Cached credentials are extremely useful for laptops that don’t always have a connection to their domain controllers. When you log on to one outside of your network, Windows checks whether the entered username and password match the locally cached copy and lets you in if they do. But that is not necessary on a desktop computer that is always wired to the network and can reach a domain controller.
By default, Windows caches up to 10 logons on the local computer, and these cached entries never expire. They are stored in the registry under the HKLM\SECURITY\Cache key.
Note that you will need to give yourself Read permission on that key before Registry Editor will show it, because by default only SYSTEM can open it.
The entries are stored as NL$1 through NL$10 values, and fortunately they are not plaintext passwords: each is a salted verifier (MS-Cache v2, a PBKDF2-based format on Windows Vista and later) that is further encrypted with a key held in the LSA secrets, so they cannot simply be read or decrypted. They still carry risk: an attacker who gains SYSTEM on the machine, or who reads the hives offline from the disk, can extract the verifiers and run an offline brute-force or dictionary attack against them, which recovers any weak password they cover. They cannot be reused directly in pass-the-hash attacks, so the exposure is proportional to password strength.
So, here are a few approaches to limit cached credentials on Windows computers.
First of all, add all accounts in the Domain Admins group to the Protected Users group so the credentials for these accounts won’t be cached locally. Be aware that membership also blocks NTLM authentication, DES and RC4 Kerberos encryption types and Kerberos delegation for those accounts, so if you have apps that integrate with AD over NTLM you may find you can no longer sign in to them with your own password. Never put service or computer accounts in the group, and test with one account before moving the whole group.
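As an added example (not code from the original post), the following PowerShell script compares the two groups and reports any Domain Admin that is not yet in Protected Users; with -Apply it adds them, and -WhatIf gives a dry run. It assumes the RSAT ActiveDirectory module is installed and the caller can modify group membership.

```powershell
# Added example, not from the original post: list Domain Admins that are not yet
# members of Protected Users and, with -Apply, add them. Assumes the RSAT
# ActiveDirectory module and rights to modify group membership.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

Import-Module ActiveDirectory

# -Recursive flattens nested groups so admins granted through a sub-group are caught too
$domainAdmins   = Get-ADGroupMember -Identity 'Domain Admins'   -Recursive | Where-Object objectClass -eq 'user'
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Where-Object objectClass -eq 'user'

# Compare on SID strings rather than names: a renamed account keeps its SID
$protectedSids = @($protectedUsers | ForEach-Object { $_.SID.Value })
$missing = @($domainAdmins | Where-Object { $protectedSids -notcontains $_.SID.Value })

if ($missing.Count -eq 0) {
    Write-Host 'Every Domain Admin is already in Protected Users.'
    return
}

Write-Host "Domain Admins not yet in Protected Users: $($missing.Count)"
$missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

if ($Apply) {
    foreach ($user in $missing) {
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run is: .\script.ps1 -Apply -WhatIf
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $user
        }
    }
}
```

Run it without -Apply first and review the list; the whole point of the Protected Users restrictions is that an account you did not expect to be there (a service account nested into Domain Admins, for instance) will break the moment it is added.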
Then, turn on BitLocker disk encryption if possible. Once the disk is encrypted, an attacker who steals the machine or boots it from other media cannot read the SECURITY hive offline. Keep in mind that BitLocker only protects data at rest; someone who already runs as SYSTEM on the live machine can still dump the cache, so it complements rather than replaces the other controls.
If BitLocker is not possible, disable cached credentials on all desktops and limit them to only 1 on all laptops (a single entry is enough for the laptop’s own user to sign in while away).
It’s easier to do so through GPO. Head over to the following location:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
and set Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 1 for laptops and 0 for desktops, using separate GPOs or WMI filters so each value reaches the right machines. Behind the scenes this policy writes the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Note that a value of 0 means a domain user cannot log on at all when no domain controller is reachable.
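To verify that the policy has actually landed on a machine, here is an added PowerShell audit script (not from the original post). It decides whether the machine is a laptop from the Win32_SystemEnclosure chassis type, which is an assumption about your hardware inventory rather than anything the post states, reads the effective CachedLogonsCount value and compares it with the 1-for-laptops, 0-for-desktops rule above; with -Fix it writes the expected value directly, which is useful on machines that are not domain-managed.

```powershell
# Added example, not from the original post: audit (and with -Fix, correct) the local
# CachedLogonsCount value behind "Interactive logon: Number of previous logons to cache".
param([switch]$Fix)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# Assumption: treat these SMBIOS chassis codes as portable (Portable, Laptop, Notebook,
# Hand Held, Docking Station, Sub Notebook, Tablet, Convertible, Detachable).
# Code 13 (All in One) is deliberately left out because it is a desktop form factor.
$portableTypes = @(8, 9, 10, 11, 12, 14, 30, 31, 32)
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = @($chassis | Where-Object { $portableTypes -contains $_ }).Count -gt 0

# Rule from the post: keep one cached logon on laptops, none on desktops
$expected = if ($isLaptop) { '1' } else { '0' }

# The value is REG_SZ; if it is absent Windows falls back to its default of 10
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '10' }

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Laptop    = $isLaptop
    Current   = $current
    Expected  = $expected
    Compliant = ($current -eq $expected)
}

if ($Fix -and $current -ne $expected) {
    # A GPO that manages this setting will overwrite a manual change at the next refresh,
    # so -Fix is meant for standalone or mis-scoped machines, not as a substitute for the GPO
    Set-ItemProperty -Path $key -Name $name -Value $expected -Type String
    Write-Host "Set $name to $expected; existing cache entries are trimmed at the next logon."
}
```

Run it under a remoting or scheduled-task job across the fleet and collect the objects it emits; any Compliant = False row shows a machine the GPO is not reaching, which is the gap an attacker with local SYSTEM would exploit.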
Additionally, you can have Windows tell the user when a logon was completed with cached credentials rather than against a domain controller by enabling the policy Report when logon server was not available during user logon under the following location:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options
Hey, thanks for the article. I think you made a small typo at the end. You say: “If BitLocker is not possible, disable cached credentials on all desktops and limit to only 1 for all laptops.” So far, so good! But later on, you say: “And set the Interactive Logon: Number of previous logons to cache to 0 for laptops and 1 for desktops.”. I think you meant the other way around: 1 for laptops, and 0 for desktops. Right?
You are indeed correct. Thanks for pointing it out to me. I’ve updated the post accordingly now. Cheers.