Manage stored Windows passwords

By Michael Pietroforte (MVP) - Thu, June 3, 2010 - 10 comments

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Articles in this series: Stored Windows Passwords

In the last post of my stored Windows password series, I outlined what the Windows Vault is and what kinds of passwords it stores. Today, I will show you how you can manage stored Windows passwords in your network. First, let me explain why disabling stored Windows passwords might make sense in your environment.

Security risks of stored Windows passwords

Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, you can never be sure that an attacker won't gain access by exploiting a security hole.

Even more problematic are stored passwords on mobile computers. If the system drive isn't encrypted with BitLocker, an attacker can get access to a Windows password with a brute force attack. Once the attacker logs on to Windows, he has access to all the sites whose credentials are stored in the Windows Vault of the corresponding account.

In my view it is better to use a third-party tool to store passwords, because hackers usually focus only on the integrated security mechanisms. My favorite free password-saving tool is KeePass.

Disable stored Windows passwords

It is possible to disable caching of Windows Credentials (not Certificate-Based Credentials and Generic Credentials) network-wide through Group Policy. You can configure this GPO setting in Computer Configuration | Policies | Windows Settings | Security | Security Options: Network access: Do not allow storage of passwords and credentials for network authentication.

(Screenshot: Group Policy setting "Network access: Do not allow storage of passwords and credentials for network authentication")

If this setting is enabled, you will see the message “Windows credentials have been disabled by your system administrators” in the Windows Credentials section of the Credential Manager. This setting is disabled by default, which means that Windows will store user names and passwords whenever the user selects “Remember my credentials”.

Delete stored Windows passwords

The Credential Manager allows you to remove specific credentials that you no longer want to be stored in the Windows Vault. I recommend checking which passwords Windows has already stored and deleting those that pose a high security risk.

(Screenshot: Credential Manager, deleting stored Windows passwords)

Notice that disabling password caching doesn't delete credentials that have been stored before. All this setting does is stop the stored credentials from being used. If you enable Windows Credentials caching again, all previously stored Windows passwords will be available again.

If you want to ensure that no Windows passwords are saved in your network, you can either tell your users to delete all passwords in the Credential Manager or you delete the contents of the Windows Vault in all user profiles with a script. (See “Windows Vault storage location” in my last post.)
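As an added example (not part of the original post), the following PowerShell script first reports whether the policy above is enforced on the machine (the setting is backed by the DisableDomainCreds value under the Lsa registry key) and then lists, or with -Remove deletes, the Windows Credentials the current user has stored, using the built-in cmdkey.exe. It assumes the usual "cmdkey /list" output layout; because Credential Manager is per user, run it in each user's context (for example as a logon script) rather than once as an administrator.

```powershell
# Added example, not code from the original article.
# Audit the "Do not allow storage of passwords and credentials" policy and
# list or remove the current user's stored Windows Credentials via cmdkey.exe.
param(
    [switch]$Remove,                        # without -Remove the script only reports
    [string[]]$Types = @('Domain Password') # 'Generic' and 'Domain Certificate' are not covered by the GPO
)

# The GPO setting maps to the DisableDomainCreds DWORD under the Lsa key (1 = enabled).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$enforced = ($null -ne $lsa -and $lsa.DisableDomainCreds -eq 1)
$state = if ($enforced) { 'enabled' } else { 'disabled (default: credentials are stored)' }
Write-Host "Policy 'Do not allow storage of passwords and credentials': $state"

# Parse "cmdkey /list" into objects; each entry is a Target/Type/User block.
# Assumes the standard English output lines "Target:", "Type:" and "User:".
function Get-StoredCredential {
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

$stored = Get-StoredCredential | Where-Object { $Types -contains $_.Type }
if (-not $stored) { Write-Host 'No stored credentials of the selected type(s).'; exit 0 }

foreach ($cred in $stored) {
    # cmdkey shows targets as e.g. "Domain:target=server01"; /delete takes the bare name.
    $name = $cred.Target -replace '^\w+:target=', ''
    if ($Remove) {
        cmdkey "/delete:$name" | Out-Null
        Write-Host ("Removed {0} ({1}, user {2})" -f $name, $cred.Type, $cred.User)
    } else {
        Write-Host ("Stored:  {0} ({1}, user {2})" -f $name, $cred.Type, $cred.User)
    }
}
```

Run it without parameters first to see what would be removed; enabling the GPO alone leaves these entries in place, as the article notes.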

Working without stored Windows passwords

Also, note that disabling password caching doesn’t mean that users have to provide a user name and password whenever they map a folder to a network share. If the user is already authenticated, for example at an Active Directory domain, Windows will automatically use these credentials without prompting for a user name and password.

Only if the user selects "Connect using different credentials" will he or she be prompted for a user name and password. If storage of passwords and credentials for network authentication is allowed, the corresponding credentials will be stored in the Windows Vault and will always be used in the future for the corresponding network folder.


10 Comments

  1. Sami says:

    This will also disable the certificate-based credentials. I haven't found a solution to only disable the Windows credentials. Have you?

  2. Sorry no. And I somehow doubt that it is possible. Perhaps you can write a script that deletes stored passwords regularly.

  3. Masi says:

    Hi, do you know how to disable the Generic Credentials store, the one that pops up when you have to sign in to a website or give proxy credentials? In GPO or as a reg key.
    Thanks in advance

  4. Rory says:

    Is there a way to have the policy enabled (disable the saving of domain creds) and still auto attach to a network share with a different domain account? I need to login to a machine with a domain account that gives me admin permissions but need a drive mapped that I can only get to with a regular user account.

  5. Will says:

    Will making this change in any way prevent users from logging on to their laptops when not connected to the domain, such as when they take their computer home at night?

  6. Anh Le says:

    Is there a way to also disable the Generic Credentials via GPO. I’ve disabled the Windows Credentials per your instructions above but it did not disable the Generic Credentials. Please advise.

    Thank you and thank you for the article. It really helps.

  7. dee says:

    I am not sure the claim about running a brute force attack on a MD5 is true.

    You claimed ” you can run a brute force attack on MD5 to get at a password”

    MD5 is not reversible.

  8. dee, with a brute force attack you just try different passwords and generate the corresponding hash values until you find the one in the password file.

  9. samith says:

    Dear all,

    I have Windows XP SP3 and have 2 user accounts:
    1. The Administrator account; this user account stores and remembers the network user name and password credentials.
    2. The simple user account; this user account can't store and remember the network user name and password credentials after we restart the computer.

    Does anyone know how to solve this problem? In my company so many users complain about this when they try to access a network share resource or a network printer; it always prompts for a user name and password.

    I am waiting for you all to help me.

    thanks

  10. Tom says:

    Disabling storage of credentials kills the ability to run scheduled tasks…
