Solved

Security on Laptops - Credential Caching.. local admin not needed?

Posted on 2007-03-28
647 Views
Last Modified: 2008-05-31
Experts,

I need to secure a lot of holes in my network. I would like to take away the admin privileges of everyone who has a laptop, but I'm afraid that if they were on the road they would not be able to log on to the machines.

We have an AD infrastructure.

I am a bit unclear on the credential caching feature. Does this let the user log in 0-10 times before it locks them out completely? What if they are local admin? What if they are not? Regardless, they have to be in the office sometime soon. We also have satellite offices with no DCs. How would the authentication work for those machines?

Basically I want to lock down all the machines as best as possible and prevent unauthorized software installations. This is not a problem for machines that stay in the office, but it concerns me for remote users.

I'm going to set it at:
10 logons cached
Password age would be 42 days through GP.

Maybe I should just lock down the machines through GP and then put them as local admin?

What are the benefits, if any, to having a user as a local admin?

Sorry if it sounds like I'm rambling. My head is spinning =]
Question by:xidx
8 Comments
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 100 total points
ID: 18807602
If you are trying to secure your environment, users should not have administrator privileges. Cached credentials set to 10 logons cached will cache credentials of 10 different users.

HTH

Toni

Author Comment

by:xidx
ID: 18807712
So the cached credentials isn't 10 logins total per user per se, but it will cache the credentials of 10 individuals from the domain that logged into the machine, then allow them an unlimited number of logins to the machine when it is off the domain? Obviously when they connect to access network resources, if their passwords have expired it won't work, but this would only happen every 42 days, and someone has some explaining to do if they are not in the office at least once every month and a half.

What about satellite offices and expiring passwords/credentials?

Can anyone else verify the above statement?
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18807798
In which case would your users have ability to access your network and not domain controllers at the same time? Do your branch offices connect to your domain network?

More info: http://www.windowsitpro.com/articles/print.cfm?articleid=46777

Author Comment

by:xidx
ID: 18808311
The branch offices have a VPN into our main offices.

I can't think of any time they wouldn't be able to connect to our network and not a DC through the same network in a different office.
LVL 70

Accepted Solution

by:
KCTS earned 400 total points
ID: 18808376
I can confirm that by default 10 logins are cached, that is ten different sets of logins for 10 different users. The whole idea of this is that once someone has logged onto the domain and been verified by the domain controller, they will be able to log on to the laptop and access the local resources using their domain user account. This means that users do not need to have domain username/passwords when on the domain and local username/passwords when not connected to the domain.

You can restrict the number of cached credentials with a group policy. If you make it zero then cached credentials are no longer allowed.

For more info see http://support.microsoft.com/kb/913485
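As an added example that is not part of this thread: a PowerShell check of the setting the accepted solution describes. The group policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes the CachedLogonsCount value under the Winlogon key; the script reads it, reports whether offline logon is possible, and flags a local-admin user. It assumes a domain-joined Windows machine with PowerShell 3 or later; the function names and thresholds are my own.

```powershell
# Added example, not code from the thread. Reads the cached-logon policy that
# "Interactive logon: Number of previous logons to cache" writes, and checks a
# laptop before it leaves the office. Run it as the user who will carry the laptop.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # CachedLogonsCount is REG_SZ; when the value is absent the Windows default of 10 applies.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        Computer           = $cs.Name
        DomainJoined       = $cs.PartOfDomain
        CachedLogonsCount  = $count        # distinct domain accounts cached, not logons per user
        OfflineLogonOK     = $count -gt 0  # 0 disables caching: no reachable DC means no logon
        CurrentUserIsAdmin = $isAdmin      # caching behaves the same whether or not the user is admin
    }
}

function Test-LaptopReady {
    # Hypothetical thresholds: at least one cached logon so the road user can sign in,
    # at most the default of 10 so the cache does not grow beyond policy.
    param([int]$MinimumCached = 1, [int]$MaximumCached = 10)
    $p = Get-CachedLogonPolicy
    $problems = @()
    if (-not $p.DomainJoined) { $problems += 'not domain joined: domain credentials are never cached here' }
    if ($p.CachedLogonsCount -lt $MinimumCached) { $problems += 'cached logons disabled: user cannot log on away from a DC' }
    if ($p.CachedLogonsCount -gt $MaximumCached) { $problems += "CachedLogonsCount $($p.CachedLogonsCount) exceeds allowed $MaximumCached" }
    if ($p.CurrentUserIsAdmin) { $problems += 'user is a local administrator: remove before issuing the laptop' }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems; Policy = $p }
}

Test-LaptopReady | Format-List
```

Deploying the value through the GPO rather than editing the registry directly keeps every laptop consistent; this script only verifies what the policy produced on one machine.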

Author Comment

by:xidx
ID: 18808402
How would I update credentials for remote users? They would have to VPN in before logging in, right?

Any other easy way? Maybe a run as once dialed into the VPN?

I wouldn't want to force users to HAVE to VPN in before booting up the machine if they are not at the office.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18808765
What kind of VPN do you use? If you connect through MS VPN, users would be authenticated. AFAIK, "Run as" will not do because the Secondary Logon Service should not cache credentials, but it can use previously cached credentials if you use the /savecred switch from the command line.

Author Comment

by:xidx
ID: 18808834
We use an MS RAS solution through the server that ties into AD.

I was just curious about the credentials being updated rather than authenticated.