Mon, Dec 20 2004 7:42
Is having "cached credentials" enabled a security risk?
Just to bring up to the top of the blog a comment about having "cached credentials" turned on in your network that I referred to in the prior post. A recent post to Russ Cooper's NTBugtraq questioned the "security" of having cached credentials enabled, but Russ did not post any information about the "flip side" of disabling the setting. Keep in mind that if you totally disable cached credentials, any laptop that is off the domain will not be able to log on with its domain profile. Disabling "cached credentials" [the ability to log on to a domain that is unreachable until a domain controller comes back online] shouldn't be done [if at all, down here in SBSland] unless you are mandated to follow some misguided Department of Defense guidelines or something. It's going to cause you way more headaches than any security value you might think you are gaining.
From the Threats and Countermeasures guide.....
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally so that, in the event a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users whose logon information is cached locally.
If a domain controller is unavailable and a user’s logon information is cached, the user is prompted with the following message: A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.
If a domain controller is unavailable and a user’s logon information is not cached, the user is prompted with this message:
The system cannot log you on now because the domain is not available.
The possible values for this Group Policy setting are:
- User-defined number (between 0 and 50)
- Not defined
The number assigned to this setting indicates the number of users whose logon information the server caches locally. If the number is set to 10, then the server caches logon information for 10 users. When an eleventh user logs on to the computer, the server overwrites the oldest cached logon session.
Users who access the server console will have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the systems’ registries which are spread across numerous physical locations.
Set Number of previous logons to cache (in case domain controller is not available) to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers.
Users will be unable to log onto any computers if there is no domain controller available to authenticate them. Organizations may want to set this to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged onto their computer to perform system maintenance. This way, those users will be able to log onto their computers when they are not connected to the corporate network.
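The setting the guide describes is stored on each machine as the CachedLogonsCount value (a REG_SZ holding a number from 0 to 50, default 10) under the Winlogon key, which is the quickest place to check what a given box is actually doing. The PowerShell below is an added example and is not part of the blog post or of the Threats and Countermeasures guide. It assumes an elevated session on a domain-joined Windows machine; the function names (Get-CachedLogonsCount, Test-CachedLogonsCount, Set-CachedLogonsCount) are my own, and the local write at the end only sticks where no domain Group Policy defines the setting, because policy refresh re-applies the GPO value over a local change.

```powershell
# Added example, not code from the blog post or the Threats and Countermeasures guide.
# Reads the effective "Interactive logon: Number of previous logons to cache" value,
# describes what it means for offline logon, and shows how to set it.
# Assumptions: elevated PowerShell on a domain-joined machine; no domain GPO
# overrides the value (if one does, the next policy refresh will put it back).

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # REG_SZ, "0" to "50"; Windows default is "10"

function Get-CachedLogonsCount {
    # Returns the configured count as an integer, or the default (10) if the value is absent.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$ValueName
}

function Test-CachedLogonsCount {
    param([int]$Count)
    # Summarise the operational consequence the guide excerpt describes for this value.
    if ($Count -eq 0) {
        return 'Caching disabled: nobody can log on unless a domain controller answers. Unsuitable for laptops.'
    }
    elseif ($Count -le 2) {
        return "Minimal cache ($Count): the last $Count distinct accounts can log on offline. " +
               "Once more than $Count different accounts have logged on (for example a technician " +
               "after the owner), the oldest entry is evicted and that user loses offline logon."
    }
    else {
        return "Cache of $Count distinct accounts: offline logon works for the last $Count users. " +
               "Each cached entry is material an attacker with file-system access could try to " +
               "crack offline, so size it to the machine's role rather than leaving the default."
    }
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # The value is stored as a string even though it holds a number.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
"Current CachedLogonsCount: $current"
Test-CachedLogonsCount -Count $current

# Follow the guide's suggestion for mobile end-user systems (2) rather than disabling caching (0):
# Set-CachedLogonsCount -Count 2
# Get-CachedLogonsCount   # -> 2 after the write, until a domain GPO (if any) re-applies its value
```

If the value is managed by Group Policy, change it there instead (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) and let the clients pick it up on refresh; the local write above is for standalone checks and for machines the policy does not reach.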
Filed under: Security