The Domain Admins and Enterprise Admins accounts are the keys to the kingdom. With Windows' default domain credential caching, password hashes for these important accounts are easily hacked. If you log on to a workstation, laptop, or server (other than a domain controller—DC) using a Domain Admins or Enterprise Admins account, by default the password hash is stored in the local cache, where it can be retrieved and cracked by someone with physical access to the computer. We’ve always been told that physical access to a computer means ownership of the computer, but in this case, physical access to a laptop could mean ownership of the domain. To protect your domain, you can take two actions:
- As an administrator, you've probably physically secured your DCs to prevent hackers from cracking Active Directory (AD) password hashes. It's equally important to physically secure the workstations, laptops, and member servers on which you might use Domain Admins or Enterprise Admins credentials. Even if you use a laptop or workstation to connect to a DC through RDP, your password is saved in the local cache by default, so you need to physically secure that computer.
- You should turn off domain credential caching in the workstations, laptops, or member servers on which you might use Domain Admins or Enterprise Admins credentials. To do so, open the Group Policy Object Editor and navigate to Computer Configuration\Windows Settings\ Security Settings\Local Polices\Security Options. Look for the Interactive Logon: Number of previous logons to cache (in case domain controller is not available) policy. By default, the policy is set to 10 logons. As Figure 1 shows, change the setting to 0 logons to disable the local caching of logon information. If you don't want to turn off cached credentials on member servers because you want to be able to log on when a DC isn't available, you should set a local Administrator password on each server. Each password should be different. If you forget a local Administrator password, searching five minutes on the Internet will give you several options on how you can reset the password.
—Tony Weil
Editor's note: This Reader to Reader item was a winning entry in the Know Your IT Security contest sponsored by Microsoft Learning Paths for Security.
Share Your Security Experiences
Share your security discoveries, comments, solutions to problems, and experiences with products. Email your contributions to r2r@windowsitsecurity.com. Please include your full name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $100.