Tip

Restricting cached credentials in Windows

James Michael Stewart, Contributor

Windows operating systems, including 2000, XP, and 2003, cache the logon credentials for the last 10 users. This allows for the user to re-logon at a later date even if the domain controller cannot be accessed at the time of logon. While this does represent a fault tolerance to DC downtime and network congestion, it is a poor state of security. When users are logged on using cached credentials, they are using out-of-date security credentials. New group memberships, changes to GPOs, changes to user rights, etc. are not applied. This is a serious threat to any truly secured environment.

To disable cached credentials, simply alter the appropriate

    Requires Free Membership to View

GPOs so that every system in the environment has the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)" to 0 logons (from the default of 10).

Another important issue in regards to cached logons is unlocking a workstation. A workstation can become locked if the screen saver requires the user's password to resume to the desktop or if the Lock Computer command from the Task Manager's Shutdown menu or the logoff dialog box is used. In either case, the default is for the local system to verify the user's password based upon cached credentials. Even if the system is configured not to retain cached credentials, the currently logged on user's credentials are cached in active memory because the user is logged onto the workstation. Just as with the issue of domain logon via cached credentials, if a workstation is unlocked using cached credentials, a domain controller is not consulted.

To force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Require Domain Controller authentication to unlock workstation" to Enabled.

It should be obvious that while these settings are important for domain users in general, they are especially important for administrative level user accounts. In a truly secure environment, any time a logon event occurs (including unlocking a workstation) you want a domain controller to be contacted. Relying upon cached credentials may be more efficient, but it is not more secure.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


 

This was first published in June 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.