
I understand that when windows caches user credentials, these can sometimes be used by malicious parties to access other machines once a machine containing cached credentials is compromised, a method known as "pass the hash"[1]. For this reason I would like to get control over what's cached to reduce the risk of cached credentials being used maliciously.

It is possible to prevent all caching by zeroing HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount, but this is too indiscriminate: laptop users need to be able to log in when away from the network. What I would like to do is prevent the caching of credentials of certain users, such as administrators -- is there any way to do that in Windows XP?

  1. http://www.lbl.gov/cyber/systems/pass-the-hash.html
kdt
  • 1,400
  • 3
  • 22
  • 34

3 Answers

1

The best practice, as is mentioned in many articles on the subject, is to set CachedLogonsCount=1. When the user logs into their laptop the admin credentials will be flushed. Be sure to explain to the user that they need to log in while connected to the network before leaving or they'll be locked out.

Also it's worth noting that Pass-The-Hash doesn't work on Kerberos. It's recommended you disable NTLM auth wherever it's convenient.

Recent Developments:
Programs that take advantage of GPUs (graphics cards) to crack NTLM passwords are becoming more popular, and extremely fast. A 7 character NTLM password can be cracked in <20 minutes with a reasonable home computer. Disabling NTLM Caching is becoming more important as recovering the password from the hash becomes easier (which could then be used for Kerberos, http-digest, or other authentication methods).

With the rise of cloud computing, cracking NTLM passwords in the cloud has made it possible to 'rent' the resources to crack almost any NTLM hash in a reasonable amount of time (though at some expense). Given these developments, everyone should be re-evaluating their password length and complexity policies; limiting the use and storage of NTLM hashes; and carefully evaluating (or guessing) how much a nefarious organization (competitor) would pay to get access to your systems.

Chris S
  • 77,945
  • 11
  • 124
  • 216
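A PowerShell script that audits the two things this answer recommends: the CachedLogonsCount value and the machine's NTLM posture. It is an added example, not code from the answer or from Microsoft. The Winlogon and Lsa registry paths are the standard ones; the NTLM restriction value RestrictSendingNTLMTraffic only exists on Windows 7 / Server 2008 R2 and later, so on an XP host that field simply reads as empty. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the answer above): audit and optionally set the
# cached-logon count and report the NTLM-related policy values it mentions.
# Assumes an elevated prompt on a domain-joined Windows machine.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = "$lsa\MSV1_0"

function Get-CachedLogonState {
    # CachedLogonsCount is stored as REG_SZ; Windows defaults to "10" when absent.
    $count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10' }

    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1 responses.
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # NoLMHash = 1 stops the weak LM hash from being stored at next password change.
    $noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    # RestrictSendingNTLMTraffic: 1 = audit outgoing NTLM, 2 = deny all (Win7+/2008R2+ only).
    $restrictNtlm = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

    [pscustomobject]@{
        CachedLogonsCount          = [int]$count
        LmCompatibilityLevel       = $lmLevel
        NoLMHash                   = $noLm
        RestrictSendingNTLMTraffic = $restrictNtlm
    }
}

function Set-CachedLogonsCount {
    # Valid range for this value is 0..50; the registry type is REG_SZ.
    param([ValidateRange(0, 50)][int]$Count = 1)
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

$state = Get-CachedLogonState
$state | Format-List

if ($state.CachedLogonsCount -gt 1) {
    Write-Warning "CachedLogonsCount is $($state.CachedLogonsCount); the recommendation above is 1."
}
if ($null -eq $state.LmCompatibilityLevel -or $state.LmCompatibilityLevel -lt 5) {
    Write-Warning "LmCompatibilityLevel is below 5; LM/NTLMv1 responses may still be sent."
}
if ($state.RestrictSendingNTLMTraffic -ne 2) {
    Write-Warning "Outgoing NTLM is not fully restricted (RestrictSendingNTLMTraffic is not 2)."
}

# Uncomment to apply the recommended cached-logon limit:
# Set-CachedLogonsCount -Count 1
```

Setting CachedLogonsCount to 1 only limits how many distinct domain users keep a cached verifier on the box; it does not remove an entry already present until another user logs on and displaces it, which is why the answer stresses logging on while connected to the network.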
0

Your best bet is to delete all caches after using administrator then let the user log back on.

In order to view the cached credentials in the registry, launch regedit as system (unless you change permissions on the key that is to be modified).

Log on as an admin, load up a command prompt and type:

at xx:xx /interactive "regedit.exe" which uses system as its owner

navigate to HKLM\SECURITY\CACHE

Overwrite the data in NL$1 to 10 with zeroes. Don't delete them and don't play with any other keys.

I haven't actually done it but you should also be able to schedule reg.exe commands to do the same thing.

Jim B
  • 24,081
  • 4
  • 36
  • 60
  • That is a useful option, but it would be even better to never store the credentials at all in order to remove the window of opportunity for them to be captured. – kdt May 21 '10 at 16:09
  • Your question specifically states you don't want to stop all caching – Jim B May 21 '10 at 17:00
  • I don't want to stop all caching *for all users*. I want to completely stop caching for certain users. – kdt May 24 '10 at 07:43
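The procedure in Jim B's answer (overwrite NL$1 through NL$10 under HKLM\SECURITY\Cache with zeroes, delete nothing, leave the other values alone), written as a PowerShell function. This is an added example, not Jim B's code; the function name and parameters are my own. It assumes it runs as SYSTEM (for instance from a scheduled task, the reg.exe route the answer hints at), because that key is not readable by administrators by default, and it defaults to a dry run via -WhatIf.

```powershell
# Added example (not Jim B's code): zero the cached-logon entries NL$1..NL$10
# under HKLM\SECURITY\Cache as the answer describes, without deleting them and
# without touching any other value in that key. Assumes it runs as SYSTEM.

function Clear-CachedLogonEntries {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$CachePath = 'HKLM:\SECURITY\Cache',
        [int]$MaxEntries = 10   # NL$1 .. NL$10, the range named in the answer
    )

    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($who -ne 'NT AUTHORITY\SYSTEM') {
        Write-Warning "Running as $who; HKLM\SECURITY is normally only readable by SYSTEM."
    }

    if (-not (Test-Path -Path $CachePath)) {
        throw "Cannot open $CachePath (missing or access denied)."
    }

    $props   = Get-ItemProperty -Path $CachePath
    $cleared = @()
    foreach ($i in 1..$MaxEntries) {
        $name = "NL`$$i"                 # expands to NL$1, NL$2, ...
        $data = $props.$name
        if ($null -eq $data) { continue } # value absent on this machine
        $bytes = [byte[]]$data
        if (-not ($bytes | Where-Object { $_ -ne 0 })) {
            continue                      # already all zeroes, nothing to do
        }
        if ($PSCmdlet.ShouldProcess("$CachePath\$name", "overwrite $($bytes.Length) bytes with zeroes")) {
            # Same length, all zero: the entry stays present but holds no credential material.
            Set-ItemProperty -Path $CachePath -Name $name -Value (New-Object byte[] $bytes.Length) -Type Binary
            $cleared += $name
        }
    }
    $cleared
}

# Dry run first; drop -WhatIf to actually overwrite the entries.
Clear-CachedLogonEntries -WhatIf
```

After the entries are zeroed the laptop's owner must log on once while connected to the domain to repopulate their own cached verifier, otherwise they cannot log on offline, which matches the caveat in the accepted answer.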
0

GPO settings on laptops vs desktops!

tony roth
  • 3,884
  • 18
  • 14
  • Although I want laptops to cache their owner's credentials, I also want the laptops to *not* cache admin credentials in the same way as I don't want the desktops to. – kdt May 21 '10 at 16:08
  • what are you worried about, is it the lost laptop issue and concerns with the data or inappropriate software installs? deleting the cache won't help the 1st one. – tony roth May 21 '10 at 17:54