Solved

Security on Laptops - Credential Caching.. local admin not needed?

Posted on 2007-03-28
Last Modified: 2008-05-31
Experts,

I need to secure a lot of holes in my network. I would like to take away the admin privileges of everyone that has a laptop, but I'm afraid that if they were on the road they would not be able to log on to the machines.

we have an AD infrastructure...

I am a bit unclear on the credential caching feature. Does this let the user log in 0-10 times before it will lock them out completely? What if they are local admin? What if they are not? Regardless, they have to be in the office sometime soon. We also have satellite offices with no DCs. How would the authentication work for those machines?

Basically I want to lock down all the machines as best as possible and prevent unauthorized software installations. This is not a problem for machines that stay in the office, but it concerns me for remote users.

I'm going to set it at:
10 logons cached
Password age would be 42 days through GP.

Maybe I should just lock down the machines through GP and then put them as local admin?

What are the benefits, if any, to having a user as a local admin?

Sorry if it sounds like I'm rambling; my head is spinning =]
Question by:xidx
8 Comments
 

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 100 total points
ID: 18807602
If you are trying to secure your environment, users should not have administrator privileges. Cached credentials set to 10 logons cached will cache the credentials of 10 different users.

HTH

Toni
 

Author Comment

by:xidx
ID: 18807712
So the cached credentials isn't 10 logins total per user per se, but it will cache the credentials of 10 individuals from the domain that logged into the machine, then allow them an unlimited number of logins to the machine when it is off the domain? Obviously when they connect to access network resources, if their passwords have expired it won't work, but this would only happen every 42 days, and someone has some explaining to do if they are not in the office at least once every month and a half.

What about satellite offices and expiring passwords/credentials?

Can anyone else verify the above statement?
 

Expert Comment

by:Toni Uranjek
ID: 18807798
In which case would your users have the ability to access your network and not domain controllers at the same time? Do your branch offices connect to your domain network?

More info: http://www.windowsitpro.com/articles/print.cfm?articleid=46777
 

Author Comment

by:xidx
ID: 18808311
The branch offices have a VPN into our main offices.

I can't think of any time they wouldn't be able to connect to our network and not a DC through the same network in a different office.
 

Accepted Solution

by: KCTS
KCTS earned 400 total points
ID: 18808376
I can confirm that by default 10 logins are cached, that is, ten different sets of logins for 10 different users. The whole idea of this is that once someone has logged onto the domain and been verified by the domain controller, they will be able to log on to the laptop and access the local resources using their domain user account. This means that users do not need to have domain usernames/passwords when on the domain and local usernames/passwords when not connected to the domain.

You can restrict the number of cached credentials with a group policy. If you make it zero then cached credentials are no longer allowed.

for more info see http://support.microsoft.com/kb/913485
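As an added example that is not part of the original thread, the following PowerShell script audits the two settings the accepted answer describes on a Windows laptop: the cached-logon count and the membership of the local Administrators group. The policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is stored in the registry as the string value CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; it counts distinct users whose last domain logon is cached, not logon attempts. The script name, the -DesiredCachedLogons parameter and the use of $env:USERDOMAIN as the domain name are assumptions for illustration; an elevated session is required to change the value.

```powershell
# Added example, not code from the original thread. Audits the cached-logon
# count and local Administrators membership, and optionally sets the count.
# Assumptions: script saved as Audit-LaptopLogon.ps1, run elevated, and the
# domain NetBIOS name matches $env:USERDOMAIN.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Desired cache size; omit to audit only. 0 disables caching entirely,
    # which means domain users cannot log on when no DC is reachable.
    [ValidateRange(0, 50)]
    [int]$DesiredCachedLogons
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # The value is REG_SZ; when it is absent Windows behaves as if it were "10".
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Get-LocalAdministrators {
    # ADSI enumeration works on old and current Windows releases alike and
    # returns each member as DOMAIN/name or COMPUTERNAME/name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

$current = Get-CachedLogonsCount
Write-Output "CachedLogonsCount: $current (distinct users whose domain logon is cached)"
if ($current -eq 0) {
    Write-Warning 'Caching is disabled: domain users cannot log on to this machine when no DC is reachable.'
}

Write-Output 'Members of the local Administrators group:'
$admins = @(Get-LocalAdministrators)
$admins | ForEach-Object { Write-Output "  $_" }

# Any domain principal other than Domain Admins is a candidate for removal
# under the "no local admin for laptop users" goal discussed in the question.
$domain = $env:USERDOMAIN
$domainPrincipals = $admins | Where-Object {
    $_ -like "$domain/*" -and $_ -ne "$domain/Domain Admins"
}
if ($domainPrincipals) {
    Write-Warning "Domain principals with local admin rights: $($domainPrincipals -join ', ')"
}

if ($PSBoundParameters.ContainsKey('DesiredCachedLogons') -and $DesiredCachedLogons -ne $current) {
    if ($PSCmdlet.ShouldProcess($winlogon, "Set CachedLogonsCount to $DesiredCachedLogons")) {
        # Written as a string because that is the type Winlogon expects. On a
        # domain member set this through Group Policy instead; a local change
        # is overwritten at the next policy refresh if a GPO defines it.
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$DesiredCachedLogons" -Type String
    }
}
```

Run it with no parameters to audit, or with `-DesiredCachedLogons 10 -WhatIf` to see what would change without touching the registry. Note that cached logons only let a user who has already authenticated to a DC on that machine log on while offline; a new user, or a user who changed their password elsewhere, still has to reach a DC (for example over the VPN) before the cached entry reflects the new credentials.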
 

Author Comment

by:xidx
ID: 18808402
How would I update credentials for remote users? They would have to VPN in before logging in, right?

Any other easy way? Maybe a Run As once dialed into the VPN?

I wouldn't want to force users to HAVE to VPN in before booting up the machine if they are not at the office.
 

Expert Comment

by:Toni Uranjek
ID: 18808765
What kind of VPN do you use? If you connect through MS VPN, users would be authenticated. AFAIK, "Run as" will not do, because the Secondary Logon Service should not cache credentials, but it can use previously cached credentials if you use the /savecred switch from the command line.
 

Author Comment

by:xidx
ID: 18808834
We use an MS RAS solution through the server that ties into AD.

I was just curious about the credentials being updated rather than authenticated.
Question has a verified solution.