Cached credentials are not a new bug
Many years ago, back in the Windows XP era, there was a security story pointing out that you could log into a system with credentials that had already expired, because the machine still had them cached. The issue comes down to a trade-off that has to be balanced all the time: security versus usability.
The recent Ars Technica story "RDP lets you log in using revoked passwords" touches on exactly the same problem.
If you need absolute security, especially in a domain setting, you would disable cached credentials by setting the number of cached logons to 0. The idea is that if the machine cannot reach a domain controller, nobody should be able to log on to it. BUT. There is that time when the network is down or there is a configuration problem, and now nobody can log on at all.
Even more important for laptops is the need for a way to log on when offline. As noted in the ITpro article,
“Don’t set the number of logons to cache to 0 on mobile users’ laptops. These users would then be unable to log on with their domain credentials when away from the office. Although the CachedLogonsCount registry key doesn’t appear in the registry by default, Windows NT caches a set of 10 domain credentials by default. The maximum value for CachedLogonsCount is 50. When credential caching is disabled and no DC is available, a user can still log on to a machine via a local machine account.”
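To make the quoted advice concrete, here is an added PowerShell example (not from the original post or the ITpro article) that reports the current CachedLogonsCount on a machine and, only when asked, sets it. The registry path and value name are the documented Windows locations; the $Desired default of 10 simply mirrors the Windows default, and the chassis-type check is a heuristic I added to catch the laptop case the quote warns about. Writing to HKLM requires an elevated prompt.

```powershell
# Added example: inspect and optionally set CachedLogonsCount.
# Assumptions: the default of 10 mirrors Windows' built-in default; the
# chassis check is a heuristic for "is this a laptop?", not a Windows rule.
param(
    [ValidateRange(0, 50)]   # 0 disables caching; 50 is the documented maximum
    [int]$Desired = 10,
    [switch]$Apply           # without -Apply the script only reports
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# The value is absent by default; Windows then caches 10 logons.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the Windows default of 10 cached logons applies."
} else {
    Write-Host "$name is currently '$current'."
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if (-not $domainJoined) {
    Write-Host 'Machine is not domain joined; cached domain logons do not apply here.'
}

if ($Apply) {
    if ($Desired -eq 0) {
        # SMBIOS chassis types 8, 9, 10 and 14 are portable/laptop/notebook/sub-notebook.
        $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
        if ($chassis | Where-Object { $_ -in 8, 9, 10, 14 }) {
            Write-Warning 'Portable chassis detected: with 0 cached logons, domain users cannot log on when no DC is reachable.'
        }
    }
    # CachedLogonsCount is stored as a string (REG_SZ), so write it as one.
    Set-ItemProperty -Path $key -Name $name -Value "$Desired" -Type String
    Write-Host "$name set to '$Desired'. Takes effect at the next logon."
}
```

Run it with no arguments to audit a machine; run it elevated with -Apply -Desired 0 on a desktop that never leaves the office, and leave laptops at a non-zero value so the quote's offline-logon problem does not bite you.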
Folks, the sky is not falling. Microsoft isn't making stupid security choices (at least not here). This is, like many others, one of the choices you have to make in a network to balance the ability to do your job against being secure. Sometimes there are no absolutes.
Does this impact consumers? No. A local account with no password can't be used over RDP in the first place (Windows limits blank-password local accounts to console logon by default), and I do not recommend exposing RDP to the open Internet anyway. Does this impact businesses? Yes. But it's not the threat or risk you think it is, and it's honestly nothing new.