Don't Let Your Domain Admins or Enterprise Admins Password Get Hacked
With Windows' default domain credential caching, passwords are cached locally. This can leave your domain vulnerable to attack if you use a high-level administrative account to log on to a workstation or member server. Here's how to protect your domain.
July 25, 2007
The Domain Admins and Enterprise Admins accounts are the keys to the kingdom. With Windows' default domain credential caching, password hashes for these important accounts are easily hacked. If you log on to a workstation, laptop, or server (other than a domain controller—DC) using a Domain Admins or Enterprise Admins account, by default the password hash is stored in the local cache, where it can be retrieved and cracked by someone with physical access to the computer. We’ve always been told that physical access to a computer means ownership of the computer, but in this case, physical access to a laptop could mean ownership of the domain. To protect your domain, you can take two actions:
As an administrator, you've probably physically secured your DCs to prevent hackers from cracking Active Directory (AD) password hashes. It's equally important to physically secure the workstations, laptops, and member servers on which you might use Domain Admins or Enterprise Admins credentials. Even if you use a laptop or workstation to connect to a DC through RDP, your password is saved in the local cache by default, so you need to physically secure that computer.
You should turn off domain credential caching in the workstations, laptops, or member servers on which you might use Domain Admins or Enterprise Admins credentials. To do so, open the Group Policy Object Editor and navigate to Computer ConfigurationWindows Settings Security SettingsLocal PolicesSecurity Options. Look for the Interactive Logon: Number of previous logons to cache (in case domain controller is not available) policy. By default, the policy is set to 10 logons. As Figure 1 shows, change the setting to 0 logons to disable the local caching of logon information. If you don't want to turn off cached credentials on member servers because you want to be able to log on when a DC isn't available, you should set a local Administrator password on each server. Each password should be different. If you forget a local Administrator password, searching five minutes on the Internet will give you several options on how you can reset the password.
—Tony Weil
Editor's note: This Reader to Reader item was a winning entry in the Know Your IT Security contest sponsored by Microsoft Learning Paths for Security.
Share Your Security Experiences
Share your security discoveries, comments, solutions to problems, and experiences with products. Email your contributions to [email protected]. Please include your full name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $100.
About the Author
You May Also Like