S 4.425 Using the Safe and Cardspace functions in Windows 7
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
Windows 7 offers several network functions that are intended primarily for private users and are enabled by default. For example, Windows 7 can manage access data (Windows Credential Manager) for different resources, such as external computer systems and websites, and personal information (Windows Cardspace) for registering and logging in to websites and online services.
In order to ensure that the use of these functions within an institution does not cause any vulnerabilities, the risks of using them must first be weighed against the benefits. If the institution decides in favour of using them, the use of the functions must be planned and implemented carefully.
Windows Credential Manager (Safe/vault)
Since version 7, the Windows operating system has been equipped with a central storage location for credentials (access data) for different network resources, for example for other Windows systems, online services, and websites. The stored credentials are categorised into Windows credentials, certificate-based credentials, and generic credentials.
Among other things, this central storage of credentials entails the risk that unauthorised third parties can access the credential store, for example when the screen has not been locked. An unauthorised person could, for example, use the Save safe function to save all credentials to an external storage medium, without having to authenticate himself as the current user and using a password of his own choosing. The unauthorised person can then use the Restore safe function to copy the credentials to his safe on a different system.
Therefore, it must be weighed up whether the benefit and the time saved by not having to enter the credentials every single time outweigh the described risk.
Within the framework of a policy, it should be defined whether or not saving the credentials in the so-called safe is allowed within the institution.
A prohibition can be implemented technically by means of a group policy. To do this, the service Windows Credential Manager must be disabled in the group policy object editor under Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Once this service is disabled, credentials can no longer be stored centrally in the safe.
Windows Cardspace
Only the information required for logging in to a service can be stored in the safe (user name, password, or certificate). In contrast, Windows Cardspace offers the option of centrally storing information required for registering or logging in to websites and online services by means of so-called cards. If credentials are to be stored in Windows Cardspace, there must be a corresponding policy.
Two types of cards can be used: personal and managed cards.
Personal cards can be created by the users and complemented by personal information such as first name, surname, and email address.
Managed cards can only be created by an institution and contain validated information, for example about a person or his/her account number. The user installs the managed card. The data referenced by the card remains stored locally on the IT system within the institution and is transferred to a service provider, e.g. an online book store, at the user's instigation. The service providers provide mechanisms for processing the CardSpace information, for example using .NET Framework.
Each card can be used with a wide variety of online services and websites. For each card, the usage history and the period of validity of the card are stored.
The cards are stored on the user's IT system in encrypted form. They can also be transferred to external storage media in encrypted form. On the one hand, this makes it possible to back up the cards; on the other hand, the cards can be decrypted and used on a different Windows system.
In order to prevent any unauthorised access to the cards, the institution and/or the user should define a PIN for each card and a password for card backup. If this information is lost, the cards can no longer be accessed and must be re-created or re-requested from the institution issuing the cards.
The possibility of unauthorised persons accessing these cards and using them improperly must be taken into consideration here as well. For instance, the related PINs can be captured by a keylogger or through social engineering. Therefore, the use of Windows Cardspace must be weighed up beforehand.
In institutions where Windows Cardspace is of no use or where using Windows Cardspace is prohibited by the Windows 7 policy, this service should be disabled.
Windows Cardspace can be disabled in the group policy object editor in Computer Configuration | Policies | Windows Settings | Security Settings | System Services.
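One way to verify on a Windows 7 client that the service settings described for the safe and for Windows Cardspace have taken effect, as an added example that is not part of the original safeguard text. The short service names VaultSvc (Credential Manager) and idsvc (Windows CardSpace) and the function name Test-SafeguardService are assumptions not stated in the safeguard.

```powershell
# Added example. Runs on PowerShell 2.0, the version shipped with Windows 7.
# Assumption: the service short names on Windows 7 are
#   VaultSvc = "Credential Manager", idsvc = "Windows CardSpace".
$ServiceNames = @{ CredentialManager = 'VaultSvc'; CardSpace = 'idsvc' }

function Test-SafeguardService {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # The institution's documented decision; $false means use is prohibited.
        [bool]$AllowCredentialManager = $false,
        [bool]$AllowCardSpace = $false
    )
    $allowed = @{ CredentialManager = $AllowCredentialManager; CardSpace = $AllowCardSpace }
    foreach ($computer in $ComputerName) {
        foreach ($feature in $ServiceNames.Keys) {
            $row = @{ Computer = $computer; Feature = $feature
                      Service = $ServiceNames[$feature]; StartMode = $null; State = $null }
            try {
                $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                    -Filter "Name='$($row.Service)'" -ErrorAction Stop
            } catch {
                $row.Finding = "Query failed: $($_.Exception.Message)"
                New-Object PSObject -Property $row
                continue
            }
            if (-not $svc) {
                $row.Finding = 'Service not installed'
            } else {
                $row.StartMode = $svc.StartMode   # Auto, Manual or Disabled
                $row.State     = $svc.State       # Running, Stopped, ...
                if ($allowed[$feature]) {
                    $row.Finding = 'Use permitted by policy; no restriction expected'
                } elseif ($svc.StartMode -ne 'Disabled') {
                    $row.Finding = 'NON-COMPLIANT: prohibited but service not disabled'
                } elseif ($svc.State -eq 'Running') {
                    $row.Finding = 'Disabled, but still running until stopped or rebooted'
                } else {
                    $row.Finding = 'Compliant: service disabled'
                }
            }
            New-Object PSObject -Property $row
        }
    }
}

# Local check with both functions prohibited (the parameter defaults above).
Test-SafeguardService |
    Select-Object Computer, Feature, Service, StartMode, State, Finding | Format-Table -AutoSize
```

Pass a list of clients with -ComputerName, and set -AllowCredentialManager $true or -AllowCardSpace $true where the institution's policy permits the function.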
Training users on how to handle the Windows 7 functions
If the institution decides to use one of the two functions described above, the users must also be informed about the risks that may arise during use and trained on how to handle these functions safely (see S 3.28 Training on security mechanisms for users on Windows client operating systems).
Review questions:
- Is there a policy for storing the credentials in the so-called safe in Windows 7?
- Was the group policy regarding the behaviour of the Windows Credential Manager service configured according to the policy in Windows 7?
- Is there a policy for using Windows Cardspace in Windows 7?
- Was the group policy regarding the behaviour of the Windows Cardspace service configured according to the policy in Windows 7?