Solved

Security on Laptops - Credential Caching.. local admin not needed?

Posted on 2007-03-28
8
649 Views
Last Modified: 2008-05-31
Experts,

I need to secure a lot of holes in my network.. I would like to take away the admin privileges of everyone that has a laptop.. but I'm afraid that if they were on the road they would not be able to log on to the machines..

we have an AD infrastructure...

I am a bit unclear with the credential caching feature... does this let the user log in 0-10 times before it will lock them out completely? what if they are local admin? what if they are not? regardless they have to be in the office sometime soon.. we also have satellite offices with no DCs.. how would the authentication work to those machines?

basically I want to lock down all the machines as best as possible.. prevent unauthorized software installations... this is not a problem for machines that stay in the office.. but concerns me about remote users..

I'm going to set it at
10 logons cached
password age would be 42 days through GP.

maybe I should just lock down the machines through GP then put them as local admin?

what are the benefits, if any, of having a user as a local admin?

sorry if it sounds like I'm rambling .. my head is spinning =]
Question by:xidx
8 Comments
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 100 total points
ID: 18807602
If you are trying to secure your environment, users should not have administrator privileges. Cached credentials set to 10 logons cached will cache credentials of 10 different users.

HTH

Toni
0
 

Author Comment

by:xidx
ID: 18807712
So.. the cached credentials isn't 10 logins total per user per se.. but it will cache the credentials of 10 individuals from the domain that logged into the machine, then allow them an unlimited number of logins to the machine when it is off the domain? obviously when they connect to access network resources, if their passwords have expired it won't work.. but this would only happen every 42 days, and someone has some explaining to do if they are not in the office at least once every month and a half.

what about satellite offices and expiring passwords/credentials?

can anyone else verify the above statement?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18807798
In which case would your users have ability to access your network and not domain controllers at the same time? Do your branch offices connect to your domain network?

More info: http://www.windowsitpro.com/articles/print.cfm?articleid=46777
0

Author Comment

by:xidx
ID: 18808311
the branch offices have a VPN into our main offices..

I can't think of any time they wouldn't be able to connect to our network and not a DC through the same network in a different office.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 400 total points
ID: 18808376
I can confirm that by default 10 logins are cached, that is ten different sets of logins for 10 different users. The whole idea of this is that once someone has logged onto the domain and been verified by the domain controller, they will be able to log on to the laptop and access the local resources using their domain user account. This means that users do not need to have domain username/passwords when on the domain and local username/passwords when not connected to the domain.

You can restrict the number of cached credentials with a group policy. If you make it zero then cached credentials are no longer allowed.

for more info see http://support.microsoft.com/kb/913485
0
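An added example, not code from the thread or from any poster, that audits the two settings KCTS and the asker are discussing on one laptop: the Winlogon CachedLogonsCount value that the "logons cached" Group Policy setting writes, and who is in the local Administrators group. It assumes PowerShell on a domain-joined Windows machine, the Remote Registry service reachable when a remote computer name is given, and a constructed $AllowedAdmins list that you would replace with your own.

```powershell
# Added example (not from the thread): audit cached-logon count and local admins.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$ExpectedCachedLogons = 10,   # the value the asker plans to set via GP
    [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins')  # constructed sample
)

function Get-CachedLogonsCount([string]$Computer) {
    # "Interactive logon: Number of previous logons to cache" lands here as a REG_SZ value.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $raw  = $key.GetValue('CachedLogonsCount')
    $key.Close(); $hive.Close()
    if ($null -eq $raw) { return 10 }   # Windows default when the value is absent
    return [int]$raw
}

function Get-LocalAdminMembers([string]$Computer) {
    # The WinNT ADSI provider works on the XP/2003-era machines this thread dates from.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$cached      = Get-CachedLogonsCount $ComputerName
$admins      = Get-LocalAdminMembers $ComputerName
$extraAdmins = @($admins | Where-Object { $AllowedAdmins -notcontains $_ })

[pscustomobject]@{
    Computer          = $ComputerName
    CachedLogonsCount = $cached
    # 0 would stop road warriors logging on without a DC; above policy widens exposure.
    CacheOk           = ($cached -gt 0 -and $cached -le $ExpectedCachedLogons)
    LocalAdmins       = ($admins -join ', ')
    UnexpectedAdmins  = ($extraAdmins -join ', ')
    AdminsOk          = ($extraAdmins.Count -eq 0)
}
```

Run it against each laptop name to get one row per machine; any row with CacheOk or AdminsOk false is a machine the GP lockdown has not reached.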
 

Author Comment

by:xidx
ID: 18808402
how would I update credentials for remote users? they would have to VPN in before logging in.. right?

any other easy way? maybe a run as once dialed into the VPN?

I wouldn't want to force users to HAVE to VPN in before booting up the machine if they are not at the office.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18808765
What kind of VPN do you use? If you would connect through MS VPN, users would be authenticated. AFAIK, "Run as" will not do because Secondary Logon Service should not cache credentials, but it can use previously cached credentials if you use /savedcred switch from command line.
0
 

Author Comment

by:xidx
ID: 18808834
we use an MS RAS solution through the server that ties into AD

I was just curious about the credentials being updated rather than authenticated..
0