Re: cached login credentials
- From: "Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx>
- Date: Tue, 31 Jul 2007 10:18:00 -0700
As Jesper and I describe in our book (http://www.protectyourwindowsnetwork.com), cached credentials:
* Are stored not in LSA but in the security hive, a better place for storing secrets
* Are _not_ your ID/password or the hash of your password, but instead a hash of the hash, salted with your user name (in practicality, this makes them nearly impervious to ordinary password cracking tools)
* Require running attack tools in SYSTEM context: meaning the bad guy already has complete control of your computer anyway, so who cares?
There's way too much fretting and worrying over this. Without cached credentials, laptop computers become completely useless when not connected to the domain--and this, then, destroys the very reason that laptops exist.
If you're really worried about cracking passwords, then set password policies that require certain complexity or--better--a minimum length of at least 15 characters (then you can ignore complexity). Now you can eliminate password cracking attacks from your list of worries, because the time required to crack them stretches into the hundreds of millions of years.
(Actually, password cracking attacks really aren't even that interesting. "Pass-the-hash" attacks, where the bad guy already has hashes of passwords, _are_ interesting: see the "Should I be concerned about password cracking?" section in Jesper's article at http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx.)
In your note, you quote Immutable Law #3 (http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx). Not to sound flippant, but the best way to thwart this attack is to make sure you don't get your laptop stolen. There is, of course, a mitigation for this, too: BitLocker Drive Encryption in Windows Vista Business (if you have Software Assurance), Enterprise, and Ultimate editions.
One other point that might matter: here at Microsoft, we don't disable or tweak the settings. We leave the number of cached credentials set to the default (10), and we require strong passwords. Soon we'll be moving to corp-wide smartcard logon and finally getting rid of passwords.
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
"msb-2007@xxxxxxxxxxxxx" <msb2007nospamnospam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:7E81A5D6-B936-4A55-BEA4-FFC85650B6D4@xxxxxxxxxxxxxxxx
I know this is a topic that has been argued about in security circles for
some time...
However, I haven't been able to find an answer to this particular question:
If a user logs into a domain machine using "normal" domain user access
credentials, and uses runas to do privileged operations (assume they use
domain admin account credentials), is a credential cached anywhere for the
domain admin account?
Background: if I login to a machine directly with a domain admin account,
the domain admin credentials will be cached locally. While these credentials
are somewhat protected through Microsoft's approach with encrypted
"verifiers", they are not completely secure from a determined attacker. Lots
of argument about how difficult it would be, but I'm confident there is an
attack vector there. The old adage "if I have physical access to your
machine, there is no telling what I can do" applies.
I understand that there is a registry key (CachedLogonsCount=0) that can be
set to disallow the caching of credentials, but that doesn't really work well
when the computer is a laptop that needs to be usable when disconnected from
the domain. My ultimate goal is to ensure that our security practices for
domain administrators don't expose the corporate network to additional risk
when a laptop is stolen.
Regards!
-Matt
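As an added example (not part of the original thread), the following PowerShell audit reports the two settings the thread turns on: the CachedLogonsCount value Matt mentions and the minimum password length against the 15-character threshold Steve recommends. It assumes Windows PowerShell 5.1 or later on the machine being audited, run from an elevated prompt because secedit /export requires administrative rights.

```powershell
# Added example: audit cached-logon count and minimum password length on the local machine.
# Assumes an elevated Windows PowerShell session (secedit /export needs admin rights).

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # CachedLogonsCount is stored as a REG_SZ string; if the value is absent,
    # Windows uses its default of 10 cached logons.
    $value = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Get-MinimumPasswordLength {
    # Export the security policy as applied to this machine and read
    # MinimumPasswordLength from the [System Access] section of the INF.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^MinimumPasswordLength\s*=' } | Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if ($line -match '=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

$cached = Get-CachedLogonsCount
$minLen = Get-MinimumPasswordLength

"CachedLogonsCount     : $cached"
"MinimumPasswordLength : $minLen"

if ($cached -eq 0) {
    'Note: credential caching is disabled; domain users cannot log on while disconnected from the domain.'
} elseif ($cached -gt 10) {
    'Note: more logons are cached than the Windows default of 10.'
}
if ($null -eq $minLen -or $minLen -lt 15) {
    'Note: minimum password length is below the 15 characters recommended in the thread.'
}
```

The script only reads the current state and reports it; it changes no settings, so it can be run on a laptop before deciding whether the default of 10 cached logons is acceptable for that machine.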