Cached Logon Hashes


Windows NT caches previous users' logon information locally so that they can still
log on when a logon server (domain controller) is unavailable during a subsequent
logon attempt. If a domain controller is unavailable and the user's logon information
is cached, the user is prompted with a dialog that says:

A domain controller for your domain could not be contacted.
You have been logged on using cached account information. Changes to your
profile since you last logged on may not be available.

With caching disabled, the user is instead prompted with this message:

The system cannot log you on now because the domain
is not available.

Windows 2000 suppresses the "A domain controller for your domain could not be
contacted" message by default. To suppress the message in NT4:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ReportDC
Type: REG_DWORD
Value: 0 suppress domain controller message
Value: 1 don't suppress domain controller message

By default, Windows NT remembers the 10 most recent logons. The valid range of
values for this parameter is 0 to 50. Because the hashes are stored locally on the
workstation, there is a real possibility of exposing the passwords of powerful
domain accounts.

A value of 0 disables logon caching (appropriate for a high-security
environment) and any value above 50 still caches only 50 logons. For
workstations I recommend setting CachedLogonsCount to 1 as the best balance
between functional and security needs. See LSA Secrets for background.

I don't want to give a tutorial on the exact method, but let's say JoeDummy
calls for help stating that he is having a problem logging on. An installer or
domain admin comes by and logs in to resolve the issue, leaving a copy of
their powerful account's hash cached on the workstation. The admin leaves and
JoeDummy, now JoeHacker, runs a dictionary attack against the hash (assuming he
or she discovers how to get at it). To prevent this attack, I recommend setting
the number of cached passwords to 1. A person with a powerful domain account
logs into the PC, fixes the problem and leaves a cached hash. That person then
has the owner of the PC log in immediately, which overwrites the powerful
account's hash with the owner's, or the person with the powerful account logs in
with a powerless domain account in the first place, leaving only a worthless
hash cached. Setting the cached hashes to zero is more secure, but setting it to
1 reaches a good balance between functionality and security (assuming personnel
with powerful accounts understand the risk and avoid exposing their powerful
accounts to attack).

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: CachedLogonsCount
Type: REG_SZ
Value: 0 no cached passwords
Value: 1 my recommendation
Value: 2-50 caches that many logons
Value: 51 and above caches 50 hashes

This setting is best set with RegKey.exe from the Resource Kit. When possible,
avoid direct registry editing and use indirect registry modifiers such as RegKey
and TweakUI.
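To make the trade-off in the table concrete, here is an added example (written for this edit, not code from the original page) in Python. It applies the documented value ranges (0 disables, 1-50 as given, anything higher clamped to 50) and replays the JoeDummy scenario against a simplified model of the cache. The names `LogonCache`, `privileged_exposure` and `audit_workstation` are my own, the cache model (one entry per account, oldest evicted first, a repeat logon refreshing that account's entry) and the treatment of negative or non-numeric values as "use the default" are assumptions about the real behaviour, and the live registry read only works on Windows; everywhere else it falls back to the default of 10.

```python
"""Model of the CachedLogonsCount trade-off: which hashes survive on a workstation.

Added example, not part of the original page. The cache model below is a
simplification (assumption): one entry per account, most recent last, oldest
evicted once the limit is exceeded, and a repeat logon refreshes the existing
entry instead of adding a second one.
"""
import sys
from collections import OrderedDict

DEFAULT_CACHED_LOGONS = 10   # Windows NT default when the value is absent
MAX_CACHED_LOGONS = 50       # anything above this still caches only 50


def effective_cache_size(reg_value):
    """Translate the REG_SZ string to the number of logons actually cached.

    Assumption: a missing, non-numeric or negative value behaves like the
    default (10); values above 50 are clamped to 50 as the table states.
    """
    if reg_value is None:
        return DEFAULT_CACHED_LOGONS
    try:
        count = int(str(reg_value).strip())
    except ValueError:
        return DEFAULT_CACHED_LOGONS
    if count < 0:
        return DEFAULT_CACHED_LOGONS
    return min(count, MAX_CACHED_LOGONS)


class LogonCache:
    """Simplified per-account cache of logon verifiers (oldest entry first)."""

    def __init__(self, limit):
        self.limit = limit
        self._entries = OrderedDict()   # account -> cached verifier

    def logon(self, account, verifier):
        """Record a successful domain logon; return the evicted account, if any."""
        if self.limit == 0:
            return None                 # caching disabled: nothing stored
        if account in self._entries:
            del self._entries[account]  # refresh: move to most-recent position
        self._entries[account] = verifier
        if len(self._entries) > self.limit:
            evicted, _ = self._entries.popitem(last=False)
            return evicted
        return None

    def cached_accounts(self):
        return list(self._entries)

    def is_cached(self, account):
        return account in self._entries


def privileged_exposure(cache_size, logons, privileged):
    """Replay a logon sequence and list the privileged accounts left cached."""
    cache = LogonCache(cache_size)
    for account in logons:
        cache.logon(account, "verifier-of-" + account)   # constructed placeholder
    return [a for a in cache.cached_accounts() if a in privileged]


def audit_workstation(reg_value):
    """Rate a CachedLogonsCount setting. Returns (effective_size, verdict)."""
    size = effective_cache_size(reg_value)
    if size == 0:
        return size, "caching disabled (high security)"
    if size == 1:
        return size, "recommended: one cached logon"
    return size, "exposes %d cached logons; consider 1 or 0" % size


def read_cached_logons_count():
    """On Windows, read the live value from Winlogon; elsewhere return None."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "CachedLogonsCount")
        return value
    except FileNotFoundError:
        return None                     # value absent: default applies
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    # Scenario from the text (constructed sequence): the domain admin fixes
    # JoeDummy's PC, then JoeDummy logs back on.
    sequence = ["JoeDummy", "DomainAdmin", "JoeDummy"]
    for n in (10, 1, 0):
        print("CachedLogonsCount=%d -> privileged hashes left: %s"
              % (n, privileged_exposure(n, sequence, {"DomainAdmin"})))
    print(audit_workstation(read_cached_logons_count()))
```

With the default of 10 the admin's hash is still on the box after the owner logs back on; with 1 the owner's logon evicts it, which is exactly the "have the owner log in immediately" procedure above, and with 0 nothing is stored at all.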

A different hack disables domain password caching in the sense that, if you
need to access a new resource, you are forced to re-enter your password for
each new resource accessed. It would drive your users nuts, but for a high-security
environment it has real potential. Perhaps this makes sense for administrator
workstations.

Hive: HKEY_LOCAL_MACHINE
Key: Network\Logon
Name: NoDomainPwdCaching
Type: REG_DWORD
Value: 1
