Logon using cached credentials

Guest

Win XP - User login happens using cached credentials when a domain controller
cannot be contacted.

How secure is this login using cached credentials? What happens if the user
is removed from the central Active Directory store? Will the user still be
able to login in the workstation using locally cached credentials? What are
the other disadvantages of using cached credentials apart from the fact that
the GPOs and other settings may not be in sync with the domain controller or
AD server?
 
Lanwench [MVP - Exchange]

Dharan Prakash said:
Win XP - User login happens using cached credentials when a domain
controller cannot be contacted.

How secure is this login using cached credentials? What happens if
the user is removed from the central Active Directory store? Will the
user still be able to login in the workstation using locally cached
credentials?

Yes. You can stop this from working entirely if you wish, via GPO. However,
it may screw up your laptop users!
What are the other disadvantages of using cached
credentials apart from the fact that the GPOs and other settings may
not be in sync with the domain controller or AD server?

I'm not sure how to answer that - personally, I think it's just fine.
Someone else may post.

You might also try posting in an Active Directory group for more help.
 
Harry Johnston

Dharan said:
Win XP - User login happens using cached credentials when a domain controller
cannot be contacted.

How secure is this login using cached credentials?

If the computer is compromised, the user's password can't be directly recovered
from the cached credentials. However, it would be possible for the attacker to
try various possible passwords in an attempt to find the correct one - this is
usually called a dictionary attack. This is only a concern if the password is weak.
What happens if the user
is removed from the central Active Directory store? Will the user still be
able to login in the workstation using locally cached credentials?

Yes, though (presumably) not when the workstation is on the network.

Harry.
 
Guest

Reasonably sure this works by way of hashing - that is, the computer stores a
scrambled version of the password (which cannot be descrambled) - when the
user types a login, this is likewise scrambled and the result compared to
the scrambled password. If they match, he is let in.

Although it sounds risky it's reasonably safe given a strong hashing-routine.

One possible issue is that a user detached from the network will continue to
be able to login indefinitely, even though the Admin has barred their domain
account. This could be a problem if a user has been dismissed but still has a
logon on a personal laptop. In this case the logon might allow access to
stored passwords in Outlook or the like for company mail, etc. Although good
practice would of course dictate that any associated mail-accounts etc. were
closed anyway.
 
Harry Johnston

Ian said:
Reasonably sure this works by way of hashing - that is, the computer stores a
scrambled version of the password (which cannot be descrambled)

Actually IIRC it hashes a combination of the username and the password.

Harry.
 
kevin

Yes, though (presumably) not when the workstation is on the network.

Harry.

I'm interested in the "presumably" qualifier here.

Could someone clarify whether the following is true:

User logs on to a system using a domain account, and logs off.
Sysadmin removes account from domain (or disables the account, or
changes the password).
User attempts to log on to domain account using original password.
Since the system has cached the user's credentials, it allows the
logon. However, simultaneously to this, the logon attempt is sent to
the domain controller.
The logon failure is received from the domain controller.
The user has the same local authorisation as he had before, but no
domain authorisation.

If the sysadmin hadn't done anything, the domain logon would succeed,
would replace the existing credentials, and the user would be fully
logged on to the system and domain.

Cheers,
kevin
 
Guest

Reasonably sure that if the domain-controller can be contacted, then the
absence of the user account will be noticed, and the logon will be refused.
Someone might like to verify that though.

Obviously nothing the admin does to the server will stop the computer being
used standalone, at least until the password expires at which time a
domain-logon becomes mandatory.
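The thread touches on three mechanisms: the cached value is a one-way hash that mixes in the username (Harry's point), a reachable domain controller decides the logon and a disabled or deleted account is refused there (kevin's sequence and the reply above), and the cache only comes into play when no DC answers, which is why an unreachable laptop keeps working until the cache is cleared or caching is disabled via the "Interactive logon: Number of previous logons to cache" policy (the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). The following Python model, added here as an illustration and not code from the thread or from Microsoft, walks through those decisions. It is a simplification: the verifier uses PBKDF2-HMAC-SHA256 with the lower-cased username as salt rather than the real Windows cached-credential format, the DC's password check is a plain comparison standing in for Kerberos/NTLM, and the account records and names (alice, bob, dc_accounts, Workstation) are constructed for the example.

```python
"""Simplified model of Windows cached domain logon (illustrative only).

Not the real DCC/MSCache format: it shows the shape of the behaviour
the thread discusses, not Microsoft's implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Work factor for the stored verifier. A stolen cache cannot be reversed;
# an attacker can only guess passwords, and each guess costs this much work.
ITERATIONS = 50_000


def cache_verifier(username: str, password: str) -> bytes:
    """One-way verifier for a (username, password) pair.

    The case-folded username acts as the salt, so two accounts sharing a
    password produce different cached values, and the value itself cannot
    be turned back into the password.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-16-le"),
        username.lower().encode("utf-16-le"),
        ITERATIONS,
    )


def check_cached(cache: dict, username: str, password: str) -> bool:
    """Recompute the verifier for the typed password and compare in constant time."""
    stored = cache.get(username.lower())
    if stored is None:
        return False
    return hmac.compare_digest(stored, cache_verifier(username, password))


@dataclass
class Workstation:
    # Mirrors the CachedLogonsCount policy: 0 disables caching entirely.
    cached_logons_count: int = 10
    # username -> verifier, insertion order = least recently logged on first
    cache: dict = field(default_factory=dict)

    def remember(self, username: str, password: str) -> None:
        """Refresh the cache entry after a successful domain logon."""
        if self.cached_logons_count == 0:
            return
        key = username.lower()
        self.cache.pop(key, None)            # move to most-recent position
        self.cache[key] = cache_verifier(username, password)
        while len(self.cache) > self.cached_logons_count:
            oldest = next(iter(self.cache))  # evict least recent entry
            del self.cache[oldest]


def domain_logon(dc_accounts: dict, username: str, password: str) -> bool:
    """Constructed stand-in for the DC: account must exist, be enabled, match."""
    acct = dc_accounts.get(username.lower())
    if acct is None or acct["disabled"]:
        return False
    return acct["password"] == password


def logon(ws: Workstation, dc_accounts: dict, dc_reachable: bool,
          username: str, password: str) -> tuple:
    """Return (allowed, path) for an interactive logon attempt.

    When a DC can be reached, its answer is final: a removed or disabled
    account is refused even though a cache entry exists. Only when no DC
    answers does the workstation fall back to the cached verifier.
    """
    if dc_reachable:
        if domain_logon(dc_accounts, username, password):
            ws.remember(username, password)
            return True, "domain"
        return False, "domain-refused"
    if check_cached(ws.cache, username, password):
        return True, "cached"
    return False, "no-cached-credentials"


if __name__ == "__main__":
    # Constructed scenario: alice logs on, is then disabled by the admin.
    dc = {"alice": {"password": "correct horse battery", "disabled": False}}
    ws = Workstation(cached_logons_count=10)
    print(logon(ws, dc, True, "alice", "correct horse battery"))   # (True, 'domain')
    dc["alice"]["disabled"] = True
    print(logon(ws, dc, True, "alice", "correct horse battery"))   # (False, 'domain-refused')
    print(logon(ws, dc, False, "alice", "correct horse battery"))  # (True, 'cached')
    ws0 = Workstation(cached_logons_count=0)
    dc["alice"]["disabled"] = False
    logon(ws0, dc, True, "alice", "correct horse battery")
    print(logon(ws0, dc, False, "alice", "correct horse battery"))  # (False, 'no-cached-credentials')
```

The last two calls show the trade-off Lanwench describes: with the cache count set to 0 the dismissed-user case goes away, but the same laptop can no longer log on anywhere a DC is unreachable.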
 
