Cached domain logon allows users to log on to a Windows Active Directory domain even if no domain controller is available or if the client is offline and has no network connection. As useful as this feature is, it also has some downsides, which I will discuss in this post. I will also show you how you can disable cached domain logon and how you can improve security by changing the default configuration. Everything I say in this post applies to Windows XP, Windows Vista, and Windows 7.
- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
How cached domain logon works ^
Cached domain logon only works if the user has logged on once with a valid password. Windows will then store the MD5 (see comments below) hash of this password on the local disk. If the PC has no connection to an Active Directory domain controller the next time the same user logs on, Windows will authenticate the user locally using the locally stored password hash.
By default, Windows stores the password hashes of the last 10 logons. Thus, if multiple users share a PC, it is possible that the cached domain logon fails even though the user has logged on this machine before.
The main advantage of a cached domain logon is that users have access to their desktop when the network or all domain controllers are down. For mobile users, it means that they can log on with their domain account when they have no access to the corporate.
Disadvantages of cached domain logon ^
However, cached domain login has several disadvantages. First of all, locally stored password hashes are a significant security risk. This is especially true for notebooks that users can take with them. If the laptop ends up in the wrong hands, an attacker can run a brute force attack to find out the local administrator password. Considering that admins often log on with the domain administrator password to solve local computer problems, this is serious threat for your whole network.
You can reduce this risk by setting the number of previous logons to 1 (see below). This will ensure that the password hash of the administrator account is deleted after the user logs on because only one password hash will be stored on the disk. This way, an attacker would only be able to crack the password of a normal domain user. An even better way would be to encrypt the system drive with BitLocker.
Another disadvantage of a cached domain logon is that network connection problems can stay undetected for some time because the user doesn't realize that he or she is working offline. Only if you work with roaming user profiles, will you get a message that there was a problem with your roaming profile:
However, many users just ignore this message, and this means that new domain policies cannot not be deployed, Windows updates are not installed, and antivirus signatures won't be updated. If the PC comes online again after months, it will pose a severe security risk.
Moreover, in some environments it might not be desirable that users to log on if the network is offline; for example, because they can't work anyway if they can't access their remote applications or data. It helps the service desk personal if users can tell that they were not able to log on. You know, the kind of help desk call where a user insists that the email server must be down, not knowing that the cleaning lady unplugged the network cable.
How to disable cached domain logon ^
To disable cached domain logon, you can change the cachedlogonscount registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0. You can also use the Local Security Policy snap-in or change the cached domain logon settings network wide through Group Policy. You'll find the setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available" under Computer Configuration | Security Settings | Local Polices | Security Options.
Once you have set cached domain logon to 0, you have to reboot the computer. This will delete all locally stored password hashes. In the future will get this message whenever they try to log on without an available domain controller: "There are currently no log on servers available to service the logon request".
But don't confuse the cached domain logon password with the stored credentials in the Windows Vault. This will be the topic of my next post.