Windows Cached Credentials/Security Verifier

[k41zen at live.co.uk (k41zen)]

So does it dump the first entry added to the table as the "oldest", or  
does it dump the "oldest" entry that hasn't been used/updated?


On 16 Oct 2009, at 22:40, Scott Webster wrote:

> I have tested this before, it definitely dumps the oldest.
>
> From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom- 
> bounces at mail.pauldotcom.com] On Behalf Of k41zen
> Sent: Friday, October 16, 2009 1:47 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Windows Cached Credentials/Security Verifier
>
> Thanks for the info. I'm in security so I'm against any cached creds  
> but also do understand the business requirement for them.
>
> I'm also against services requiring domain creds too when running  
> and as the supplier has two services on the laptop plus probably an  
> admin account to build/configure it they are left with two spare  
> which isn't a lot. Then comes compliance/VA testing which probably  
> takes up the remaining two.
>
> I was really after exactly how it works when the table/quota is  
> filled.
>
> I'm back in the office on Monday and will try out a number of tools  
> to dump out the cached creds table and see what happens.
>
> On 16 Oct 2009, at 20:57, Michael Dickey wrote:
>
>
> I don't know the exact mechanics, but I believe it drops the oldest  
> one.
>
> If you have access to domain machines and accounts, you could  
> probably test this. If you set the number down to 2 and grab  
> yourself 3 logins, you could start to verify which one is bumped off  
> as you get to the third one.
>
> Personally, setting this value to 5 is no better than the default  
> value of 10. I personally prefer to use 1. This pretty much means  
> the primary user will be the only cached credential. If you have  
> concerns about your admin staff then being locked out, you could  
> make a case for 2. But really, it's those admin credentials you  
> really don't want lingering all over. For any non-mobile systems  
> that you expect to always be on a domain-enabled network, you could  
> make a good case for 0.
>
> On Fri, Oct 16, 2009 at 9:30 AM, k41zen <k41zen at live.co.uk> wrote:
> So the business wants users to be able to log onto laptops using
> cached domain credentials whilst they are offline.
>
> The supplier has limited the number of cached credentials/security
> verifier's available to 5.
>
> My question is how is the "security verifier's table" (for want of a
> better description) managed? If it is full and as a 6th unique account
> I logon connected to the domain, which entry gets overwritten? Does it
> overwrite the oldest verifier that hasn't been logged on recently?
> Does it overwrite the first one in the table?
>
> I'm finding little info on the algorithm used (if any).
>
> Grateful for any insight.
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091017/1042ba21/attachment.htm