Solved

Security on Laptops - Credential Caching.. local admin not needed?

Posted on 2007-03-28
Last Modified: 2008-05-31
Experts,

I need to secure a lot of holes in my network. I would like to take away the admin privileges of everyone that has a laptop, but I'm afraid that if they were on the road they would not be able to log on to the machines.

We have an AD infrastructure.

I am a bit unclear on the credential caching feature. Does this let the user log in 0-10 times before it locks them out completely? What if they are local admin? What if they are not? Regardless, they have to be in the office sometime soon. We also have satellite offices with no DCs. How would the authentication work for those machines?

Basically I want to lock down all the machines as well as possible and prevent unauthorized software installations. This is not a problem for machines that stay in the office, but it concerns me for remote users.

I'm going to set it at:
10 logons cached
password age of 42 days through GP.

Maybe I should just lock down the machines through GP and then put them as local admin?

What are the benefits, if any, to having a user as a local admin?

Sorry if it sounds like I'm rambling. My head is spinning =]
Question by:xidx
8 Comments
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 300 total points
ID: 18807602
If you are trying to secure your environment, users should not have administrator privileges. Cached credentials set to 10 logons cached will cache the credentials of 10 different users.

HTH

Toni

Author Comment

by:xidx
ID: 18807712
So the cached credentials isn't 10 logins total per user per se, but it will cache the credentials of 10 individuals from the domain that logged into the machine, then allow them an unlimited number of logins to the machine when it is off the domain? Obviously when they connect to access network resources, if their passwords have expired it won't work, but this would only happen every 42 days, and someone has some explaining to do if they are not in the office at least once every month and a half.

What about satellite offices and expiring passwords/credentials?

Can anyone else verify the above statement?
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18807798
In which case would your users have the ability to access your network but not the domain controllers at the same time? Do your branch offices connect to your domain network?

More info: http://www.windowsitpro.com/articles/print.cfm?articleid=46777

Author Comment

by:xidx
ID: 18808311
The branch offices have a VPN into our main offices.

I can't think of any time they would be able to connect to our network and not to a DC through the same network in a different office.
LVL 70

Accepted Solution

by:
KCTS earned 1200 total points
ID: 18808376
I can confirm that by default 10 logins are cached, that is, ten different sets of logins for 10 different users. The whole idea of this is that once someone has logged onto the domain and been verified by the domain controller, they will be able to log on to the laptop and access the local resources using their domain user account. This means that users do not need to have domain usernames/passwords when on the domain and local usernames/passwords when not connected to the domain.

You can restrict the number of cached credentials with a group policy. If you make it zero then cached credentials are no longer allowed.

for more info see http://support.microsoft.com/kb/913485
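The setting KCTS describes is the security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which lands in the registry as the CachedLogonsCount string value under the Winlogon key. The following PowerShell is an added example for this thread, not code posted by KCTS, Toni or Microsoft; it assumes an elevated session on a domain-joined Windows 10 / Server 2016 or later machine (Get-LocalGroupMember is not available on the XP-era systems this thread dates from; use `net localgroup Administrators` there). It reads the current cache count, lists who holds local admin (the thing the question wants to remove), shows the domain's maximum password age, and wraps the registry write in a function so the effect of 0 versus 10 is explicit.

```powershell
# Added example (not from the original thread). Assumes elevated PowerShell on a
# domain-joined Windows 10 / Server 2016+ host. Registry path and value name are
# the real Winlogon location of the "previous logons to cache" security option.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Stored as REG_SZ, not DWORD. A missing value means the OS default of 10.
    $v = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
          -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 = no offline domain logon at all (a laptop off the network can only be
    # used with a local account); 10 = ten distinct domain users, not ten logons.
    # On a GPO-managed machine this registry write is overwritten at the next
    # policy refresh, so change it in the GPO instead and use this only for labs.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count)
}

function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$count = Get-CachedLogonsCount
"CachedLogonsCount = $count  (0 disables cached domain logon; default is 10)"

# Max password age the question sets to 42 days via GP; read it from the domain.
(net accounts /domain) | Where-Object { $_ -match 'Maximum password age' }

"Local Administrators members:"
$admins = Get-LocalAdmins
$admins | Format-Table -AutoSize

# Domain user accounts holding local admin are what the question wants to remove.
$domainUserAdmins = $admins | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User'
}
if ($domainUserAdmins) {
    "Domain users with local admin rights: " + ($domainUserAdmins.Name -join ', ')
    # Remove one with: Remove-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\user'
}

# Keep the default for road warriors (uncomment to apply; see GPO note above):
# Set-CachedLogonsCount -Count 10
```

Two caveats a practitioner should keep in mind. First, what is cached is a password verifier (the "MSCache" domain cached credential) in the SECURITY hive, not a ticket with an expiry: an attacker with SYSTEM or the offline disk can extract those verifiers and crack them, which is a separate reason to keep the count low on laptops that must carry it at all. Second, the cached verifier is refreshed only when the user authenticates interactively against a DC, which is why the later comments in this thread turn on whether the VPN is up before the user logs on.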

Author Comment

by:xidx
ID: 18808402
How would I update credentials for remote users? They would have to VPN in before logging in, right?

Any other easy way? Maybe a "run as" once dialed into the VPN?

I wouldn't want to force users to HAVE to VPN in before booting up the machine if they are not at the office.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18808765
What kind of VPN do you use? If you connect through MS VPN, users would be authenticated. AFAIK, "Run as" will not do because the Secondary Logon Service should not cache credentials, but it can use previously cached credentials if you use the /savedcred switch from the command line.

Author Comment

by:xidx
ID: 18808834
We use an MS RAS solution through the server that ties into AD.

I was just curious about the credentials being updated rather than authenticated.