
Disable cached credentials via GPO?

  • 05-08-2013 03:21PM
    #1
    Moderators, Arts Moderators, Regional Abroad Moderators, Paid Member Posts: 11,203 Mod ✭✭✭✭


    I've got a fileserver exporting user shares via SMB. As part of a project I'm trying to get a bunch of bespoke legacy kit with attached Windows boxes all connected to a private network, such that users can mount their home directories on the fileserver and move data that way rather than via removable storage.

    The problem is, I know that on at least some of these machines, there are currently shared user accounts. I can't trust the users to log off/reboot between sessions, which will introduce the problem of one user being able to access another's account by the fiendish technique of attempting to map it - because even with the "Network access: Do not allow storage of passwords and credentials for network authentication" GP set, it doesn't seem to be possible to disable caching within the active logon session. As far as I can work out from this TechNet article this is because the credentials are being stored in LSASS process memory.

    The only thing I can find is the frankly ludicrous notion of opening Credential Manager and deleting the credentials there (which can't be done from the command line/by a script, as far as I can tell), then using net use * /delete /y in a batch file to drop the connections. Which is no good - I need something I can automate into a single script for users to run, or preferably to run on a timed basis. Anything requiring more than minimum effort from users, or which doesn't happen automatically, is guaranteed to fail.

    Has anyone found a useful way of resolving this?
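One way to automate the cleanup step described above, as an added example that is not code from the thread or from any of its posters: delete the stored network credentials for the file server, then drop every mapped connection with the same `net use * /delete /y` the post uses. It assumes the built-in `cmdkey.exe` and `net.exe` are on the PATH of a Windows box; the default target filter is a constructed placeholder and should be set to the real file server name.

```powershell
# Added example (not from the boards.ie thread). Clears stored network
# credentials matching a filter, then drops all mapped SMB connections, so a
# shared-account workstation does not leave one user's home share mapped or
# silently re-mountable for the next person at the keyboard.
# Assumes cmdkey.exe and net.exe (both ship with Windows) are on the PATH.

param(
    # Only stored credentials whose target matches this wildcard are removed.
    # Pass '*' to clear every stored credential for the current user.
    [string]$TargetFilter = '*fileserver*'    # constructed placeholder
)

function Get-StoredCredentialTarget {
    # "cmdkey /list" prints one block per stored credential, for example:
    #     Target: Domain:target=fileserver.example.local
    # Return only the part after the "<kind>:target=" prefix, which is the
    # form that "cmdkey /delete:<target>" accepts.
    $output = & cmdkey.exe /list 2>&1
    foreach ($line in $output) {
        if ($line -match '^\s*Target:\s*(?:[A-Za-z]+:target=)?(.+?)\s*$') {
            $Matches[1]
        }
    }
}

function Remove-StoredCredential {
    param([Parameter(Mandatory)][string]$Filter)
    $removed = @()
    foreach ($target in Get-StoredCredentialTarget) {
        if ($target -like $Filter) {
            & cmdkey.exe "/delete:$target" | Out-Null
            if ($LASTEXITCODE -eq 0) { $removed += $target }
        }
    }
    return $removed
}

function Disconnect-AllNetworkDrives {
    # Same command the original post uses; /y suppresses the confirmation prompt.
    & net.exe use * /delete /y | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$cleared = Remove-StoredCredential -Filter $TargetFilter
Write-Host ("Removed {0} stored credential(s): {1}" -f $cleared.Count, ($cleared -join ', '))
if (Disconnect-AllNetworkDrives) {
    Write-Host 'Dropped all mapped network connections.'
}
```

Run it as the logged-on user (stored credentials are per user), for instance from a scheduled task on a timer or at session lock. It only touches Credential Manager entries and mapped drives; it does nothing about credentials the active logon session itself holds in LSASS, which is the limitation the post describes, so a full log off between users remains the only complete reset.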


Comments

  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    Don't know if this is useful in your scenario, but...

    Apparently, "a 15-character password or greater will completely break the algorithm, and thus Windows cannot calculate and store the LM hash in memory (or on disk)". Source

    This might also be helpful.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 96,053 Mod ✭✭✭✭Capt'n Midnight


    Torqay wrote: »
    Don't know if this is useful in your scenario, but...

    Nobody should still be using LM hash in this day and age!


  • Moderators, Arts Moderators, Regional Abroad Moderators, Paid Member Posts: 11,203 Mod ✭✭✭✭Fysh


    Torqay wrote: »
    Don't know if this is useful in your scenario, but...

    Apparently, "a 15-character password or greater will completely break the algorithm, and thus Windows cannot calculate and store the LM hash in memory (or on disk)". Source

    This might also be helpful.

    Cheers, I'll spend some time reading and see whether I can get anything useful from those links :)

