Disable Credential Caching

What is Credential Caching?

Credential caching in Windows refers to the practice of storing a user’s credentials (such as their username and password hash) on the local machine, allowing them to log in to a system even when the domain controller is unavailable. Disabling credential caching means configuring the system to no longer store these credentials locally, requiring users to authenticate with the domain controller each time they log in. This enhances security by ensuring that credentials are not available on the local machine if it is compromised, which is especially important in environments where physical security is a concern or where machines are often taken off the network.

Risks of Credential Caching Being Enabled:

If credential caching is enabled, the following risks may be present:

  1. Credential Theft: If an attacker gains physical or remote access to a system, they could potentially extract cached credentials and use them to access other systems in the network.

  2. Lateral Movement: Cached credentials can be used by attackers to move laterally within a network, gaining unauthorized access to other machines and resources.

  3. Persistence of Old Credentials: Cached credentials may remain on a system even after a user’s account has been disabled or their password changed, potentially allowing unauthorized access. The cached history of previous passwords can also give a threat actor a basis for guessing the user’s current credentials.

Why this Remediation Effort is Important:

Disabling credential caching is crucial for reducing the attack surface in the client’s environment. By ensuring that credentials are not stored locally, you protect against scenarios where a machine is compromised, particularly when off the network or in physically insecure locations. This matters most in high-security environments or where machines are frequently used outside of a secure network.

Potential Implementation Impacts to Watch Out For:

  1. Login Failures Without Network Access: Users may be unable to log in to their machines when they are off the network or unable to reach the domain controller, which could be problematic in remote or mobile working scenarios.

  2. User Inconvenience: If a network connection is unstable or slow, users may experience delays or failures when attempting to log in, leading to frustration.

  3. Increased Support Requests: Disabling credential caching might increase the number of support requests from users who are unable to log in when away from the office or during network outages.

Technical Deployment: Creating a GPO for Disabling Credential Caching:

  1. Open Group Policy Management Console (GPMC):

    • Go to Start > Administrative Tools > Group Policy Management.

  2. Create or Edit a GPO:

    • Right-click the desired Organizational Unit (OU) or domain, and select Create a GPO in this domain, and link it here.

    • Name the GPO something descriptive, like “Disable Credential Caching”.

  3. Configure the GPO:

    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

    • Locate the policy Interactive logon: Number of previous logons to cache (in case domain controller is not available).

    • Set the value to 0 to disable credential caching.

    • Apply the GPO.

  4. Deploy the GPO:

    • Once configured, deploy the GPO to the desired OUs or across the domain.
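The steps above set the policy, but a deployment is only finished once the setting is confirmed on the endpoints it was meant to reach. The following PowerShell script is an added example for that verification step; it is not part of the original guide. It reads the registry value that backs "Interactive logon: Number of previous logons to cache" (CachedLogonsCount under the Winlogon key, a REG_SZ whose Windows default is "10"), reports whether each machine matches the expected value of 0, and records whether the machine can currently reach a domain controller, which is the condition users will depend on once caching is off. It assumes an elevated session, and for the fleet check it assumes WinRM is enabled and the caller has local administrator rights on the targets; the computer names are placeholders.

```powershell
# Added verification example (not from the original guide).
# Assumptions: elevated PowerShell; WinRM enabled for remote targets;
# the target names below are hypothetical placeholders.

function Test-CachedLogonsSetting {
    <#
    .SYNOPSIS
      Reports the effective cached-logon count on this machine and whether it
      matches the value the GPO is expected to enforce.
    .PARAMETER ExpectedCount
      The value the GPO should enforce; 0 disables credential caching.
    #>
    param(
        [int]$ExpectedCount = 0
    )

    # Paths are defined inside the function so the same script block can be
    # shipped to remote machines with Invoke-Command without losing them.
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $valueName   = 'CachedLogonsCount'   # REG_SZ; absent value means the Windows default of 10

    $item = Get-ItemProperty -Path $winlogonKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = 10
        $source  = 'default (value not present)'
    } else {
        $current = [int]$item.$valueName
        $source  = 'registry'
    }

    # With caching disabled, logon depends on the secure channel to a DC being
    # usable, so record that state alongside the setting for troubleshooting.
    try {
        $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $dcReachable = $false
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        CachedLogons  = $current
        Source        = $source
        Compliant     = ($current -eq $ExpectedCount)
        DCReachable   = $dcReachable
    }
}

# Local check, e.g. on a pilot machine after running "gpupdate /force".
Test-CachedLogonsSetting | Format-Table -AutoSize

# Fleet check once the GPO has been linked (placeholder computer names).
$targets = 'WS-PILOT-01', 'WS-PILOT-02'
$report  = Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-CachedLogonsSetting}

# Machines still caching logons after the GPO should have applied.
$report | Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, CachedLogons, Source, DCReachable -AutoSize
```

Run the local check on a pilot machine first; a non-compliant result with Source set to "default" means the GPO has not applied at all (check the link and the OU membership), while a registry value other than 0 usually points to a conflicting GPO with higher precedence.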

Implementation Tips:

  1. User Communication: Clearly communicate the change to users, especially those who may rely on cached credentials while working remotely. Provide guidance on how to handle situations where they cannot log in.

  2. Testing: Before deploying the GPO widely, test it in a controlled environment to understand the impact on users who may frequently work offline or in areas with unreliable network access.

References: