onSec-fr / Keepass-Enhanced-Security-Configuration

Make your keepass 2.x more secure.

Three questions on designed choices which IMHO reduce security posture of these settings #3

Open zxcvxzcv-johndoe opened 2 weeks ago

zxcvxzcv-johndoe commented 2 weeks ago

Hello,

I have three questions:

  1. Why does this disable the KeePass update check at startup?
  2. Why doesn't this uncheck "Remember master password (in encrypted form) of a database while it's open"?
  3. Is this designed for people who only have one Windows account which is a local administrator? Wouldn't it make more sense to remove NTFS permission inheritance (and modify the permissions) on KeePass.config.enforced.xml instead of making your account the owner of the C:\Program Files\KeePass Password Safe 2 folder? That would make sure your normal (non-admin) account cannot edit KeePass.config.enforced.xml and remove those protections.
onSec-fr commented 1 week ago

Hello,

Thanks for your comments about this project.

  1. I've chosen to disable automatic updates in case the official sources are corrupted. We've already seen this happen on some community projects. If we're looking for maximum security, we need to audit and validate a healthy version, and then keep control over all future modifications. Of course, this means that the user or organization becomes responsible for making updates themselves when a new vulnerability is discovered, for example.

  2. I've never paid much attention to this parameter. I'm not sure whether it would protect against certain forms of attack. It could also make certain functionalities unavailable: https://sourceforge.net/p/keepass/discussion/329220/thread/62b0b650/#4f0f. It could be added to the configuration file like this: <RememberWhileOpen>false</RememberWhileOpen>. Have you been able to test this setting and see if it is indeed effective? If not, I'll try to take some time to play with it. Anyway, thanks for the input!

  3. Depending on the configuration of the machine and the user account, modifying ACLs is not always effective. Indeed, by default, only administrators can modify the contents of C:\Programs, but not necessarily if KeePass is installed in another location. In any case, I consider that if the attacker has compromised the user's workstation, he will be able to attack KeePass in one way or another. We can only reduce the attack surface :-) In a corporate environment, it might be a good idea to harden the ACLs of the enforced file with only certain administrator groups (but not local users or admins).
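
An added example of the ACL hardening discussed in point 3 (this is not code from the repository or from either commenter): it strips inheritance from KeePass.config.enforced.xml, grants modify rights only to SYSTEM and one chosen administrator group, leaves ordinary users read-only so KeePass can still load the file, sets the owner to that group, and then re-reads the DACL to flag any remaining write access. The install path is the default one mentioned in the thread and the group name is a placeholder; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the onSec-fr repository.
# Assumptions: default KeePass install path; $AdminGroup is a placeholder
# (e.g. a dedicated 'CORP\KeePass-Admins' group in a domain).
param(
    [string]$EnforcedConfig = 'C:\Program Files\KeePass Password Safe 2\KeePass.config.enforced.xml',
    [string]$AdminGroup     = 'BUILTIN\Administrators'
)

if (-not (Test-Path -LiteralPath $EnforcedConfig)) {
    throw "Enforced config not found: $EnforcedConfig"
}

$acl = Get-Acl -LiteralPath $EnforcedConfig

# Stop inheriting from the parent folder; do not copy the inherited ACEs down.
# (isProtected = $true, preserveInheritance = $false)
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs so the result is exactly the set granted below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}

$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($grant in @(
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = $full },
    @{ Id = $AdminGroup;           Rights = $full },
    @{ Id = 'BUILTIN\Users';       Rights = $read }   # read-only: users cannot edit enforced settings
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant.Id, $grant.Rights, $allow)))
}

# The owner can always rewrite the DACL, so it must not be the daily-use account.
$acl.SetOwner([System.Security.Principal.NTAccount]$AdminGroup)

Set-Acl -LiteralPath $EnforcedConfig -AclObject $acl

# Verification: warn about any ACE that still grants write-class rights to anyone else.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$trusted   = @('NT AUTHORITY\SYSTEM', $AdminGroup)
(Get-Acl -LiteralPath $EnforcedConfig).Access |
    Where-Object { (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and ($_.IdentityReference.Value -notin $trusted) } |
    ForEach-Object { Write-Warning "Unexpected write access: $($_.IdentityReference) -> $($_.FileSystemRights)" }
```

Note that the same check only matters if the KeePass folder itself is not writable by the user; a user who can rename or replace the folder contents can still bypass a file-level DACL, which is the caveat raised in point 3.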

zxcvxzcv-johndoe commented 1 week ago

Thanks,

Regarding the second point, disabling "Remember master password (in encrypted form) of a database while it's open" should protect against KeeThief (about halfway down https://avantguard.io/en/blog/attacking-and-hardening-keepass ) and similar attacks.

I think the warnings about shit breaking are not really relevant for most use cases; for example, we haven't noticed any issues in our company in the last few years, although the install base is quite small.

And also there's the warning in https://sourceforge.net/p/keepass/discussion/329220/thread/62b0b650/#4e05: "Users who don't use features that require the master password can turn off this option. If turned off, certain features like KDB export don't work, and KeePass shows a detailed error message (mentioning the option) in such a case. We might see some plugins crashing when the option is turned off (when the plugin expects the master password to be there without checking it), but in this case we can simply instruct the users to turn on the option again."

...but plugins are already disabled by KeePass.config.enforced.xml, so for example that part doesn't apply.