Debug logging by WinPE client-side scripts may display passwords


The debug log (which should really not be turned on by default in the shipping product) prints out the contents of variables that are stored on the client running the OSD task sequence. It does not decrypt anything in order to do this, and any person who wanted to could add a small command to do the same thing (the commands are published on TechNet). However, the fact that passwords can be logged in clear text is a secureity issue for some customers.
The scripts that perform this logging are being modified to remove any potential displaying of passwords.
See the attached Word doc for an explanation in greater detail.

file attachments

Closed Jun 3, 2010 at 8:04 PM by rhearn


wrote Jun 3, 2010 at 8:04 PM

Resolved with changeset 53641.

wrote Feb 13, 2013 at 10:45 PM

wrote May 16, 2013 at 5:21 AM