multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

"Normal", non admin users can access HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978} #81

Closed lisbkooklyn closed 1 year ago

lisbkooklyn commented 1 year ago

"Normal", non-admin users can access HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978} and look for the "excluded_account" key. This reduces the security of this project. Removing the "users" group from the access list fixes the problem and does not break anything.

multiOTP commented 1 year ago

Hello lisbkooklyn,

Read access to HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978} is needed for some features, like the CredUI (RunAs) feature. "excluded_account" is a "legacy" key that can easily be superseded by the "without2fa" feature. If you want to exclude some accounts from 2FA without using "excluded_account", you can give these accounts a "without2fa" token, which will not ask for a 2FA, and this information will not be available in the registry.

Regards,
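An audit check for the exposure discussed above, added here as an example and not part of the multiOTP project or of either commenter's post: it lists the non-administrative principals allowed to read the provider's CLSID key and reports whether the legacy "excluded_account" entry is still populated, without printing its content. The function name is hypothetical, and reading "excluded_account" as a value (or subkey) of that key is an assumption.

```powershell
# Added audit example; not multiOTP project code.
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}'

# Well-known SIDs treated as privileged (SIDs are locale-independent).
$PrivilegedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Access bits that allow reading values: QueryValues, GENERIC_READ, GENERIC_ALL.
$ReadMask = [int][System.Security.AccessControl.RegistryRights]::QueryValues -bor
            -2147483648 -bor 268435456   # 0x80000000, 0x10000000

function Get-MultiOtpKeyExposure {       # hypothetical helper name
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Key not found: $Path" }

    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $readers = @(foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }  # not applied to this key
        if (([int]$rule.RegistryRights -band $ReadMask) -eq 0) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $rule.IdentityReference.Value }   # unresolvable account
        if ($PrivilegedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $rule.IdentityReference.Value
                Sid       = $sid
                Inherited = $rule.IsInherited
            }
        }
    })

    # Assumption: "excluded_account" is a value of this key; a subkey is checked too.
    $prop = (Get-ItemProperty -LiteralPath $Path).PSObject.Properties['excluded_account']
    $set  = ($null -ne $prop -and -not [string]::IsNullOrWhiteSpace([string]$prop.Value)) -or
            (Test-Path -LiteralPath (Join-Path $Path 'excluded_account'))

    [pscustomobject]@{
        NonAdminReaders    = $readers
        ExcludedAccountSet = $set    # presence only; the content is never printed
        Finding            = ($readers.Count -gt 0 -and $set)
    }
}

Get-MultiOtpKeyExposure | Format-List
```

A result with `Finding = True` means the legacy entry is readable by the listed principals; per the maintainer's reply, moving those accounts to a "without2fa" token keeps the information out of the registry while leaving the read access that CredUI needs.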

lisbkooklyn commented 1 year ago

Thank you for the quick reply. Amazing project. Donated some money and will ask other people who will use this project to do the same.

multiOTP commented 1 year ago

Hello lisbkooklyn, Thanks for your feedback and your donation. Regards,