This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). Default: Disabled. Countermeasure: Disable the Store password using reversible encryption for all users in the domain setting. Potential Impact: If your organization uses either the CHAP authentication protocol through remote access or IAS services or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting is extremely dangerous to apply through Group Policy on a user-by-user basis, because it requires the appropriate user account object to be opened in Active Directory Users and Computers. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword PolicyStore passwords using reversible encryption (2) REG: ### (3) WMI: root sopcomputer#RSOP_SecuritySettingBoolean#Setting#KeyName = 'ClearTextPassword' And precedence=1

[enabled/disabled]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption (2) REG: ### (3) WMI: root\rsop\computer#RSOP_SecuritySettingBoolean#Setting#KeyName = 'ClearTextPassword' And precedence=1