Manage stored Windows passwords

In the last post of my stored Windows password series, I outlined what the Windows Vault is and what kinds of passwords it stores. Today, I will show you how you can manage stored Windows passwords in your network. First, let me explain why disabling stored Windows passwords might make sense in your environment.

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.

Security risks of stored Windows passwords

Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, the keys that protect them live on the same machine and are tied to the user's logon, so you can never be sure that an attacker won't get at them by exploiting a security hole.

Even more problematic are stored passwords on mobile computers. If the system drive isn't encrypted with BitLocker, an attacker with physical access can boot from another medium, copy the password hashes from the disk, and brute-force the Windows password offline. Once the attacker logs on to Windows with that password, he has access to all the sites whose credentials are stored in the Windows Vault of the corresponding account. (Merely resetting the password with an offline tool is not enough, because the keys that protect the vault are derived from the user's real password; this is why cracking the password matters.)

In my view it is better to use a third-party tool to store passwords. Attack tools and malware usually target the integrated security mechanisms first, and a dedicated password manager keeps its database in a separate, encrypted file that is unlocked with its own master password rather than automatically with the Windows logon. My favorite free password-saving tool is KeePass.

Disable stored Windows passwords

It is possible to disable caching of Windows Credentials, that is, the credentials Windows uses for network (domain) authentication, network-wide through Group Policy (Generic Credentials are not affected). You can configure this GPO setting in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options: Network access: Do not allow storage of passwords and credentials for network authentication. Behind the scenes, the setting writes the DWORD value DisableDomainCreds under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = enabled).

Screenshot: Group Policy setting "Network access: Do not allow storage of passwords and credentials for network authentication"

If this setting is enabled, you will see the message "Windows credentials have been disabled by your system administrators" in the Windows Credentials section of the Credential Manager. The setting is disabled by default (and "Not Defined" in a new GPO has the same effect), which means that Windows will store user names and passwords whenever the user selects "Remember my credentials".
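The following PowerShell script is an added example and not code from the original post. It reads and sets the registry value behind the policy (DisableDomainCreds under the Lsa key; 1 = Enabled, 0 or absent = Disabled, the default) and audits a list of computers over PowerShell remoting. Setting the value directly is meant for standalone or test machines; on domain members a GPO that configures the setting rewrites the value at the next policy refresh, so change it through Group Policy there. The computer names in the audit call are placeholders.

```powershell
# Added example, not from the original post: check, set and audit
# "Network access: Do not allow storage of passwords and credentials for
# network authentication". Run in an elevated prompt to change the value.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableDomainCreds'

function Get-DomainCredStoragePolicy {
    # Returns 'Enabled' when Credential Manager must not store Windows credentials,
    # 'Disabled' when the value is 0 or missing (the Windows default).
    $props = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($props.$ValueName -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-DomainCredStoragePolicy {
    # Writes the value locally. New credentials are refused immediately, but
    # credentials stored earlier remain in the vault (see the next section).
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $data -Type DWord
    Get-DomainCredStoragePolicy
}

function Get-DomainCredStoragePolicyReport {
    # Audits remote machines; needs WinRM (PowerShell remoting) and admin rights.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Policy   = if ($v -eq 1) { 'Enabled' } else { 'Disabled' }
        }
    } | Select-Object Computer, Policy
}

# Usage on the local machine:
"Before: $(Get-DomainCredStoragePolicy)"
Set-DomainCredStoragePolicy -State Enabled
"After:  $(Get-DomainCredStoragePolicy)"

# Audit example (placeholder computer names):
# Get-DomainCredStoragePolicyReport -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

After enabling the setting, open the Credential Manager or run cmdkey /list: the credentials that were already stored are still listed, which is exactly the point of the next section.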

Delete stored Windows passwords

The Credential Manager allows you to remove specific credentials that you no longer want to be stored in the Windows Vault. I recommend checking which passwords Windows has already stored and deleting those that pose a high security risk.

Screenshot: Deleting stored Windows passwords in the Credential Manager

Notice that disabling password caching doesn't delete credentials that have been stored before. All this setting does is stop Windows from using those credentials. If you enable Windows Credentials caching again, all stored Windows passwords will be available again.

If you want to ensure that no Windows passwords are saved in your network, you can either tell your users to delete all passwords in the Credential Manager or delete the contents of the Windows Vault in all user profiles with a script. Because the vault is per user, such a script has to run in the context of each user, for example as a logon script. (See "Windows Vault storage location" in my last post.)
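Rather than deleting the vault files in the profile, a script can remove the credentials through the same interface the Credential Manager uses. The PowerShell script below is an added example, not code from the original post: it parses the output of cmdkey /list into objects, shows them, and deletes the entries of type "Domain Password" (the "Windows Credentials" this post is about), leaving generic credentials alone. It assumes English-locale cmdkey output and must run as the user whose vault is to be cleaned, for example from a logon script; the -TargetPattern value in the last line is only an illustration.

```powershell
# Added example, not from the original post: audit and remove stored
# Windows credentials of the current user via cmdkey.

function Get-StoredCredential {
    # Turns the "Target:/Type:/User:" blocks printed by "cmdkey /list" into objects.
    # The target name is stored with a prefix such as "Domain:target=" or
    # "LegacyGeneric:target="; "cmdkey /delete" expects the name without it.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(?<prefix>[^:]+:target=)?(?<name>.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Target = $Matches.name.Trim()
                Prefix = $Matches.prefix
                Type   = ''
                User   = ''
            }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    $entries
}

function Remove-StoredWindowsCredential {
    # Deletes stored credentials whose type is in -Types (default: the
    # "Domain Password" entries) and whose target matches -TargetPattern.
    # Supports -WhatIf so you can audit before deleting anything.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TargetPattern = '.*',
        [string[]]$Types = @('Domain Password')
    )
    $toDelete = Get-StoredCredential |
        Where-Object { $_.Type -in $Types -and $_.Target -match $TargetPattern }
    foreach ($cred in $toDelete) {
        if ($PSCmdlet.ShouldProcess("$($cred.Target) ($($cred.User))", 'Delete stored credential')) {
            cmdkey "/delete:$($cred.Target)" | Out-Null
        }
    }
}

# Audit first: list everything the Credential Manager currently holds.
Get-StoredCredential | Format-Table Type, Target, User -AutoSize

# Dry run, then the real thing. The pattern 'TERMSRV' (saved RDP logons)
# is only an illustration; omit it to remove all stored Windows credentials.
Remove-StoredWindowsCredential -WhatIf
# Remove-StoredWindowsCredential -TargetPattern 'TERMSRV'
```

Run the dry run once per user before deploying the script as a logon script; the -WhatIf output tells you exactly which targets and user names would disappear, and generic credentials (for example those saved by browsers or Git) are untouched unless you add 'Generic' to -Types.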

Working without stored Windows passwords

Also, note that disabling password caching doesn't mean that users have to provide a user name and password whenever they map a network share to a drive letter. If the user is already authenticated, for example at an Active Directory domain, Windows will automatically use the logon credentials without prompting for a user name and password.

Only if the user selects "Connect using different credentials" will he or she be asked for a user name and password. If storage of passwords and credentials for network authentication is allowed, the corresponding credentials will be stored in the Windows Vault and will always be used in the future for that network folder.

10 Comments
  1. Sami 6 years ago

    This will also disable the certificate-based credentials. I haven't found a solution to only disable the Windows credentials. Have you?

  2. Michael Pietroforte 6 years ago

    Sorry no. And I somehow doubt that it is possible. Perhaps you can write a script that deletes stored passwords regularly.

  3. Masi 6 years ago

    Hi, do you know how to disable the Generic Credentials store, the one that pops up when you have to sign in to a website or give proxy credentials? In GPO or as a reg key.
    Thanks in advance.

  4. Rory 6 years ago

    Is there a way to have the policy enabled (disable the saving of domain creds) and still auto attach to a network share with a different domain account? I need to login to a machine with a domain account that gives me admin permissions but need a drive mapped that I can only get to with a regular user account.

  5. Will 5 years ago

    Will making this change in any way prevent users from logging on to their laptops when not connected to the domain, such as when they take their computer home at night?

  6. Anh Le 4 years ago

    Is there a way to also disable the Generic Credentials via GPO. I’ve disabled the Windows Credentials per your instructions above but it did not disable the Generic Credentials. Please advise.

    Thank you and thank you for the article. It really helps.

  7. dee 4 years ago

    I am not sure the claim about running a brute force attack on a MD5 is true.

    You claimed "you can run a brute force attack on MD5 to get at a password".

    MD5 is not reversible.

  8. Michael Pietroforte 4 years ago

    dee, with a brute force attack you just try different passwords and generate the corresponding hash values until you find the one in the password file.

  9. samith 4 years ago

    Dear all,

    I have Windows XP SP3 and two user accounts:
    1. The Administrator account; this user account stores and remembers the network user name and password credentials.
    2. The simple user account; this user account can't store and remember the network user name and password credentials after we restart the computer.

    Does anyone know how to solve this problem? In my company so many users complain about this when they access a network share or network printer; it always prompts for a user name and password.

    I am waiting for you all to help me.

    Thanks.

  10. Tom 3 years ago

    Disabling storage of credentials kills the ability to run scheduled tasks…

© 4sysops 2006 - 2016