GPO to edit registry

murkytuna used Ask the Experts™
Hi.  Please let me know how to create a GPO on Windows server 2008 to edit the registry to get rid of the following vulnerability that was found by an Altiris vulnerability scan:

Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

 Synopsis :

 User credentials are stored in memory.

 Description :

 The registry key HKLM\Software\Microsoft\Windows
 NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means
 that the remote host locally caches the passwords of the users when
 they log in, in order to continue to allow the users to log in in the
 case of the failure of the PDC.

 Solution :

 use regedt32 and set the value of this key to 0
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Network Administrator
I think that would be in
Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Just remember... This is a two edged sword... If the computers can't reach the domain controller for ANY reason, they will not be able to log in and work....


Thanks.  That did it.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial