Windows Tip: Are cached credentials secure?
Send your Windows question to Mitch today! | See other Windows tips
A reader recently contacted me concerning a previous tip Troubleshooting Cached Logons where I shared a script that could be used to query your event logs to determine whether your machine is currently logged on using cached credentials. When you try to log onto your domain and your Windows XP computer can't contact a domain controller, your computer uses cached credentials to authenticate. These credentials are cached locally on your machine from a previous successful domain authentication, and are designed to enable you to log onto domain members when domain controllers are unavailable.
The reader told me that he heard from "some security experts" that storing domain credentials locally on client machines like this poses a security vulnerability since anyone who can gain access to your computer can run a password cracker against these stored credentials and extract your domain username and password from them. But how serious a vulnerability is this? To find the answer, I cracked open one of my all-time favorite books, Protect Your Windows Network: From Perimeter To Data by Jesper M. Johansson and Steve Riley.
Steve and Jesper make the following points concerning how Windows implements caching of domain credentials. First, cached credentials are stored in the Security hive and not in LSA Secrets (a much less secure place for storing credentials). Second, cached credentials doesn't actually store your credentials (username and password) or even the NT hash of your credentials. Instead, it stores them as the hash of a hash, salted with your username, and this makes them very difficult to crack using a password cracker. And finally, to crack cached credentials an attacker would need to run a password cracker under the LocalSystem account, in which case they have complete control of your machine anyway so you've got more important things to worry about, right?
If you're still worried however concerning the security of cached credentials, you can do two things to mitigate the risks. First, use Group Policy to force users to use strong passwords as this will make trying to crack cached credentials unfeasible due to the length of time needed to crack them. And second, you can use Group Policy to disable credential caching on machines that don't need it. For example, cached credentials should be disabled on all your servers and probably all your desktop computers also -- only mobile users really need them so they can log onto their laptops when they're away from the office.
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
