From: Walter Schittek [schittek@POST.MED.UNI-MARBURG.DE]
Sent: Thursday, April 02, 1998 10:46 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Disabling of Caching of Logon Credentials does not work

Normally, the logon credentials of the last interactive users of an NT Workstation are cached so that the users can work locally if no domain controller is available.

For highly secure environments, Microsoft describes (Securing Windows NT Installation, October 23, 1997 (the actual version up to now), http://www.microsoft.com/ntserver/guide/secure_ntinstall.asp) how this caching can be disabled: In HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, DWORD-Value CachedLogonsCount has to be set to 0.

I've done this at a workstation immediately after installing NT, but when no domain controller is available, NT shows exactly the same behaviour as with activated cache: A message appears that the domain controller is not available and that the user can work locally based on cached logon credentials (free translation from German). This happens with more than one account.

But that means that in spite of the registry setting, logon credentials are cached on disk!!! (From where a criminal could copy them, crack the passwords and use the accounts from any PC).

Microsoft does not mention any additional measures to be taken for disabling the caching. Even clearing the value CachePrimaryDomain does not stop the caching.

Do any of you have experience with disabling caching of logon credentials, or have you solved the same problem? I had posted this mail on the ntsecurity mailing list 3 days ago but got no usable answer up to now.

I think this should be called a security-related NT bug, or - at least - wrong documentation.

Walter Schittek

--
Walter Schittek
Klinikum der Philipps-Universitaet Marburg
Personnel Department
D - 35033 Marburg
Street address: Baldingerstrasse, 35043 Marburg
Tel.: 06421/28-6343
Fax: 06421/28-3494
eMail: schittek@post.med.uni-marburg.de
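
Added example, not part of the original post: an offline check that reads the text of a `reg export` of the Winlogon key and reports the type and data of CachedLogonsCount, so a setting that was written but not honoured can be spotted. It assumes the value is expected as REG_SZ (a type the post does not state); the sample export text and the function names are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: text of a registry export of the Winlogon key (not from the post).
SAMPLE_DWORD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"=dword:00000000
"CachePrimaryDomain"=""
'''
SAMPLE_SZ = SAMPLE_DWORD.replace("dword:00000000", '"0"')
SAMPLE_TEN = SAMPLE_DWORD.replace("dword:00000000", '"10"')

def read_value(reg_text, key, name):
    """Return (type, data) for value `name` under `key`, or None if absent."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new key section
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if not m or current is None or current.lower() != key.lower():
            continue
        if m.group(1).lower() != name.lower():
            continue
        raw = m.group(2)
        if raw.startswith("dword:"):
            return ("REG_DWORD", int(raw[6:], 16))
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            return ("REG_SZ", raw[1:-1])
        return ("OTHER", raw)
    return None

def audit_cached_logons(reg_text):
    """Classify the CachedLogonsCount setting found in an export."""
    found = read_value(reg_text, WINLOGON, "CachedLogonsCount")
    if found is None:
        return "missing: default applies, caching stays on"
    kind, data = found
    if kind != "REG_SZ":                  # assumption: REG_SZ is the expected type
        return f"unexpected type {kind} (expected REG_SZ): setting may be ignored"
    if not data.isdigit():
        return f"invalid data {data!r}"
    if int(data) == 0:
        return "ok: caching disabled"
    return f"caching enabled: up to {int(data)} logons cached"
```

Whatever the check reports, confirm the behaviour the post describes by logging on with the domain controller unreachable, since the registry data alone does not show whether credentials already cached are still accepted.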