Where is the user's password cached when you have a GPO setting on
Interactive logon: Number of previous logons to cache (in case domain
controller is not available)? Is it stored in LSASS secrets?

If we set our server to not store local cache of user's password what
application or other things will break? I understand that if you turn that
off and there is no domain controller available that you will be unable to
logon to that server in that domain... But what other hidden gotchas are out
there that I might not be thinking of?

Re: Local Caching by Karl
Sat Jul 30 08:00:46 CDT 2005


"Keith" <Keith@discussions.microsoft.com> wrote in message
news:FE0E24EB-46AE-4421-92BC-50191250765A@microsoft.com...

> If we set our server to not store local cache of user's password what
> application or other things will break? I understand that if you turn that
> off and there is no domain controller available that you will be unable to
> logon to that server in that domain... But what other hidden gotchas are out
> there that I might not be thinking of?

I'm not aware of anything else that will break... except that very rarely
you may encounter a problem that is fairly easily fixed by unplugging the
network cable and logging in with cached credentials, and fairly difficult
to fix if this is not an option. The most recent example was an
incompatibility with Sophos antivirus and Windows 2000 post SP-4 rollup 1.
Another example is if you use a utility to change all the local
administrator passwords on all your systems remotely across the network
[such as a batch file with the CUSRMGR.EXE command] and something goes wrong
to make the password not work so that you cannot log in locally.

You may know this, but I want to make sure you know that the setting we're
discussing ONLY affects and caches passwords when users log in locally at
the console. This setting and password caching does not apply when logging
in across the network. When the domain controller is down, you won't be
able to log into a server remotely unless you use an ID and password that is
set up as a local account on that target server [or your locally cached
domain ID and password happens to exactly match a local account on that
target server].

Re: Local Caching by clark
Sat Jul 30 11:33:01 CDT 2005

cached hashes are stored here: hklm\security\cache\nl$x where x is a decimal
number. this registry entry comes from %systemroot%\system32\config\security
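The following PowerShell audit script is an added example, not code posted by anyone in this thread. It ties together the question and the two answers above: it reads the policy value behind "Interactive logon: Number of previous logons to cache", tries to count the NL$x slots under HKLM\SECURITY\Cache, and checks whether a domain controller answers right now, which is the only situation in which the cache is consulted. Two assumptions are not stated in the thread: that the GPO setting is backed by the CachedLogonsCount value under the Winlogon registry key (default 10 when absent), and that HKLM\SECURITY is ACLed to SYSTEM only, so an ordinary administrator session will see the slot count reported as not readable rather than a number.

```powershell
# Added audit script (not from the thread). Reports the cached-logon policy this
# machine enforces, whether the SECURITY hive cache slots are readable from the
# current context, and whether a domain controller can be reached right now.
# Assumptions not stated in the thread: the GPO setting is backed by the
# CachedLogonsCount value under the Winlogon key, and HKLM\SECURITY is ACLed to
# SYSTEM only, so the slot count normally reads as "not readable" for an
# ordinary administrator session.

function Get-CachedLogonPolicy {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    # The value is stored as a string; when it is absent the OS default of 10 applies.
    $count = if ($null -ne $item) { [int]$item.CachedLogonsCount } else { 10 }
    [pscustomobject]@{
        CachedLogonsCount = $count
        CachingDisabled   = ($count -eq 0)
    }
}

function Get-CachedLogonSlotCount {
    # Cached entries live as values NL$1..NL$n (plus NL$Control) under this key.
    try {
        $key   = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
        $slots = $key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' }
        [pscustomobject]@{ Readable = $true;  SlotCount = @($slots).Count }
    } catch {
        # Access denied here is expected unless running as SYSTEM.
        [pscustomobject]@{ Readable = $false; SlotCount = $null }
    }
}

function Test-DomainControllerReachable {
    # The locator call throws when the machine is not domain-joined or no DC answers;
    # the latter is exactly the case in which the logon cache is consulted.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController()
        [pscustomobject]@{ Reachable = $true;  DomainController = $dc.Name }
    } catch {
        [pscustomobject]@{ Reachable = $false; DomainController = $null }
    }
}

$policy = Get-CachedLogonPolicy
$slots  = Get-CachedLogonSlotCount
$dc     = Test-DomainControllerReachable

$slotText = if ($slots.Readable) { $slots.SlotCount } else { 'not readable (requires SYSTEM)' }
"CachedLogonsCount : $($policy.CachedLogonsCount)"
"Caching disabled  : $($policy.CachingDisabled)"
"NL`$ slots         : $slotText"
"DC reachable      : $($dc.Reachable) $($dc.DomainController)"

# This is the failure mode the original question asks about: caching off and no
# DC reachable means console logon with a domain account is impossible right now.
if ($policy.CachingDisabled -and -not $dc.Reachable) {
    Write-Warning 'Caching is off and no DC answers: interactive domain logon will fail until a DC is reachable.'
}
```

Run it from an elevated PowerShell prompt on the server before changing the GPO: the combination of a zero count and an unreachable DC is the state Karl warns about, where unplugging the cable and logging in with cached credentials is no longer a recovery option.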

Re: Local Caching by Roger
Sat Jul 30 15:20:38 CDT 2005

Unless you have some requirement whereby you want to insist that
domain account logins cannot happen unless the domain controller(s)
can be contacted, then you are better off just leaving the credential
caching alone, IOW if your concern is about the strength of the cache
storage and whether it presents a vulnerability to your environment,
I would not be worried if I were you, the caching is quite strong.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Keith" <Keith@discussions.microsoft.com> wrote in message
news:FE0E24EB-46AE-4421-92BC-50191250765A@microsoft.com...
> Where is the user's password cached when you have a GPO setting on
> Interactive logon: Number of previous logons to cache (in case domain
> controller is not available)? Is it stored in LSASS secrets?
>
> If we set our server to not store local cache of user's password what
> application or other things will break? I understand that if you turn that
> off and there is no domain controller available that you will be unable to
> logon to that server in that domain... But what other hidden gotchas are out
> there that I might not be thinking of?
Re: Local Caching by Karl
Sat Jul 30 16:36:54 CDT 2005

I agree completely. For almost all environments, changing this setting will
not increase your security and has the potential to cause significant
inconveniences for you and your users. This setting only applies to people
who have physical access to your computer, and in that case, those people
have a large variety of ways to get into that computer and will no doubt
crack the computer eventually. If you're really concerned about people with
physical access to your computers breaking in, that's pretty hard to prevent,
but there are a lot of other more important settings and countermeasures to
worry about first. Encrypting the entire hard disk partition with a third
party encryption software, for example.


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OGCEhQUlFHA.2396@TK2MSFTNGP12.phx.gbl...
> Unless you have some requirement whereby you want to insist that
> domain account logins cannot happen unless the domain controller(s)
> can be contacted, then you are better off just leaving the credential
> caching alone, IOW if your concern is about the strength of the cache
> storage and whether it presents a vulnerability to your environment,
> I would not be worried if I were you, the caching is quite strong.
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Keith" <Keith@discussions.microsoft.com> wrote in message
> news:FE0E24EB-46AE-4421-92BC-50191250765A@microsoft.com...
> > Where is the user's password cached when you have a GPO setting on
> > Interactive logon: Number of previous logons to cache (in case domain
> > controller is not available)? Is it stored in LSASS secrets?
> >
> > If we set our server to not store local cache of user's password what
> > application or other things will break? I understand that if you turn that
> > off and there is no domain controller available that you will be unable to
> > logon to that server in that domain... But what other hidden gotchas are out
> > there that I might not be thinking of?