Microsoft’s official Group Policy blog
Have you ever wanted to configure a preference item to include a specific user name and password? You can do so in several types of preference items, but you should first consider the security ramifications of embedding a user name and password in a preference item.
Are passwords in preference items secure?
A password in a preference item is stored in SYSVOL in the GPO containing that preference item. To obscure the password from casual users, it is not stored as clear text in the XML source code of the preference item. However, the password is not secured. Because the password is stored in SYSVOL, all authenticated users have read access to it. Additionally, it can be read by the client in transit if the user has the necessary permissions.
Because passwords in preference items are not secured, we recommend that you carefully consider the security ramifications when deciding whether to store passwords in preference items. If you choose to use this feature, we recommend that you consider creating dedicated accounts for use with it and that you do not store administrative passwords in preference items.
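To act on this recommendation you first need to know which preference items in SYSVOL carry a stored password. The following audit sketch is an added example, not code from the original post or from Microsoft: it walks a copy of the Policies folder and reports the GPO, file, item type and account for each such item without printing the stored value. The `cpassword` attribute and the account attribute names come from the preference XML format, not from the post; the GPO GUIDs, account names and values in the sample are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

GPO_GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Attributes that name the account in different item types (assumed set).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

# Constructed sample files; GUIDs, names and the password value are placeholders.
SAMPLE = {
    "{11111111-1111-1111-1111-111111111111}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="svc-local"><Properties action="U" '
        'userName="svc-local" cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>',
    "{22222222-2222-2222-2222-222222222222}/User/Preferences/Drives/Drives.xml":
        '<Drives><Drive name="S:"><Properties action="U" path="\\\\fs\\share" '
        'userName="" cpassword=""/></Drive></Drives>',
    "{22222222-2222-2222-2222-222222222222}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<ScheduledTasks><Task name="Backup"><Properties action="U" '
        'runAs="EXAMPLE\\svc-task" cpassword="CONSTRUCTED-PLACEHOLDER"/></Task></ScheduledTasks>',
}

def find_stored_passwords(policies_root):
    """Return one finding per preference item that embeds a password."""
    findings = []
    for xml_path in sorted(Path(policies_root).rglob("*.xml")):
        try:
            root = ET.parse(xml_path).getroot()
        except ET.ParseError:
            continue  # skip malformed files rather than abort the audit
        guid = GPO_GUID.search(str(xml_path))
        for item in root.iter():
            for props in item.findall("Properties"):
                if not props.get("cpassword"):
                    continue  # cpassword="" means no password was set
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
                findings.append({"gpo": guid.group(0) if guid else "unknown",
                                 "file": xml_path.name, "item_type": item.tag,
                                 "account": account})
    return findings

def audit_sample():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(xml, encoding="utf-8")
        return find_stored_passwords(tmp)

if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['gpo']} {f['file']} {f['item_type']} account={f['account']!r}")
```

Against a real domain, pass the path of the Policies folder under SYSVOL (or an offline copy of it) to `find_stored_passwords` and review each reported account against the guidance above.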
Where can you use passwords?
You can use passwords in the following types of preference items:
For the user name in a Data Source, Mapped Drive, Scheduled Task, Immediate Task, or Service preference item, you can specify a local user account on multiple computers using the format .\UserName, or a domain account using the DomainName\UserName format.
So, yes, you can configure some types of preference items to include a user name and password, but because the password is merely obscured rather than secured, you should carefully evaluate the security ramifications for your situation to determine whether it is appropriate to use this feature.
Linda Moore
Technical Writer, Group Policy
(Reposted and updated on 22 April 2009)
So, then... In what way are they not secure? Are you saying that the password could potentially be extracted from the AES 256-encrypted string eventually given enough time, or are you saying that the password-changing algorithms might not be secure enough for some scenarios if someone has enough access to the system?
I guess what I'd like to be able to do is determine to a reasonable extent whether my current kludgy hack is more secure than GPP.
If you have had a taste of Group Policy Preferences, you will no longer be able to give them up. And if so,...