
Disable cached credentials via GPO?

  • 05-08-2013 2:21pm
    #1
    Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,106 Mod ✭✭✭✭


    I've got a fileserver exporting user shares via SMB. As part of a project I'm trying to get a bunch of bespoke legacy kit with attached Windows boxes all connected to a private network, such that users can mount their home directories on the fileserver and move data that way rather than via removable storage.

    The problem is, I know that on at least some of these machines, there are currently shared user accounts. I can't trust the users to log off/reboot between sessions, which will introduce the problem of one user being able to access another's account by the fiendish technique of attempting to map it - because even with the "Network access: Do not allow storage of passwords and credentials for network authentication" GP set, it doesn't seem to be possible to disable caching within the active logon session. As far as I can work out from this TechNet article this is because the credentials are being stored in LSASS process memory.

    The only thing I can find is the frankly ludicrous notion of opening Credential Manager and deleting the credentials there (which can't be done from the command line/by a script, as far as I can tell), then using net use * /delete /y in a batch file to drop the connections. Which is no good - I need something I can automate into a single script for users to run, or preferably to run on a timed basis. Anything requiring more than minimum effort from users, or which doesn't happen automatically, is guaranteed to fail.

    Has anyone found a useful way of resolving this?
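One way to script the two manual steps described above (remove the stored Credential Manager entries, then drop the mapped connections) so they can run from a scheduled task. This is an added example, not code from the thread; `fileserver` is a placeholder host name, and it assumes the `Target:` value that `cmdkey /list` prints is accepted back by `cmdkey /delete`. It only clears stored and mapped credentials; it does not touch the logon-session cache held in LSASS memory that the post refers to.

```powershell
# Added example: clear stored SMB credentials for a file server and drop
# all mapped connections, so the next person using a shared Windows account
# cannot simply reconnect to the previous user's home share.
param(
    [string]$FileServer = 'fileserver'   # placeholder, replace with the real host
)

# 1. Drop every current SMB connection (the 'net use * /delete /y' step from
#    the post); /y answers the "open files" confirmation prompt automatically.
net use * /delete /y | Out-Null

# 2. Remove Credential Manager entries that reference the file server.
#    'cmdkey /list' prints one 'Target: <name>' line per stored credential,
#    e.g. 'Target: Domain:target=fileserver'. Assumption: that line format,
#    and that the same <name> is accepted by 'cmdkey /delete:<name>'.
$targets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
} | Where-Object { $_ -like "*$FileServer*" }

foreach ($t in $targets) {
    cmdkey /delete:$t | Out-Null
    Write-Output "Removed stored credential: $t"
}

# 3. Purge cached Kerberos tickets for this logon session. Only relevant when
#    the share is on a domain-joined server; harmless on a standalone box.
klist purge | Out-Null

Write-Output "Connections and stored credentials for $FileServer cleared."
```

To run it unattended, register it with Task Scheduler, for example `schtasks /create /sc minute /mo 15 /tn ClearShareCreds /tr "powershell -ExecutionPolicy Bypass -File C:\path\to\clear-creds.ps1"`, so it fires every 15 minutes without user action.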


Comments

  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    Don't know if this is useful in your scenario, but...

    Apparently, "a 15-character password or greater will completely break the algorithm, and thus Windows cannot calculate and store the LM hash in memory (or on disk)". Source

    This might also be helpful.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    Torqay wrote: »
    Don't know if this is useful in your scenario, but...

    Nobody should still be using LM hash in this day and age!


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,106 Mod ✭✭✭✭Fysh


    Torqay wrote: »
    Don't know if this is useful in your scenario, but...

    Apparently, "a 15-character password or greater will completely break the algorithm, and thus Windows cannot calculate and store the LM hash in memory (or on disk)". Source

    This might also be helpful.

    Cheers, I'll spend some time reading and see whether I can get anything useful from those links :)

