Cached domain logon allows users to log on to a Windows Active Directory domain even if no domain controller is available or if the client is offline and has no network connection. As useful as this feature is, it also has some downsides, which I will discuss in this post. I will also show you how you can disable cached domain logon and how you can improve security by changing the default configuration. Everything I say in this post applies to Windows XP, Windows Vista, and Windows 7.

How cached domain logon works

Cached domain logon only works if the user has logged on once with a valid password. Windows will then store the MD5 (see comments below) hash of this password on the local disk. If the PC has no connection to an Active Directory domain controller the next time the same user logs on, Windows will authenticate the user locally using the locally stored password hash.

(more…)

Windows Vault, in Windows 7, is the new name for Stored User Names and Passwords in Vista and Windows XP. In this article, I will explain what kinds of passwords are stored in the Windows Vault and in my next post I will describe how you can disable password caching.

Credential Manager

You can access the Windows Vault through the Credential Manager. The easiest way is by just typing “Credential Manager” in the Windows 7 Start Menu search prompt. You can also access the Credential Manager through the Control Panel: -> User Accounts -> User Accounts. The link to the Credential Manager can be found in the left navigation bar.

(more…)

In the last post of my stored Windows password series, I outlined what the Windows Vault is and what kinds of passwords it stores. Today, I will show you how you can manage stored Windows passwords in your network. First, let me explain why disabling stored Windows passwords might make sense in your environment.

Security risks of stored Windows passwords

Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, you never can be sure that an attacker can’t get access by exploiting a security hole.

Even more problematic are stored passwords on mobile computers. If the system drive isn’t encrypted with BitLocker, an attacker can get access to a Windows password with a brute force attack. Once the attacker logs on to Windows, he has access to all the sites that are stored in the Windows Vault of the corresponding account.

(more…)

In the last three articles in my series on stored passwords, I mainly discussed Windows-related passwords. Today, I will focus on saved Internet Explorer passwords.

The two types of saved Internet Explorer passwords

I already mentioned in my post about the Windows Vault that some saved Internet Explorer passwords can be managed with the Credential Manager. These are HTTP authentication passwords, that is, passwords that are used to authenticate against a Web server (Internet Information Server, Apache, etc.). Passwords that are used to log on to a Web site with an HTML form (through a content management system) are not stored in the Windows Vault.

You can make out the difference between these two authentication forms easily. HTTP authentication always prompts a separate dialog window in Internet Explorer where you have to enter the credentials. HTML authentication is usually integrated within the Web page. This also makes clear why these passwords are not stored in the Window Vault.

(more…)

Nirsoft’s Network Password Recovery is a free tool that supports Windows password recovery from the Windows Vault in Windows 7, Vista, and Windows XP.

In my article about the Windows Vault I outlined why it is a security risk to store network passwords with Windows integrated functions on PCs. I think Nirsoft’s Network Password Recovery is a perfect tool to demonstrate to Windows admins that the Windows Vault is not really a vault in the literal sense.

(more…)

Rate this tool: (3 votes, average: 4.33 out of 5)

 Loading ...

Submit a free admin tool | Free admin tools index | Browse free admin tools