In the last post of my stored Windows password series, I outlined what the Windows Vault is and what kinds of passwords it stores. Today, I will show you how you can manage stored Windows passwords in your network. First, let me explain why disabling stored Windows passwords might make sense in your environment.
Security risks of stored Windows passwords
Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, you never can be sure that an attacker can’t get access by exploiting a security hole.
Even more problematic are stored passwords on mobile computers. If the system drive isn’t encrypted with BitLocker, an attacker can get access to a Windows password with a brute force attack. Once the attacker logs on to Windows, he has access to all the sites that are stored in the Windows Vault of the corresponding account.
In my view it is better to use a third party tool to store passwords because hackers usually focus only on integrated security mechanisms. My favorite free password saving tool is KeePass.
Disable stored Windows passwords
It is possible to disable caching of Windows Credentials (not Certificate-Based credentials and Generic Credentials) network wide through Group Policy. You can configure this GPO setting in Computer Configuration | Policies | Windows Settings | Security | Security Options: Network access: Do not allow storage of passwords and credentials for network authentication.
If this setting is enabled, you will see the message “Windows credentials have been disabled by your system administrators” in the Windows Credentials section of the Credential Manager. This setting is disabled by default, which means that Windows will store user names and passwords whenever the user selects “Remember my credentials”.
Delete stored Windows passwords
The Credential Manager allows you to remove specific credentials that you no longer want to be stored in the Windows Vault. I recommend checking which passwords Windows has already stored and delete those that pose a high security risk.
Notice that disabling password caching doesn’t delete credentials that have been stored before. All this setting does is to stop credentials from being used any longer. If you enable Windows Credentials caching again, all stored Windows passwords will also be available again.
If you want to ensure that no Windows passwords are saved in your network, you can either tell your users to delete all passwords in the Credential Manager or you delete the contents of the Windows Vault in all user profiles with a script. (See “Windows Vault storage location” in my last post.)
Working without stored Windows passwords
Also, note that disabling password caching doesn’t mean that users have to provide a user name and password whenever they map a folder to a network share. If the user is already authenticated, for example at an Active Directory domain, Windows will automatically use these credentials without prompting for a user name and password.
Only if the user selects “Connect using different credentials” will he or she require a user name and password. If storage of passwords and credentials for network authentication is enabled, the corresponding credentials will be stored in the Windows Vault and will always be used in the future for the corresponding network folder.