Re: Domain user logon when network is not available
From: Ron Ruble (raffles2@att.net)
Date: 03/01/03
From: "Ron Ruble" <raffles2@att.net> Date: Sat, 1 Mar 2003 12:57:50 -0500
<chris@nospam.com> wrote in message news:gif06v4cpvvdfq6afdn74bvtgmitroh332@4ax.com...
> On 28 Feb 2003 11:32:48 -0800, ksmith@aeoa.org (Kevin Smith) wrote:
<snip>
> It's called "cached credentials". NT by default remembers the last 10
> successful logins. A handy trick to log into a machine after your
> domain account is disabled is to simply unplug the network cable.
> Great MS security if you ask me, although this is handy for users who
> travel with their laptops.
You can disable caching of credentials.
It usually isn't done, so that you can access the system when
unexpected failures occur, but MS documents how to disable
this in the MSDN Kbase, under "Securing Windows NT
Installation".
"Disable Caching of Logon Credentials During Interactive Log On
The default configuration of Windows NT caches the last logon
credentials for a user who logged on interactively to a system.
This feature is provided for system availability reasons such as
if the user's machine is disconnected or none of the domain
controllers are online.
Even though the credential cache is well protected, in a highly
secure environments, customers may want to disable this feature.
This can be done by setting the following registry key:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: CachedLogonsCount
Type: REG_DWORD
Value: 0"
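
An added example, not part of the original post or of the Microsoft text it quotes: a PowerShell sketch that audits the CachedLogonsCount value named above and, when asked, sets it. The function names are hypothetical, and the code assumes the value may be stored as either a string or a DWORD, since the stored type can differ between Windows versions.

```powershell
# Added example: audit and optionally set Winlogon\CachedLogonsCount.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the configured count as an int, or $null when the value is absent.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = $item.$ValueName
    $parsed = 0
    # Accept both string data ("10") and DWORD data (10).
    if ([int]::TryParse([string]$raw, [ref]$parsed)) { return $parsed }
    throw "Unexpected data in ${ValueName}: '$raw'"
}

function Test-CachedLogonsDisabled {
    # Reports whether interactive logon caching is turned off (count of 0).
    $count = Get-CachedLogonsCount
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        ValueSet  = ($null -ne $count)
        Count     = $count                       # $null means the OS default applies
        Compliant = ($null -ne $count -and $count -eq 0)
    }
}

function Set-CachedLogonsCount {
    # Requires an elevated session. Keeps the existing value type if one is
    # present; otherwise creates a DWORD, as the quoted guidance specifies.
    param([ValidateRange(0, 50)][int]$Count = 0)
    $key  = Get-Item -Path $WinlogonKey
    $kind = if ($key.GetValueNames() -contains $ValueName) {
                $key.GetValueKind($ValueName)
            } else {
                [Microsoft.Win32.RegistryValueKind]::DWord
            }
    $data = if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) { [string]$Count } else { $Count }
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $data -Type $kind
}

# Audit only; uncomment the second line to disable caching on this machine.
Test-CachedLogonsDisabled
# Set-CachedLogonsCount -Count 0
```

With the count at 0, a domain user cannot log on interactively while no domain controller is reachable, which is the availability trade-off the quoted text describes.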