Subscribe via e-mail: Cached domain logon allows users to log on to a Windows Active Directory domain even if no domain controller is available or if the client is offline and has no network connection. As useful as this feature is, it also has some downsides, which I will discuss in this post. I will also show you how you can disable cached domain logon and how you can improve security by changing the default configuration. Everything I say in this post applies to Windows XP, Windows Vista, and Windows 7.
How cached domain logon works
Cached domain logon only works if the user has logged on once with a valid password. Windows will then store the MD5 (see comments below) hash of this password on the local disk. If the PC has no connection to an Active Directory domain controller the next time the same user logs on, Windows will authenticate the user locally using the locally stored password hash.
By default, Windows stores the password hashes of the last 10 logons. Thus, if multiple users share a PC, it is possible that the cached domain logon fails even though the user has logged on this machine before.
The main advantage of a cached domain logon is that users have access to their desktop when the network or all domain controllers are down. For mobile users, it means that they can log on with their domain account when they have no access to the corporate.
Disadvantages of cached domain logon
However, cached domain login has several disadvantages. First of all, locally stored password hashes are a significant security risk. This is especially true for notebooks that users can take with them. If the laptop ends up in the wrong hands, an attacker can run a brute force attack to find out the local administrator password. Considering that admins often log on with the domain administrator password to solve local computer problems, this is serious threat for your whole network.
You can reduce this risk by setting the number of previous logons to 1 (see below). This will ensure that the password hash of the administrator account is deleted after the user logs on because only one password hash will be stored on the disk. This way, an attacker would only be able to crack the password of a normal domain user. An even better way would be to encrypt the system drive with BitLocker.
Another disadvantage of a cached domain logon is that network connection problems can stay undetected for some time because the user doesn’t realize that he or she is working offline. Only if you work with roaming user profiles, will you get a message that there was a problem with your roaming profile:
However, many users just ignore this message, and this means that new domain policies cannot not be deployed, Windows updates are not installed, and antivirus signatures won’t be updated. If the PC comes online again after months, it will pose a severe security risk.
Moreover, in some environments it might not be desirable that users to log on if the network is offline; for example, because they can’t work anyway if they can’t access their remote applications or data. It helps the service desk personal if users can tell that they were not able to log on. You know, the kind of help desk call where a user insists that the email server must be down, not knowing that the cleaning lady unplugged the network cable.
How to disable cached domain logon
To disable cached domain logon, you can change the cachedlogonscount registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0. You can also use the Local Security Policy snap-in or change the cached domain logon settings network wide through Group Policy. You’ll find the setting “Interactive logon: Number of previous logons to cache (in case domain controller is not available” under Computer Configuration | Security Settings | Local Polices | Security Options.
Once you have set cached domain logon to 0, you have to reboot the computer. This will delete all locally stored password hashes. In the future will get this message whenever they try to log on without an available domain controller: “There are currently no log on servers available to service the logon request”.
But don’t confuse the cached domain logon password with the stored credentials in the Windows Vault. This will be the topic of my next post.
Is it possible to limit how long logons can be cached before Windows “expires” them (unless it re-establishes contact with a Domain Controller)?
This would certainly make sense, but I haven’t found such a setting during my tests.
One thing I hate about Vista/7 that XP had is one can’t change the stored domain password in Credential Manager if the domain is offline.
I think for security reasons it is better if a domain controller confirms the password change. Also, cached domain logon is only for worst case scenarios. This is not the time when users should change their passwords. However, it would make sense if one could delete the cached password hash with credential manager.
hello,
the cached password is not encrypted in MD5 but MD4 (twice), and crypted with the login name. So rainbow table are not useful, except for the english “administrator”.
The local administrator can always be enabled/changed, i guess you was thinking of the domain administrator account.
You can prevent storing the LM hash to help, and crypt the whole disk with bitlocker
http://support.microsoft.com/kb/913485
Mathieu, thanks. I think I have read somewhere that it is MD5 since Vista. I changed the article, just to be sure.