Executive Summary: Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 have a built-in feature that automatically manages the usernames and passwords needed to access resources that require credentials other than the user's logon credentials. This feature is called Stored User Names and Passwords. Learn about this feature's benefits and how it works. Also learn how to use it to manually manage credentials.
Remembering and managing multiple usernames and passwords for accessing various resources can pose a problem for most users. Although many third-party credential management products are available, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 have a built-in feature that automatically manages the usernames and passwords needed to access resources that require credentials other than the user's standard Windows logon credentials. This feature is called Stored User Names and Passwords.
Stored User Names and Passwords lets you store credentials for local network and Internet resources. The types of credentials that can be created, managed, and used with this feature include:
- Usernames and passwords
- X.509 certificates (e.g., for smart cards)
- Passports (e.g., .NET passports)
If you're using Windows XP Home Edition, be aware that this XP version stores only passport credentials and RAS/VPN usernames and passwords.
Let's look at the benefits that the Stored User Names and Passwords feature provides, how the feature works, and how to use it to manually manage credentials.
The Benefits
When users log on to a local computer or domain, they provide a username and password. After the logon, those credentials become the default security context for accessing other resources on the local network, the remote network, and/or the Internet. However, the credentials might not be sufficient for accessing all the resources that users need. For example, the credentials might not be sufficient for accessing websites that require authentication or domains without trust relationships. If there are many such resources, users might need many different credentials.
Similarly, administrators might need different credentials. For example, they might log on to the network using their standard Windows logon credentials but need administrative privileges to perform specific tasks on remote servers.
Having to remember multiple username and password combinations can lead to bad password practices, such as using weak passwords, using the same password for everything, and writing passwords on pieces of paper. The Stored User Names and Passwords feature helps users avoid such practices because it securely stores and manages multiple credentials for them. Users will have single sign-on experience because they'll log on to only their computers or domains. Because users won't be forced to remember passwords, they'll be more likely to choose strong passwords, which can greatly increase overall security.
Stored User Names and Passwords stores credentials in a secure part of a user's profile, so they can't be accessed by other users. If the user is configured to use a single profile across the enterprise (i.e., roaming profile), the stored usernames and passwords are retained wherever the user logs on to the network. This further increases the functionality of this feature, while still keeping an acceptable level of security.
How the Feature Works
When a user tries to access a website or network location that isn't accessible with his or her default credentials, he or she is prompted for a username and password. After the user enters that information and selects the Remember my password check box, the logon information is stored within the user's profile. The next time the user connects to that resource, those stored credentials are used to automatically authenticate him or her.
Every time a user clicks the Remember my password check box, the credentials are saved in the most general form possible. For example, if a user selects the Remember my password check box when he or she is accessing a specific server in the company.com domain, the credentials might be saved under *.company.com. If the user again selects the Remember my password check box when accessing a different server in the same domain, Windows won't overwrite the previously saved credentials. Instead, Windows saves the new credentials using more specific information, such as server1.company.com. Because of this setup, no more than one username and password can be stored for a specific logon, which is a slight limitation of the Stored User Names and Passwords feature.
When multiple credential sets are stored, Windows orders them from most specific to least specific. When a user tries to access a resource not available under his or her current credentials, the authentication package searches the Stored User Names and Passwords repository for the most specific credential set that matches that resource. If one is found, the authentication package uses it without any interaction from the user. If one isn't found, the user is prompted for a username and password.
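As an added illustration (not code from the article or from Windows itself), the following Python models the most-specific-match lookup and the one-entry-per-target rule described above; the `*.company.com` style target patterns, the store layout and the `resolve`/`remember` helper names are assumptions, and passwords are plain strings only because this is a constructed model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StoredCredential:
    target: str       # e.g. "*.company.com" or "server1.company.com" (assumed pattern style)
    username: str
    password: str     # plain text only because this is a constructed model


def specificity(target: str) -> int:
    """Rank a target: any exact host outranks every wildcard, and among
    wildcards a longer suffix ("*.hr.company.com") beats a shorter one."""
    if target.startswith("*."):
        return len(target)
    return 10_000 + len(target)


def matches(target: str, resource: str) -> bool:
    """Case-insensitive match of a stored target against a resource name."""
    t, r = target.lower(), resource.lower()
    if t.startswith("*."):
        suffix = t[1:]                     # "*.company.com" -> ".company.com"
        return r.endswith(suffix) and len(r) > len(suffix)
    return t == r


def resolve(store: List[StoredCredential], resource: str) -> Optional[StoredCredential]:
    """Return the most specific stored credential set for the resource,
    or None, which is the case where the user would be prompted."""
    candidates = [c for c in store if matches(c.target, resource)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: specificity(c.target))


def remember(store: List[StoredCredential], target: str,
             username: str, password: str) -> List[StoredCredential]:
    """Mimic 'Remember my password': a different target never overwrites an
    existing entry, but a specific target can hold only one credential set."""
    kept = [c for c in store if c.target.lower() != target.lower()]
    return kept + [StoredCredential(target, username, password)]


# Constructed sample store: a general entry for the domain, then a more
# specific one for a single server, as the article's example describes.
STORE: List[StoredCredential] = []
STORE = remember(STORE, "*.company.com", "COMPANY\\jdoe", "pw-general")
STORE = remember(STORE, "server1.company.com", "COMPANY\\jdoe-admin", "pw-admin")
```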