Sam Hartman via RT wrote:

> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.

I wouldn't be thrilled with this use case either and I'm sad it was brought up.

The AFS Client Service is going to add a feature that permits it to use the Windows host principal to obtain tokens. The Windows host principal is either keyed during the domain join operation or with KSETUP. In either case, the host password is stored in a protected part of the HKLM hive which is only accessible to the SYSTEM account. This hive can be encrypted on local disk, and when that functionality is enabled, a password must be entered before Windows will boot.

> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use. How is group policy pushed
> to a machine? Is it encrypted in transit? Can a machine find out the
> group policy of someone else?

In Vista, group policy data is pushed to machines over TLS. I would need to go back to verify that XP does the same.

Group Policy data is pushed to all the machines which are members of the group. A single machine account can be treated as a group of one member. Policy data associated with a single machine will only be sent to that machine. Obviously, domain administrators will have the ability to view or manipulate that data.

It should be noted that group policy can also be used to push out applications or configuration files. Therefore, creating a registry-based keytab does not increase the risk of abuse. It simply puts the key data in a location that is more likely to be secured than a file.
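Added example, not part of the message above or of any Kerberos or AFS code base: the message argues that a registry-based keytab can be locked down to the SYSTEM account the way the host key already is. The PowerShell below creates a registry key, writes a placeholder binary value, replaces the inherited DACL with one that grants access to SYSTEM only, and then checks that the account running the script can no longer read the value. The key path `HKLM:\SOFTWARE\Example\RegistryKeytab` and the value name `keytab` are hypothetical, and the bytes written are constructed filler, not key material.

```powershell
# Added example: lock a registry key down to NT AUTHORITY\SYSTEM so that a
# keytab stored there is not readable by ordinary administrators' processes.
# Path, value name and bytes are hypothetical placeholders chosen for this
# example; they are not what any real Kerberos implementation uses.
#Requires -RunAsAdministrator
$KeytabKey = 'HKLM:\SOFTWARE\Example\RegistryKeytab'   # hypothetical location

if (-not (Test-Path -Path $KeytabKey)) {
    New-Item -Path $KeytabKey -Force | Out-Null
}

# Write the value while the current account still has access; the DACL is
# tightened afterwards. Constructed filler bytes, not a real key.
$placeholder = [byte[]](1..16)
Set-ItemProperty -Path $KeytabKey -Name 'keytab' -Value $placeholder -Type Binary

$acl = Get-Acl -Path $KeytabKey

# Stop inheriting from HKLM\SOFTWARE (which grants Users read access) and
# discard the inherited entries rather than copying them as explicit ACEs.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs left over from an earlier run of this script.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Grant full control to SYSTEM (well-known SID S-1-5-18) and to nobody else.
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $system, 'FullControl', 'ContainerInherit', 'None', 'Allow'
[void]$acl.AddAccessRule($rule)

# Only the DACL was modified, so only the DACL is written back.
Set-Acl -Path $KeytabKey -AclObject $acl

# Verify 1: the DACL now contains a single, non-inherited entry for SYSTEM.
# Reading the DACL still works because the key's owner (the Administrators
# group, for a key created from an elevated shell) implicitly holds READ_CONTROL.
(Get-Acl -Path $KeytabKey).Access |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize

# Verify 2: reading the value from this (non-SYSTEM) account is now denied.
try {
    Get-ItemProperty -Path $KeytabKey -Name 'keytab' -ErrorAction Stop | Out-Null
    Write-Warning 'The value is still readable by the current account.'
} catch {
    Write-Output "Read denied for the current account, as intended: $($_.Exception.Message)"
}
```

Two caveats worth keeping in mind when reading the result. First, the DACL is the only thing this changes: members of the local Administrators group still hold SeTakeOwnershipPrivilege and SeRestorePrivilege, so an administrator who wants the data can take ownership of the key and rewrite the DACL, exactly as they could with the hive that holds the host password. "Only accessible to SYSTEM" is therefore a statement about the default access path, not a boundary against a local administrator. Second, to inspect the value as SYSTEM for confirmation, run the same `Get-ItemProperty` from a SYSTEM context (for example a scheduled task running as SYSTEM, or `psexec -s`); the denial shown above is only meaningful for the non-SYSTEM account that ran the script.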