Subscribe via e-mail: - Cached domain logon
- Windows Vault
- Manage stored Windows passwords
- Saved Internet Explorer passwords
- FREE: Network Password Recovery – Windows password recovery
In the last post of my stored Windows password series, I outlined what the Windows Vault is and what kinds of passwords it stores. Today, I will show you how you can manage stored Windows passwords in your network. First, let me explain why disabling stored Windows passwords might make sense in your environment.
Security risks of stored Windows passwords
Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, you never can be sure that an attacker can’t get access by exploiting a security hole.
Even more problematic are stored passwords on mobile computers. If the system drive isn’t encrypted with BitLocker, an attacker can get access to a Windows password with a brute force attack. Once the attacker logs on to Windows, he has access to all the sites that are stored in the Windows Vault of the corresponding account.
In my view it is better to use a third party tool to store passwords because hackers usually focus only on integrated security mechanisms. My favorite free password saving tool is KeePass.
Disable stored Windows passwords
It is possible to disable caching of Windows Credentials (not Certificate-Based credentials and Generic Credentials) network wide through Group Policy. You can configure this GPO setting in Computer Configuration | Policies | Windows Settings | Security | Security Options: Network access: Do not allow storage of passwords and credentials for network authentication.
If this setting is enabled, you will see the message “Windows credentials have been disabled by your system administrators” in the Windows Credentials section of the Credential Manager. This setting is disabled by default, which means that Windows will store user names and passwords whenever the user selects “Remember my credentials”.
Delete stored Windows passwords
The Credential Manager allows you to remove specific credentials that you no longer want to be stored in the Windows Vault. I recommend checking which passwords Windows has already stored and delete those that pose a high security risk.
Notice that disabling password caching doesn’t delete credentials that have been stored before. All this setting does is to stop credentials from being used any longer. If you enable Windows Credentials caching again, all stored Windows passwords will also be available again.
If you want to ensure that no Windows passwords are saved in your network, you can either tell your users to delete all passwords in the Credential Manager or you delete the contents of the Windows Vault in all user profiles with a script. (See “Windows Vault storage location” in my last post.)
Working without stored Windows passwords
Also, note that disabling password caching doesn’t mean that users have to provide a user name and password whenever they map a folder to a network share. If the user is already authenticated, for example at an Active Directory domain, Windows will automatically use these credentials without prompting for a user name and password.
Only if the user selects “Connect using different credentials” will he or she require a user name and password. If storage of passwords and credentials for network authentication is enabled, the corresponding credentials will be stored in the Windows Vault and will always be used in the future for the corresponding network folder.
This will also disable the certificate-based credentials. I havent found a solution to only disable the windows credentials. Have you?
Sorry no. And I somehow doubt that it is possible. Perhaps you can write a script that deletes stored passwords regularly.
Hi, do you know how to disable the Generic Credentials Store, the one who pop’s up when you have to sign in to a website? or give proxy credentials? In GPO or as reg-key.
thanks in advance
Is there a way to have the policy enabled (disable the saving of domain creds) and still auto attach to a network share with a different domain account? I need to login to a machine with a domain account that gives me admin permissions but need a drive mapped that I can only get to with a regular user account.
Will making this change in any way prevent users from logging on to their laptops when not connected ot the domain, such as when they take their compute rhome at night?
Is there a way to also disable the Generic Credentials via GPO. I’ve disabled the Windows Credentials per your instructions above but it did not disable the Generic Credentials. Please advise.
Thank you and thank you for the article. It really helps.
I am not sure the claim about running a brute force attack on a MD5 is true.
You claimed ” you can run a brute force attack on MD5 to get at a password”
MD5 is not reversible.
dee, with an brute force attack you just try different passwords and generate the corresponding hash values until you found the one in the password file.
Dear all,
I have window XP sp3, and have 2 user account
1. is Administrator account, this user account store and remember the Network username and passwords credential.
2. is the simple user account, this user account can’t sotre and remember the Network username and passwords credential, after we restart the computer.
Anyone know how to solve this problem, cos in my company so many user that complain about this when they to access the network share resource or Network printer, it alway promt for username and password.
I am waiting for you all to help me.
thanks