October 1st, 2009, 06:21 PM
#1
Junior Member
Cached Credential Security Vulnerability
In our network we run occasional pen tests, and in our last results we noticed that a breach was possible by cracking an admin's cached credentials and escalating permissions to do all sorts of "damage". We are trying to make a fix for this; however, here are the issues. We have laptops where people have to cache their credentials when they leave the DC.
What would be the best way to harden our systems? I was thinking of using OUs and specific GPOs, e.g. the cached credential limit for laptops is 2, everyone else is 1, etc.
Please help. Thank you!
October 9th, 2009, 09:59 AM
#2
Um.... correct me if I am wrong, but if the cached credentials are 'cracked' then surely the only damage that could be inflicted would be on that particular computer/laptop....
As when using the cached credentials, any attempts to access domain/network resources would require authentication, as the security token would have expired; and since the credentials are no longer current/valid, access would not be granted.
I was thinking of using OUs and specific GPOs, e.g. the cached credential limit for laptops is 2, everyone else is 1, etc.
In this case, I think that disabling cached credentials would be the most secure option for all computers that do not leave the office, and enabling it for any laptops that are not able to reach the domain externally.... otherwise allow remote dial-up login for authentication or set up a local account for use outside of the domain.
[garbled comments about this post here] <--- You all know what I am thinking, as 918 views to this post later and not one reply?
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
October 9th, 2009, 10:59 PM
#3
I was under the impression that the systems cached domain credentials, which could be cracked, and then used to login to a different machine on the network. I can use my domain login off of the network, so the hash has to be stored locally for me to authenticate. If they are able to break that hash, they can then use the password to log into a different machine, as that user. I could be way off here, but I think I see the validity of the post.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
October 12th, 2009, 08:47 AM
#4
If they crack the cached credentials, then when the user logs back onto the network after being remote, it will be compromised?
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
October 12th, 2009, 09:20 AM
#5
Yep - so all in all, disable cached credentials. This way there is nothing to crack.
This also means that network logon will not be possible unless the DC is within reach, so a local account would be the ideal method of logging on when outside of the domain network.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
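The limit discussed in #1 and #5 is the Group Policy setting "Interactive logon: Number of previous logons to cache", which Windows stores as the REG_SZ value CachedLogonsCount under the Winlogon key. As an added example (not from this thread), the following PowerShell script audits that value on a machine and corrects it to the thread's proposed policy; it assumes laptops are identified by chassis type or battery presence, and that the target values are 2 for laptops and 0 (no cache at all) for everything else.

```powershell
# Added example: audit/enforce the cached-logon count that the GPO
# "Interactive logon: Number of previous logons to cache" writes to the registry.
# Desktops get 0 so no domain credential verifier is stored locally;
# laptops keep a small cache so users can still log on away from the DC.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Name = 'CachedLogonsCount'

function Test-IsLaptop {
    # Assumption: DMTF chassis types 8 (Portable), 9 (Laptop), 10 (Notebook)
    # and 14 (Sub Notebook), or a battery being present, mean "laptop".
    $portable = 8, 9, 10, 14
    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $hasBattery = [bool](Get-CimInstance -ClassName Win32_Battery)
    $match = @($chassis | Where-Object { $portable -contains $_ })
    return ($match.Count -gt 0) -or $hasBattery
}

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # Windows default when the value is absent
    return [int]$item.$Name
}

function Set-CachedLogonsCount {
    # The policy accepts 0..50; the registry stores the number as a string.
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $Path -Name $Name -Value ([string]$Count) -Type String
}

# Policy from the thread (assumed): laptops 2, everything else 0.
$desired = if (Test-IsLaptop) { 2 } else { 0 }
$current = Get-CachedLogonsCount
if ($current -ne $desired) {
    Write-Output "CachedLogonsCount is $current, policy requires $desired; correcting."
    Set-CachedLogonsCount -Count $desired
} else {
    Write-Output "CachedLogonsCount is already $desired; nothing to do."
}
```

Run it elevated; on domain-joined machines the setting should ultimately come from a GPO linked to the laptop and desktop OUs, since Group Policy refresh will overwrite a manually set value, so treat the script as an audit and a one-off correction rather than the long-term enforcement mechanism.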
October 12th, 2009, 09:33 AM
#6
Stupid question - if you log in with a local account outside of the DC, will you be able to download your e-mail? I know you can use HTTP for email downloading, but will it work using a local profile versus a DC profile ...
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
October 12th, 2009, 10:07 AM
#7
Yeah, you can still access your mail with a local account; however, you will need to authenticate against the mail server with domain creds.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
October 12th, 2009, 02:56 PM
#8
Stupid question, as though I am trying to set up my Exchange mail at one ...
Doh!
+1 for being an idiot
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
October 13th, 2009, 05:19 AM
#9
All good. After all, the only real stupid question is the one you don't ask.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein