Unencrypting Lync Passwords

All Your Passwords Are Belong To Us.

I stumbled across the Lync Client Password Recovery tool today. It looks like this was released on March 12, 2012.

The very scary thing about this tool is that it will quickly and painlessly unencrypt every Lync password stored on every one of your users’ desktops. And since these passwords are live user accounts on your network, this tool can be very dangerous in the wrong hands.

I have a Lync Standard Edition in my lab that I used for testing this tool. I ran it on one of my Windows 7 workstations that I use for testing Lync. My output was very similar to the one seen on the tool’s webpage – that is to say, it was scary. Note that I only have Windows 7 machines available so I can’t verify if this issue also exists on XP/Vista.

I am not a fan of what you could see if I hadn't blurred those pieces out.

I am guessing this is a giant security hole that Microsoft needs to fix.

The application appears to be pulling the data out of Windows Vault (aka Credential Manager).  I was able to verify this on a test system. I went to Windows Vault, deleted an account, and then ran LyncPass again. This time, it did not show the username or password of that Lync user.

I then set the “SavePassword” setting for Lync to Zero (disabled). This can be done via Group Policy by setting the following value. This disables the ability for Lync to save the password (which also includes the username):

You can also do this on a one-off basis by setting the registry key at    HKEY_CURRENT_USERSoftwareMicrosoftCommunicator. If it doesn’t already exist, create a new reg_dword called “SavePassword” and make sure it is set to 0 (0x00000000).

Make sure you’ve deleted the value out of Windows Vault. To access WindowsVault (on Windows 7) hit the Windows Key and type “vault” into the “search programs and files” box at the bottom of the start menu. After having deleted the entry, Log in to Lync and then run LyncPass. You should not see this account in the output. You should also not see this account added to Windows Vault.

Within Windows Vault, look for entries similar to these.

So, to remediate this, clear out every Lync-related Windows Vault entry and then set the Group Policy to prevent saving the password. If you have more than about 50 desktops, this isn’t very feasible, not to mention upsetting your users by making them log in every time. And if your SIP URI does not match your USN, then they need to enter in domainusername as well as their password.

Until Microsoft comes up with something to address this Mack Truck sized security hole, there isn’t much I can offer to help remediate this other than following industry standard desktop security protocols.

—————————————

Updates:

I sent an e-mail to the 1 person I know in Microsoft about this. He responded with this:

I passed it along to one of our Privacy Champions and he said he saw/reported it on Monday and would follow-up on it again.

So that is good news.

—————————————

I spent a ton of time trying to replicate this whole thing based on some of the comments below.

• The user does not need to be in the Vault for the Saved Password feature to work.
• It adds a user to Vault the very first time they try to login to Lync, even if the login credentials are garbage. I just tried logging in with banana@distressler.com (a user who doesn’t exist) and made up a password. That fake user is now in my vault! And I can see that fake users fake password with the LyncPass utility.

• I’ve tested with several variations of CU’s and reboots and other options. And the basic result I seem to come up with is that once a user has been in the Vault, they never get added again. Again, it appears to me that Saved Password does not rely on Vault. I haven’t done exhaustive testing but it appears the “fix” for this is to delete the values out of Windows Vault (Credential Manager).

I have not done full testing on this. I still don’t know if this is an issue on XP or Vista. It is an issue on Windows Server 2008 R2. I quickly tested on Windows 8 and it does not appear to use the Vault there. My “fake user” test failed. So go ahead and upgrade your enterprise to Win8 really quickly. That’ll fix this issue (and raise about 37,000 new ones!).

And the only passwords this utility is showing are the Lync passwords and none of the others I have in my vault.