Re: "Peter Miller" pcmiller61@yahoo.com, 02/26/2002 03:48 AM RE: Symantec LiveUpdate Hi All, In a similar vien would anyone with Symantec Ghost V7.0 installed like to comment on this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NGServer\params Ghost creates a special user account on the machine to run the service under but it seems it is storing the password for this account in plain text in the registry. Regards Peter ------------------------------------------------- Symantec Response This is not the same type of issue reported in the original posting by Javier Sanchez, "Javier Sanchez" jsanchez157@hotmail.com 02/25/2002 11:14 AM, Symantec LiveUpdate" During the installation process for Symantec Ghost Corporate Edition, the key in question is created with Administrator access only by default. Normal best practice procedures of administrators allowing "least privilege" access to normal system users would preclude access to any unauthorized registry information by anyone other than a user with administrator privileges. Unauthorized access to the system registry presents security concerns for any program(s), which use the registry to persist data. Protection of your system includes restricting physical access to your system and restricting administrative privileges. Symantec take the security of our products very seriously and appreciates the concerns of Mr. Miller. Symantec is constantly working to improve our products and we will be reviewing additional protective measures for this key in future upgrades. Please direct any Symantec product security concerns to SymSecurity at symsecurity@symantec.com. Disclaimer The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information. Symantec, Symantec product names and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
