Overview
By default, Windows keeps a cached copy of the domain credentials (username plus a hash derived from the account's password hash) of the last 10 users who have logged on to the computer. This feature, known as cached credential storage, lets domain users authenticate even when Active Directory (AD) is unavailable, for example on a laptop that is off the campus network.
However, an attacker with administrative access to the machine can extract these cached credentials and use them to attack the accounts that have authenticated on it in the past. Cached entries cannot be replayed directly against other systems, but they can be cracked offline, and weak passwords fall quickly.
Separately, Windows holds the NT password hashes of currently logged-on users in memory (and of local accounts in the local SAM). These hashes can be replayed as-is to authenticate to any other system that accepts the same username and password, without cracking them. This attack is commonly referred to as "passing the hash".
Mitigations
One way to mitigate cached credential attacks is to prevent Windows from storing cached credentials at all (a count of 0). However, this has the downside of preventing AD logins whenever the network or a domain controller is unavailable. A middle ground is to reduce the number of cached credentials, which lessens the number of accounts that can be stolen from any one machine.
CPP highly recommends reducing the number of cached credentials to 1. This allows the last person who authenticated to log in if the network is unavailable, but stores the minimum amount of login information. The number of cached credentials is controlled by the CachedLogonsCount value (type REG_SZ, valid range 0 to 50) under the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Keep in mind that this setting only affects domain accounts. If you log in using a local account, i.e. not an AD account, you can always log in regardless of the cached credential count.
Automated Implementation
By default, computers that join Active Directory have their cached credential count set to 1 via a domain GPO called IT-CachedCredentials1. (The underlying setting is the security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which writes the CachedLogonsCount value above.)
Manual Implementation
For computers that are not domain-joined or do not receive the GPO, CPP has also created the following .reg file to set cached credentials to 1. Download the .reg file and double-click it from an administrative account.
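As an added example (this is not CPP's .reg file, and not code from the original page), the same change can be audited and applied from an elevated PowerShell prompt. The script reads the current CachedLogonsCount value, sets it to 1 only if it differs, and verifies the write. The function names and the $Desired value are choices made for this example.

```powershell
# Added example: audit and set CachedLogonsCount with PowerShell (not CPP's .reg file).
# Run from an elevated PowerShell prompt; writing under HKLM\...\Winlogon requires administrator rights.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # REG_SZ; valid range 0-50; Windows default is 10
$Desired     = '1'                   # CPP's recommended setting (chosen for this example)

function Get-CachedLogonsCount {
    # Returns the current value as a string, or $null if the value is absent
    # (Windows then behaves as if it were set to the default of 10).
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$ValueName
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count = 1)
    # Set-ItemProperty creates the value if it does not exist.
    # -Type String keeps it REG_SZ, which is how Winlogon expects this value to be stored.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
}

$before = Get-CachedLogonsCount
if ($null -eq $before) {
    Write-Host "Current ${ValueName}: <not set, Windows default of 10 applies>"
} else {
    Write-Host "Current ${ValueName}: $before"
}

if ($before -ne $Desired) {
    Set-CachedLogonsCount -Count ([int]$Desired)
    $after = Get-CachedLogonsCount
    if ($after -eq $Desired) {
        Write-Host "Set $ValueName to $after."
    } else {
        Write-Warning "Failed to set $ValueName (value is now '$after'). Check that this prompt is elevated."
    }
} else {
    Write-Host "$ValueName is already $Desired; nothing to do."
}
```

Two caveats when using this on a domain-joined machine: if the IT-CachedCredentials1 GPO (or any other GPO setting this security option) applies to the computer, Group Policy will rewrite the value at the next policy refresh, so the GPO is the authoritative place to change it; and lowering the count does not by itself prove the change works, so confirm it with a test logon while disconnected from the network.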
References
Below are links to information about cached credentials and pass-the-hash tools.
http://support.microsoft.com/kb/172931/
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://foofus.net/fizzgig/fgdump/