Re: Local Caching
- From: "Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 30 Jul 2005 00:05:52 +0200
"Keith" <Keith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:938C26B0-F765-4A73-B0B6-82A4133857D3@xxxxxxxxxxxxxxxx
Where is the user's password cached when you have a GPO setting on Interactive logon: Number of previous logons to cache (in case domain controller is not available)? Is it stored in LSASS secrets?
If we set our server to not store a local cache of the user's password, what application or other things will break? I understand that if you turn that off and there is no domain controller available, you will be unable to log on to that server in that domain... But what other hidden gotchas are out there that I might not be thinking of?
Hello Keith,
It's stored in the local credential cache - the Data Protection API stores the credentials in non-reversible encryption (the same place where EFS certificates are stored). This is secure against breaking it, but not secure against brute force attacks (so it's still important that your users are educated to use good and long enough passwords). It's stored with the profile data, and the policy you mention keeps the whole profile of the user. If you use roaming profiles you don't have anything to lose but being able to log on with the cached credentials, meaning that a DC and GC must be available when trying to log in.
Sincerely,
Ulf B. Simon-Weidner