
	Home > Windows Server Tips > Windows Systems and Network Administration > Restricting cached credentials in Windows

Windows Server Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

WINDOWS SYSTEMS AND NETWORK ADMINISTRATION

Restricting cached credentials in Windows

James Michael Stewart, Contributor
06.02.2004
Rating: -3.40- (out of 5)

Digg This!

StumbleUpon

Del.icio.us

Windows operating systems, including 2000, XP, and 2003, cache the logon credentials for the last 10 users. This allows for the user to re-logon at a later date even if the domain controller cannot be accessed at the time of logon. While this does represent a fault tolerance to DC downtime and network congestion, it is a poor state of security. When users are logged on using cached credentials, they are using out-of-date security credentials. New group memberships, changes to GPOs, changes to user rights, etc. are not applied. This is a serious threat to any truly secured environment.

To disable cached credentials, simply alter the appropriate GPOs so that every system in the environment has the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)" to 0 logons (from the default of 10).

Another important issue in regards to cached logons is unlocking a workstation. A workstation can become locked if the screen saver requires the user's password to resume to the desktop or if the Lock Computer command from the Task Manager's Shutdown menu or the logoff dialog box is used. In either...

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Microsoft Windows Network Security
	Are security concerns over cloud computing unfounded?
	Balancing Windows security with reasonable password policies
	Windows AppLocker in R2: Turning conventional security wisdom on its head
	Using software restriction policies in Windows
	IIS gets patched, SQL Server not so much
	Windows Server Security Guide
	Free Windows security tools every admin must have
	Common causes of Windows server security vulnerabilities
	Cutting the cost of Windows identity and access management
	Group Policy Object modeling simplifies network security

Windows Server Security

BitLocker in R2 provides data protection for semi-protected servers

Balancing Windows security with reasonable password policies

Windows AppLocker in R2: Turning conventional security wisdom on its head

Windows Server Security Guide

Free Windows security tools every admin must have

Common causes of Windows server security vulnerabilities

Top Windows server hardening standards and guidelines

Windows server hardening: How much is enough?

Overlooked security in Windows Server 2008

Easing security concerns with Server Core for Windows 2008

Windows Systems and Network Administration

Troubleshooting Windows application crashes or hangs

Converting VMware ESX machines to Hyper-V format

Using DFSR for SYSVOL replication in Windows Server 2008

Top 25 Windows PowerShell commands for administrators

Key DFS improvements in Windows Server 2008 R2

Free Windows security tools every admin must have

Group Policy makes strides in Windows Server 2008 R2

Quick tips for troubleshooting NTFS permissions

Common causes of Windows server security vulnerabilities

Cutting the cost of Windows identity and access management

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

case, the default is for the local system to verify the user's password based upon cached credentials. Even if the system is configured not to retain cached credentials, the currently logged on user's credentials are cached in active memory because the user is logged onto the workstation. Just as with the issue of domain logon via cached credentials, if a workstation is unlocked using cached credentials, a domain controller is not consulted.

To force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Require Domain Controller authentication to unlock workstation" to Enabled.

It should be obvious that while these settings are important for domain users in general, they are especially important for administrative level user accounts. In a truly secure environment, any time a logon event occurs (including unlocking a workstation) you want a domain controller to be contacted. Relying upon cached credentials may be more efficient, but it is not more secure.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Rate this Tip
To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member.
Submit a Tip

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Server Room Design - Planning, Cooling, Maintenance

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2004 - 2009, TechTarget \| Read our Privacy Policy