Security risks of stored Windows passwords


    Passwords that are stored on a computer are always a security risk. Even though the Windows Vault encrypts the passwords, you never can be sure that an attacker can’t get access by exploiting a security hole. Even more problematic are stored passwords on mobile computers. If the system drive isn’t encrypted with an encryption solution, an attacker can get access to a Windows password with a brute force attack. Once the attacker logs on to Windows, he can gain himself admin access, which literally allows him to do “whatever he wants”.

    I need an expert to provide me with all security and non-security advantages and disadvantages of enabling the “Do not allow storage of passwords and credentials for network authentication” feature from Group Policy.

    • Changed type Salman KSZ Monday, June 9, 2014 5:38 AM
    Thursday, May 29, 2014 1:35 PM

All replies

  • The “Network access: Do not allow storage of passwords and credentials for network authentication” page explains the behaviour of this option:

    Possible values

    • Enabled

      Credential Manager does not store passwords and credentials on the computer.
    • Disabled

      Credential Manager will store passwords and credentials on this computer for later use for domain authentication.

    If you enable the policy, Credential Manager (aka Windows Vault) will not cache passwords and credentials locally on the computer. As per that page, the best practice is to enable the policy -- storing credentials locally could allow for an attacker to collect the credentials.

    Further down the page there is the Security Considerations section, which contains most of what I was about to write here. It details how an attacker could exploit the cached credentials and explains that by enabling this policy users will need to re-enter their credentials when accessing resources outside of the Active Directory domain (i.e. websites).

    Tuesday, June 10, 2014 9:03 PM
  • Beware! Although this security setting is a great idea, there can be major impacts to scheduled jobs. Unlike service accounts that save their credential information in the registry, the Windows Task Scheduler saves credential information in the Windows Vault. If you do not allow storage of passwords, Task Scheduler jobs that use a user account to execute will fail.

    I am currently facing this issue with my client. So far, all I can think of to work around this issue is to create an exclusion security group and ensure the members of the exclusion group have Deny set on Apply Group Policy.

    I'd love to know how others are dealing with this issue.

    It would be nice if Microsoft created a new security setting allowing an exclusion list for accounts in the domain. This way the GPO could be applied to all servers, and a simple exclude list of accounts could be maintained.

    Ernie Prescott

    Friday, March 16, 2018 1:24 PM
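A practical way to act on both replies above is to audit a host before rolling the policy out: confirm whether the policy is currently in effect, then list the scheduled tasks that depend on a password saved in Credential Manager and would therefore fail once it is enabled. The PowerShell below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes that the policy is backed by the `DisableDomainCreds` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa` (1 = enabled), that it is run with administrative rights on the host being audited, and that the built-in `Get-ScheduledTask` cmdlet is available (Windows 8 / Server 2012 and later).

```powershell
# Added audit example (not from the thread). Checks the state of
# "Network access: Do not allow storage of passwords and credentials for
# network authentication" and lists scheduled tasks that rely on a stored
# password, i.e. the jobs the second reply warns would break.
# Assumption: the policy maps to the DisableDomainCreds REG_DWORD under Lsa.

function Get-DisableDomainCredsState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
    if ($null -eq $prop)                { return 'NotConfigured' }  # absent value behaves as Disabled
    if ($prop.DisableDomainCreds -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-TasksNeedingStoredPassword {
    # LogonType 'Password' means "run whether the user is logged on or not"
    # with a password saved at registration time. S4U, ServiceAccount
    # (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and Interactive tasks hold no
    # stored password and are unaffected. Group Managed Service Accounts
    # (names ending in '$') also register with LogonType 'Password' but keep
    # no password in the vault, so they are excluded here.
    Get-ScheduledTask |
        Where-Object {
            $_.Principal.LogonType -eq 'Password' -and
            $_.Principal.UserId -notmatch '\$$'
        } |
        ForEach-Object {
            [pscustomobject]@{
                TaskPath = $_.TaskPath
                TaskName = $_.TaskName
                RunAs    = $_.Principal.UserId
                State    = $_.State
            }
        }
}

$state = Get-DisableDomainCredsState
Write-Host "DisableDomainCreds policy state: $state"

$affected = @(Get-TasksNeedingStoredPassword)
if ($affected.Count -eq 0) {
    Write-Host 'No scheduled tasks rely on a stored password.'
} else {
    Write-Host "$($affected.Count) task(s) rely on a stored password and would fail with the policy enabled:"
    $affected | Format-Table -AutoSize
}

# To see what Credential Manager currently holds for the signed-in user,
# the built-in tool is:  cmdkey /list
```

Running this on each server before the GPO is linked gives the concrete list behind the exclusion group the second reply describes. For tasks on that list that only need local resources, re-registering the principal with the S4U logon type removes the dependency on a stored password; tasks that must reach network resources under a specific identity are better moved to a Group Managed Service Account, which runs without any password held in the vault.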