While working on a Windows 10 lab, I discovered a weakness in the provisioning engine responsible for handling PPKG files.
Let’s say you want to use PPKG files to provision a local admin account: you secure the PPKG file and install it on Windows 10 (version 1507).
Imagine, your IT dept. gave you a brand new Windows 10 and used PPKG to install a local admin account.
If you’re logged in as a standard user, you can actually read the local admin password stored in clear text in configuration files. D’oh!
dir C:\ProgramData\Microsoft\Provisioning -inc *.xml -rec | sls 'password' -context 1,1
It appeared that the ACLs on “C:\ProgramData\Microsoft\Provisioning” allowed standard users to read the content.
There’s also another kind of file that stores the password in clear text:
dir C:\ProgramData\Microsoft\Provisioning -inc *.provxml -rec | sls 'password'
I’ve found that only Windows 10 RTM (1507 branch/Threshold1/10.0.10240) is at stake and that the issue has been addressed in the Threshold2 branch (1511 or 10.0.10586). The latest report I had from Microsoft about this issue also confirmed these findings.
I don’t know if the ACLs on the Provisioning directory are corrected if you upgraded from the 1507 branch to the 1511 branch.
If you run 1507 LTSB version, I don’t know if you’re safe…
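To answer the two open questions above on a given machine (is this build the affected 1507/10240 branch, and does the Provisioning directory still grant read access to standard users while holding files that mention a password), here is an audit script as an added example. It is not part of the original post or of any Microsoft tooling; the path comes from the post, while the identity names checked and the function names are my own assumptions. Run it as an administrator on the machine you are auditing.

```powershell
# Added example (not from the original post): audit the PPKG provisioning
# exposure described above. Assumptions: the directory path from the post,
# and the well-known identity names used to represent "any logged-on user".
$provRoot = 'C:\ProgramData\Microsoft\Provisioning'

function Test-AffectedBuild {
    # Build 10240 is Windows 10 RTM (1507 / Threshold1), the branch the post
    # identifies as affected; 10586 (1511 / Threshold2) carries the fix.
    $build = [System.Environment]::OSVersion.Version.Build
    [pscustomobject]@{ Build = $build; Affected = ($build -lt 10586) }
}

function Test-ProvisioningAcl {
    param([string]$Path = $provRoot)
    if (-not (Test-Path -Path $Path)) { return $null }
    $acl = Get-Acl -Path $Path
    # Identities that stand for every interactive user, not just administrators.
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Find-ProvisioningSecrets {
    param([string]$Path = $provRoot)
    # Same search the post performs, covering both file types it names,
    # but reporting only file and line so no secret is echoed to the console.
    Get-ChildItem -Path $Path -Recurse -Include *.xml, *.provxml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password' -SimpleMatch |
        Select-Object Path, LineNumber
}

$os = Test-AffectedBuild
"OS build $($os.Build); on affected branch: $($os.Affected)"

$readable = Test-ProvisioningAcl
if ($readable) {
    "Standard users hold read access on $provRoot via:"
    $readable | Format-Table -AutoSize
} else {
    "No broad read ACE found on $provRoot (or the directory does not exist)."
}

$hits = Find-ProvisioningSecrets
if ($hits) {
    "Provisioning files containing 'password' (file and line only):"
    $hits | Format-Table -AutoSize
} else {
    "No 'password' strings found under $provRoot."
}
```

A machine that reports both a broad read ACE and matching files is exposed exactly as the post describes; the remedy the post points to is moving to the 1511 branch or later, and this script lets you confirm after an in-place upgrade (or on an LTSB 1507 image) whether the ACLs and the leftover files were actually cleaned up rather than assuming they were.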