Results 1 to 9 of 9

Thread: Cached Credential Security Vulnurability

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Location
    Oregon
    Posts
    2

    Exclamation Cached Credential Security Vulnurability

    In our network we run occasional Pen tests and upon our last results noticed that a breach was possible by cracking an admin's cached credentials and escalating permissions to do all sorts of "damage". We are trying to make a fix for this however here are the issues. We have laptops where people have to cache their credentials when they leave the DC.
    What would be the best way to harden our systems. I was thinking using OU's and specific GPO's like cached credential limit for laptops is 2 everyone else is 1 etc...
    Please help. Thank you!

  2. #2
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    Um.... correct me if I am wrong, but if the cached credentials are 'cracked' then surely the only damage that could be inflicted would be on that particular computer/laptop....

    As when using the cached credentials, any attempts to access domain/network resources would require authentication as the security token would have expired; and since the credentials are no longer current/valid access would not be granted.

    I was thinking using OU's and specific GPO's like cached credential limit for laptops is 2 everyone else is 1 etc...
    In this case, I think that disabling cached credentials would be the most secure option for all computer that do not leave the office and enabled for any laptops that are not able to reach the domain externally.... otherwise allow remote dial-up login for authentication or setup a local account for use outsite of the domain.

    [garbled comments about this post here] <--- You all know what I am thinking as 918 views to this post later and not one reply?


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  3. #3
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I was under the impression that the systems cached domain credentials, which could be cracked, and then used to login to a different machine on the network. I can use my domain login off of the network, so the hash has to be stored locally for me to authenticate. If they are able to break that hash, they can then use the password to log into a different machine, as that user. I could be way off here, but I think I see the validity of the post.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  4. #4
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    If they crack the cached credentials, then when the user logs back onto the network after being remote it will be compromised?
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  5. #5
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    Yep - so all in all, disable cached credentials. This way there is nothing to crack.

    This also means that network logon will not be possible unless the DC is within reach, so a local account would be the ideal method of logging on when outside of the domain network.

    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Stupid question - If you log in with a local account outside of the DC will you be able to download your e-mail? I know u can use HTTP for email downloading but will it work using a local profile versus a DC profile ...
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    Yea, you can still access your mail with a local account, however you will need to authenticate against the mail server with domain creds.
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  8. #8
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Stupid question as though i am trying to setup up my exchange mail at one ...

    Doh!

    +1 for being an idiot
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  9. #9
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    All good After all, the only real stupid question is the one you dont ask.


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

Similar Threads

  1. Ethical Hacking!
    By E5C4P3 in forum AntiOnline's General Chit Chat
    Replies: 33
    Last Post: January 17th, 2008, 12:40 AM
  2. Microsoft plans Windows overhaul to fight hackers
    By tekno in forum Microsoft Security Discussions
    Replies: 61
    Last Post: October 15th, 2003, 07:51 AM
  3. NEWS: This weeks security news. 10/2/02
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: October 2nd, 2002, 09:32 PM
  4. NEWS: This Week in Security
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: July 18th, 2002, 04:36 AM
  5. Latest SANS Update
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 0
    Last Post: May 29th, 2002, 09:27 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •