Each time you log on interactively to a Windows domain, your Windows system securely caches your domain credentials. Thanks to this feature, you can log on to the domain when no DCs are available or when your machine is disconnected from the network. Secure caching means that the system’s LSA will store a hash of the password hash in the system registry. In other words: the cached credentials cannot be used to derive either the password hash or the original password. The cached credentials are stored in the following registry key: HKEY_LOCAL_MACHINE\Security\Cache. In order to see the content of the Security registry container you must change its default permissions. Logging on with cached domain credentials gives you access only to the local resources on your machine, not to resources that are hosted on other domain-member machines.
From a security standpoint, this feature clearly has risks. A user can intentionally disconnect a local machine from the network, for example to get around the fact that the administrator disabled the machine’s domain account, and then still log on to the domain. This type of logon, however, gives the user access only to local resources.
You can disable cached-account logon sessions and force a user’s machine to contact a DC before the user can log on to the domain. You can do so using a registry hack or a GPO setting. To disable cached-account logon sessions using a registry hack, create the CachedLogonsCount registry entry of type REG_SZ and set its value to 0 in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey. To do the same thing using a GPO setting, configure the “Interactive logon: number of previous logons to cache (in case domain controller is not available)” setting and set it to 0. This setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. Do not set the number of logons to cache to 0 on mobile users’ laptops: these users would be unable to log on with their domain credentials when away from the office.
You must restart the computer for this change to apply. When credential caching is disabled and no DC is available, a user can still log on to the machine using a local account. Although the CachedLogonsCount entry doesn’t appear in the registry by default, NT caches a set of 10 domain credentials by default. The maximum value for CachedLogonsCount is 50.
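The following PowerShell script is an added example, not part of the original text: it audits the effective CachedLogonsCount on the local machine (treating an absent entry as the default of 10 and values above 50 as 50), flags the laptop case the text warns about by checking for a battery, and offers a `-WhatIf`-capable function that applies the registry hack. The function names and the battery-based laptop detection are assumptions of this example; it assumes an elevated session on the machine being audited.

```powershell
# Added example: audit and optionally harden the CachedLogonsCount registry entry.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Effective value: the entry is absent by default, and NT then caches 10 logons.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    $value = [int]$item.CachedLogonsCount   # stored as REG_SZ, hence the cast
    if ($value -gt 50) { return 50 }         # 50 is the documented maximum
    return $value
}

function Test-IsMobileDevice {
    # Assumption of this example: a machine with a battery is treated as a laptop.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    return ($null -ne $battery)
}

function Test-CachedLogonsPolicy {
    $count  = Get-CachedLogonsCount
    $mobile = Test-IsMobileDevice
    if ($count -eq 0 -and $mobile) {
        return 'WARN: caching disabled on a laptop; domain logon fails when no DC is reachable'
    }
    if ($count -eq 0) {
        return 'OK: cached domain logons are disabled; a DC is required for domain logon'
    }
    return "INFO: $count cached domain logons allowed; a disconnected machine still accepts domain logons"
}

function Disable-CachedLogons {
    # Applies the registry hack from the text. Supports -WhatIf so the audit can run read-only.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (Test-IsMobileDevice) {
        Write-Warning 'This looks like a laptop; users will be unable to log on away from the office.'
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Set CachedLogonsCount (REG_SZ) to 0')) {
        # Set-ItemProperty creates the entry if it does not exist yet.
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value '0' -Type String
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

Test-CachedLogonsPolicy
# To apply the hardening on a desktop or server, run: Disable-CachedLogons -WhatIf  (then without -WhatIf)
```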
The credential caching discussed in this section should not be confused with Windows XP and Windows Server 2003’s capability to store user credentials in the user’s profile, a feature that is known as the credential manager and that is discussed in more detail in Chapter 9. Also, this credential caching is different from the caching mechanisms offered by certain authentication protocols. Kerberos, for example, offers client-side ticket caching. Kerberos is discussed in greater detail in Chapter 5.