Cached Logon Hashes

by Wayne Maples [Published on 10 May 2005 / Last Updated on 10 May 2005]

NT caches previous users' logon information locally so that they will be able to log on in the event that a logon server is unavailable during subsequent logon attempts. If a domain controller is unavailable and a user's logon information is cached, the user will be prompted with a dialog that says:

A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

With caching disabled, the user is prompted with this message:

The system cannot log you on now because the domain is not available.

NT 2000 suppresses the "A domain controller for your domain could not be contacted" message by default. To suppress the message in NT4:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ReportDC
Type: REG_DWORD
Value: 0 suppress domain controller message
Value: 1 don't suppress domain controller message

By default, Windows NT will remember the 10 most recent logon attempts. The valid range of values for this parameter is 0 to 50. There is a possibility of exposing powerful domain account passwords, since the hashes are stored locally on the workstation.

A value of 0 disables logon caching (appropriate for high-security environments), and any value above 50 will only cache 50 logon attempts. For workstations I recommend setting CachedLogonsCount to 1 as having the best balance between functional and security needs. See LSA Secrets for background.

I don't want to give a tutorial on the exact method, but let's say JoeDummy calls for help stating that he is having a problem logging on. An installer or domain admin comes by and logs in to resolve the issue, leaving a copy of their powerful account's hash cached on the workstation. The admin leaves, and JoeDummy, now a hacker, runs a dictionary attack on the hash (assuming he/she discovers how to get to the hash). To prevent this attack, I recommend setting the number of cached passwords to 1. A person with a powerful domain account logs into the PC, fixes the problem, and leaves a cached hash. That person then either has the owner of the PC log in immediately, wiping out the powerful account's hash, or logs in with a powerless account on the domain, leaving a worthless account hash cached. Setting the cached hashes to zero is more secure, but setting it to 1 reaches a good balance between functionality and security (assuming personnel with powerful accounts understand the risk and avoid exposing their powerful accounts to attack).

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: CachedLogonsCount
Type: REG_SZ
Value: 0 no cached pw
Value: 1 my recommendation
Value: 2-50
Value: 51-whatever caches 50 hashes

This setting is best set with RegKey.exe from the Resource Kit. When possible avoid direct registry editing and use indirect registry modifiers such as RegKey and TweakUI.
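The CachedLogonsCount rules above (default of 10 when unset, cap at 50, recommended value 1) can be checked per workstation with a short script. This is an added PowerShell example, not part of the original article, and it uses PowerShell's registry provider rather than RegKey.exe; the function names and the `$MaxAllowed` parameter are made up for illustration.

```powershell
# Added example: audit (and optionally correct) CachedLogonsCount locally.
# Function names and $MaxAllowed are illustrative, not from the article.
function Get-EffectiveCachedLogons {
    param([AllowNull()][string]$RawValue)
    # Value absent: the article states the default is 10 cached logons.
    if ([string]::IsNullOrWhiteSpace($RawValue)) { return 10 }
    $n = 0
    # The value is REG_SZ, so it may hold non-numeric text; report that as $null.
    if (-not [int]::TryParse($RawValue.Trim(), [ref]$n) -or $n -lt 0) { return $null }
    # Anything above 50 still caches only 50 logons.
    return [Math]::Min($n, 50)
}

function Test-CachedLogonsCount {
    param(
        [int]$MaxAllowed = 1,   # the article's workstation recommendation
        [switch]$Fix
    )
    $key  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'
    $raw  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $effective = Get-EffectiveCachedLogons -RawValue $raw
    # An unparseable value is treated as non-compliant rather than guessed at.
    $compliant = ($null -ne $effective) -and ($effective -le $MaxAllowed)

    if (-not $compliant -and $Fix) {
        # Needs an elevated session; writes REG_SZ, matching the type listed above.
        Set-ItemProperty -Path $key -Name $name -Value ([string]$MaxAllowed) -Type String
        $raw       = [string]$MaxAllowed
        $effective = $MaxAllowed
        $compliant = $true
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        RawValue  = $raw
        Effective = $effective
        Compliant = $compliant
    }
}

Test-CachedLogonsCount            # report only
# Test-CachedLogonsCount -Fix     # set to 1 if the current value is higher or invalid
```

Lowering the count limits how many future logons are cached; the example does not attempt to verify that previously cached entries are gone, which the article handles by having the PC's owner log in afterwards.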

A different hack disables domain password caching in the sense that if you need to access a new resource, you will be forced to re-enter your password for each new resource accessed. It would drive your users nuts. For a high-security environment, it has real potential. Perhaps this makes sense for Administrator workstations.

Hive: HKEY_LOCAL_MACHINE
Key: Network\Logon
Name: NoDomainPwdCaching
Type: REG_DWORD
Value: 1

There is a global setting for Windows NT / Windows 2000 / Windows XP to disable password caching in general:

Hive: HKEY_CURRENT_USER
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Network
Name: DisablePwdCaching
Type: REG_DWORD
Value: 0 disable
