Global Protect Saving User Credentials Security?

L4 Transporter


After reviewing a few documents, I'm hearing that doing this is not a best practice... If I choose to do so, does anyone know where those credentials are saved and how they are saved in the agent on the endpoint?

I'm guessing encrypted cookies are the way to get around this with longer validity times?

L6 Presenter

Re: Global Protect Saving User Credentials Security?

They are saved and encrypted on the device under current user reg settings.

HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings\LatestCP

Mac stuff is stored in local keychain.

We do not class username and password as an acceptable auth method, so not an issue or concern for us.

L4 Transporter

Re: Global Protect Saving User Credentials Security?

It must be a security concern if Palo is suggesting that this is not a best practice, I'm guessing? But the encrypted cookie is a better "workaround" of sorts for saving the user from login prompts?

L6 Presenter

Re: Global Protect Saving User Credentials Security?

@Sec101, hi.

Where have you seen this suggestion? I have browsed the gen help files and can't see such advice.

L6 Presenter

Re: Global Protect Saving User Credentials Security?

I only ask because if it was a VPN access concern, then why would they not suggest the same for SSO and certificate authentication, as once you are logged into the device then access is available without adding further credentials?

Or... do they feel that they have not encrypted securely enough...

I'm also wondering if this is more directed at OTP authentication, as using the stored credentials would cause the gateway auth to fail every time.

L4 Transporter

Re: Global Protect Saving User Credentials Security?

Best practices assessment tool is where I saw it. You may be correct on this, as the reference for cookie auth does directly mention OTP.

I wonder what the encryption settings are for storing the username/password, or if that is proprietary? I'm not sure I've read anything regarding this, however. Any further detail on how this is stored/secured on the endpoint?

L6 Presenter

Re: Global Protect Saving User Credentials Security?

Well, this is what it looks like... so I assume this is not a Caesar cipher...

䱎䵌塮桹奔灮灊睷㕯汄㈫歱㑬婒佈偗浵ㅇ䑌䑉䝰㴴

L4 Transporter

Re: Global Protect Saving User Credentials Security?

Ha. Nice. I wonder what it is? Probably too picky, but am curious on it now...

L6 Presenter

Re: Global Protect Saving User Credentials Security?

Well, it's almost lunchtime over at Washington DC, so somebody will jump in with the answer. I know who it will be, but let's see...

L4 Transporter

Re: Global Protect Saving User Credentials Security?

Bumping this post to see if anyone else responds. Are there benefits to using an encrypted cookie vs. flat-out saving the credentials? If not, how does the agent save the user credentials on the machine itself? I believe we've determined that if "save users credentials" is on, the user's credentials are encrypted on the local machine in the registry, but how are they encrypted, and is that any better or safer than using the encrypted cookie for auth bypass?

I noticed there was just a warning out (Vulnerability Note VU#192371) about GP and other agents storing cookies insecurely, but I'm guessing if you're using an encrypted cert for auth bypass, this shouldn't matter?
