Yep - so all in all, disable cached credentials. This way there is nothing to crack.

This also means that network logon will not be possible unless the DC is within reach, so a local account would be the ideal method of logging on when outside of the domain network.

CTO