StandaloneVMs, should have passwords for all user and service accounts set to random values at boot or disabled. Windows should be set to automatically log in the standard Qubes user locally without a password having to be provided.

The value to a user, and who that user might be

All users who use Windows VMs will have better security.

GWeck commented 2 years ago

This is especially important for some versions of Windows - not sure which ones - because they may store the password in cleartext in the registry (value DefaultPassword in key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).
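The following PowerShell script is an added example of what the proposal above asks for, and of the registry check GWeck describes; it is not code from the Qubes OS project or from the issue. It assumes the standard Qubes user account is named `user` (the issue does not name it), that it runs elevated from a startup task at every boot of the Windows qube, and that Set-LocalUser accepts an empty SecureString to blank a password (treated here as an assumption). Every other local account gets a fresh CSPRNG-derived password, or is disabled with `-DisableOthers`, the Qubes user is set to log on automatically without a password, and the Winlogon key is checked for a cleartext `DefaultPassword` value.

```powershell
#Requires -RunAsAdministrator
# Added example, not Qubes OS or Qubes Windows Tools code.
# Run at each boot of a non-standalone Windows qube.
param(
    [string]$AutologonUser = 'user',   # assumed name of the standard Qubes user
    [switch]$DisableOthers             # disable other accounts instead of randomizing them
)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, Base64-encoded: about 256 bits of entropy,
    # which makes the resulting (unsalted) NT hash useless to a brute-forcer.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($buf)
}

function Reset-OtherLocalAccounts {
    # Every local account except $Keep is either disabled or given a password
    # that exists only in this process and is never written anywhere.
    param([string]$Keep, [switch]$Disable)
    foreach ($u in Get-LocalUser) {
        if ($u.Name -ieq $Keep) { continue }
        if ($Disable) {
            Disable-LocalUser -Name $u.Name
            Write-Verbose "Disabled $($u.Name)"
            continue
        }
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-LocalUser -Name $u.Name -Password $pw
        Write-Verbose "Randomized password of $($u.Name)"
    }
}

function Set-PasswordlessAutologon {
    # Autologon for an account with an empty password: no DefaultPassword value
    # is written, so no secret lands in the registry. Windows permits console
    # logon with a blank password by default (LimitBlankPasswordUse only blocks
    # network logons). Blanking via an empty SecureString is assumed to work.
    param([string]$User)
    $empty = New-Object System.Security.SecureString
    Set-LocalUser -Name $User -Password $empty -PasswordNeverExpires $true
    Enable-LocalUser -Name $User
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'   -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $User -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $env:COMPUTERNAME -Type String
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}

function Test-WinlogonCleartextPassword {
    # The value GWeck points at: a DefaultPassword string under Winlogon is the
    # autologon password stored in the clear. (Sysinternals Autologon keeps it
    # as an LSA secret instead, which this check deliberately does not cover.)
    $v = Get-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.DefaultPassword) {
        Write-Warning "Cleartext DefaultPassword present under $Winlogon"
        return $true
    }
    return $false
}

Reset-OtherLocalAccounts -Keep $AutologonUser -Disable:$DisableOthers
Set-PasswordlessAutologon -User $AutologonUser
if (Test-WinlogonCleartextPassword) { exit 1 }
```

Note that the loop also hits the built-in accounts (Administrator, Guest, DefaultAccount, WDAGUtilityAccount); accounts that were already disabled stay disabled but still get a new password, so a later re-enable does not revive an old credential. After this runs, the only interactive path into the qube is the autologon user, which is the point: administrative access must come through the Qubes tooling rather than through a remembered local password.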

DemiMarie commented 2 years ago

Even the ones that do not store the MD4 hash of the password, which is both equivalent to the password and very easy to brute-force.

GWeck commented 2 years ago

Microsoft never even heard of salting the password hash or of better algorithms. And this for a system that was derived from OpenVMS which did it right more than 10 years before. Shame on them!

DemiMarie commented 2 years ago

@GWeck Microsoft’s current recommendation is that individuals should log in via Microsoft accounts (which do use a better algorithm) and that domains should either use Windows Hello for Business or smart cards. Of those, I consider smart cards to be the only reasonable option.

Part of the problem is likely backwards compatibility, but another part of it might be Microsoft trying to push everything to Azure.

GWeck commented 2 years ago

According to the German security standard IT-Grundschutz, the use of a Microsoft account is explicitly forbidden:

SYS.2.2.3.A6 Integration of Online Accounts into the Operating System [User] (B)
Logging into the system and domain MUST ONLY be possible using an account of a self-operated directory service. The ability to log in using local accounts SHOULD be reserved for administrators. Online login accounts (e.g. Microsoft accounts or accounts from other providers of identity management systems) MUST NOT be used because doing so transmits personal data to the systems of the manufacturer.

From a European point of view, this makes sense, as the transfer of personal data into a country that does not adhere to the GDPR is forbidden as long as there is no contractual agreement that the external partner obeys the GDPR. Currently, for a US firm like Microsoft, this is not possible due to the CLOUD Act and several other laws. This is a long-standing legal battle, the outcome of which is more than unclear.

The use of services like Windows Hello probably falls into the same trap. So, as you say, smart cards are the only viable option, but sadly there is no widespread usage in the Windows world. That's a pity, as they have been supported since Windows 2000.