How to prevent domain admin credentials from being cached under a domain user's security context

When I remotely assist another user in my domain and subsequently access a share on a server I am prompted for my (domain) administrative credentials. That's expected. What is troublesome is that during any subsequent traversal to that location, I am not prompted for my credentials again. This implies that my credentials are cached somehow under the remote user's security context. In essence, I could end the remote assistance session and they could still access the share on the server. Where in Group Policy or AD is this setting defined and how can I prevent my administrative credentials from being cached on all remote users' computers in the future?
SnAkEhIpS asked:
btan (Exec Consultant) commented:
The default is disabled, hence caching is allowed. You can still have caching, but limit it by the logon count too. For example, to limit the number of cached domain credentials that are stored on the computer, set the cachedlogonscount registry entry. If the value of this entry is 0, no user account data will be saved in the logon cache.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
0
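Added example, not part of btan's answer: a PowerShell function that reads the two settings his answer refers to on a workstation, so you can see the current posture before changing it by Group Policy. The function name is ours; the registry locations are the documented ones for `cachedlogonscount` (Winlogon key) and for the policy "Network access: Do not allow storage of passwords and credentials for network authentication" (the LSA value `DisableDomainCreds`). Run it in an elevated session on the machine being checked.

```powershell
# Added example (not from the thread). Reports the credential-caching posture of
# this machine. Assumed: function name is ours; registry paths/value names are the
# documented locations for cachedlogonscount and DisableDomainCreds.
function Get-CredentialCachingPosture {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # cachedlogonscount is a REG_SZ; when the value is absent the documented default (10) applies.
    $cached = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }

    # DisableDomainCreds = 1 means the policy is Enabled (no stored credentials for
    # network authentication); absent or 0 means Disabled, which is the default.
    $disable = (Get-ItemProperty -Path $lsa -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $disable) { $disable = 0 }

    # Credential Manager entries are per user: run this in the assisted user's session
    # to see whether an admin's entry was saved under *their* vault.
    $targets = @(cmdkey /list |
        Where-Object { $_ -match '^\s*Target:' } |
        ForEach-Object { ($_ -split ':\s*', 2)[1] })

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        CachedLogonsCount       = [int]$cached
        DoNotStoreNetworkCreds  = ($disable -eq 1)
        StoredCredentialTargets = $targets
    }
}

Get-CredentialCachingPosture | Format-List
```

Two caveats worth knowing before flipping either value by GPO: `cachedlogonscount = 0` affects every domain account on the machine, so a laptop user cannot log on without a reachable domain controller; and `DisableDomainCreds = 1` stops Credential Manager from saving any network credential, which also breaks mapped drives and RDP connections that relied on saved entries. Neither setting tears down a network session that is already open with the admin's identity, which is the behaviour the question describes.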

Alan (Consultant) commented:
Hi,

I would just add to Btan's comment that, if you set that to zero, I believe it will apply to all accounts on that machine, including the regular user.

Might be worth testing that to be sure, and see how it impacts on the user(s), if at all.

Alan.
0
btan (Exec Consultant) commented:
0
McKnife commented:
1st: to clear the credentials, you will simply have to restart the service called "workstation".
2nd: DON'T ever use domain admin credentials for user support. They are not meant to be used for user support but for DOMAIN ADMINISTRATION. Failing to do so can endanger your whole domain.

Please read my article thoroughly where I show an alternative: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
0
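Added example, not McKnife's own code: a way to see what an admin credential entered at a share prompt actually leaves behind in the assisted user's logon session, and to remove it. The inspection and the `net use`/`klist` cleanup run as the user inside their own session (SMB connections, Kerberos tickets and Credential Manager entries are all per logon session); the Workstation service restart McKnife mentions needs administrative rights, so it is done here from a separate admin session over WinRM rather than by elevating inside the user's session. The service name `LanmanWorkstation` is the display name "Workstation"; the function names and `$Computer` are ours.

```powershell
# Added example (not from McKnife's comment). Run the first two functions as the
# assisted user, in their own session. Assumed: function names are ours; the
# "Workstation" service's name is LanmanWorkstation.

function Show-SessionCredentialState {
    # The Credential column is the decisive check: it shows which account each open
    # SMB connection is using, e.g. DOMAIN\admin on a share the user opened.
    Write-Host '--- Open SMB client connections and the credential behind each ---'
    Get-SmbConnection |
        Select-Object ServerName, ShareName, UserName, Credential, NumOpens |
        Format-Table -AutoSize

    # Tickets of this logon session. Credentials typed explicitly for a share may be
    # held by LSA for that connection rather than appear here, hence the SMB view above.
    Write-Host '--- Kerberos tickets held by this logon session ---'
    klist

    Write-Host '--- Credential Manager entries saved for this user ---'
    cmdkey /list
}

function Clear-SessionCredentialState {
    # Drop every mapped drive and UNC connection so nothing keeps using the other identity.
    net use * /delete /y | Out-Null
    # Discard all Kerberos tickets of this session.
    klist purge | Out-Null
}

function Restart-WorkstationService {
    param([Parameter(Mandatory)][string]$Computer)   # placeholder target name
    # McKnife's step, done from the admin's own session: restarting Workstation tears
    # down every SMB client session on the machine. -Force also restarts services that
    # depend on it (Netlogon among them), so expect a short disruption for the user.
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Restart-Service -Name LanmanWorkstation -Force
    }
}

# As the user, in their session:
Show-SessionCredentialState
Clear-SessionCredentialState
Show-SessionCredentialState

# From the admin workstation, if anything is still connected:
# Restart-WorkstationService -Computer 'WS-USER01'
```

If the `Credential` column still shows the admin account after `net use * /delete`, an application holds the connection open; the service restart is what closes it. The output of `Show-SessionCredentialState` before the cleanup is also the evidence to keep when deciding whether a reset of the admin account's password is warranted.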
SnAkEhIpS (Author) commented:
Everyone has pointed me in the right direction. However, reading McKnife's post has given me pause. I need to evaluate this in practice before assigning any points and closing the question; not that points are of great concern to many, but I want to be fair. I work in a sector that demands more stringent security than has been previously practiced in our particular environment. Everything concerns me. The threat landscape evolves rapidly and I'd like an opportunity to evaluate this suggestion before calling it "done". If others have suggestions, feel free to chime in.
0
SnAkEhIpS (Author) commented:
The glaring issue I see with this McKnife is the following statement: "The usage scenario: User needs support, the problem has been identified: it is not a user profile problem so we will not need to work inside the user's session..."

The assumption in my use case is that I need to perform Windows Remote Assistance in the user's session. In your experience is this possible using the same or similar techniques that you've described using RDP?
0
McKnife commented:
Look, you seem to misunderstand something: if it is a problem that can only be corrected when acting as user, then no administrative permissions are needed, thus no account change. If it is a problem that can only be corrected by an admin, then the corrective action can and should be performed in the admin session, not in the user session.

Your use case "enter admin credentials inside the user session" is never needed and should never be done for security reasons.
0
Alan (Consultant) commented:
Hi SnAkEhIpS,

Do you mean that there is a one-time requirement during, say, initialisation / first run (as opposed to installation) of an application, that needs to do something requiring admin rights (or at least more rights that the user has) in order to run, but thereafter, the software will run fine as the normal user?

Thanks,

Alan.
0
SnAkEhIpS (Author) commented:
Actually, both issues exist Alan. That is to say, domain credentials are being used to perform remote support tasks and we also have some applications that have a one-time requirement for initialization or first use. The former practice we can eliminate, but the latter we don't have a workaround for at this time.
1
McKnife commented:
Please come back to my suggestion and name one example where it wouldn't suffice to remote into the machine with a different account and make the required change or installation or corrective measure as admin.
Sure, there are applications that ask the user for administrative permissions at first start, but that can be overcome by preseeding things as admin - if you know how.
0
SnAkEhIpS (Author) commented:
"Preseeding things as admin"... it seems to me that you are referring to https://msdn.microsoft.com/en-us/library/windows/desktop/aa369519(v=vs.85).aspx or https://msdn.microsoft.com/en-us/library/windows/desktop/aa372468(v=vs.85).aspx or altering an application's manifest or using some other method. Obviously, I'm seeking the solution involving the least complexity, because, as we all know, every IT department has limited resources and staff with varying skill sets. If anyone has anything more to add, please do. Perhaps I'm still misunderstanding something.
0
McKnife commented:
Those links are not what I meant. Preseeding would simply mean to adjust permissions before the user runs into permission issues. I am on vacation and not ready to type a lot on my phone. Will return on Tuesday. If you could name an example by then, we can discuss it.
0
Alan (Consultant) commented:
If it is just the one-time initialisation that is an issue, then you could do it this way:

1) Change the user password to something only you know

2) Make the user a local admin

3) RDP in using the user credentials

4) Install / initialise as required

5) Reboot the user's machine

6) Make the user a normal (non admin) user

7) Change the user's password to something, and force them to immediately change it to whatever they like

That way you have never had your (domain admin) credentials on their machine.

Alan.
0
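Added example, not Alan's own code: his seven steps as a script run from the admin's own workstation, so the domain admin credential is never typed on the user's machine. It assumes the RSAT ActiveDirectory module, WinRM reachable on the target, the Microsoft.PowerShell.LocalAccounts cmdlets on the target (Windows 10 / Server 2016 and later), and that steps 3 and 4 (RDP in as the user and run the one-time initialisation) are done by hand. `$User`, `$Computer` and the function name are placeholders of ours.

```powershell
# Added example (not Alan's code): scripted version of his steps 1, 2, 5, 6 and 7.
# Assumed: ActiveDirectory module, WinRM to the target, LocalAccounts cmdlets there;
# $User and $Computer are placeholder names.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) left out so the password can be read over the phone.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Modulo mapping has a slight bias; acceptable for a password that lives for minutes.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$User     = 'jdoe'      # placeholder sAMAccountName
$Computer = 'WS-JDOE'   # placeholder computer name
$Domain   = (Get-ADDomain).NetBIOSName

# Step 1: reset the password to something only the admin knows. Do not log $temp.
$temp = New-TemporaryPassword
Set-ADAccountPassword -Identity $User -Reset `
    -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)

# Step 2: make the user a local admin on their own machine, and only there.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    param($m) Add-LocalGroupMember -Group 'Administrators' -Member $m
} -ArgumentList "$Domain\$User"

# Steps 3-4: RDP to $Computer as $Domain\$User with $temp, run the initialisation, log off.
Write-Host "Temporary password for $Domain\$User (use it for the RDP session only): $temp"
Read-Host 'Press Enter once steps 3 and 4 are complete'

# Step 5: reboot; this also ends any session still holding the temporary admin token.
Restart-Computer -ComputerName $Computer -Force -Wait -For PowerShell -Timeout 600

# Step 6: back to a normal (non-admin) user.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    param($m) Remove-LocalGroupMember -Group 'Administrators' -Member $m
} -ArgumentList "$Domain\$User"

# Step 7: a fresh password to hand over out of band, and a forced change at next logon.
$handover = New-TemporaryPassword
Set-ADAccountPassword -Identity $User -Reset `
    -NewPassword (ConvertTo-SecureString $handover -AsPlainText -Force)
Set-ADUser -Identity $User -ChangePasswordAtLogon $true
Write-Host "Give $Domain\$User this one-time password out of band: $handover"
```

Keep the window between steps 2 and 6 short and verify afterwards that the user is no longer in the local Administrators group; the two password resets show up on the domain controller as event 4724, which is a useful trail for later review.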