From: RH (RHbeulah.org)
Date: Thu Nov 15 2001 - 13:30:40 CST

    I think Dimitri was actually asking for the *file* location of the password
    hashes that have been cached.. not how to turn off hashing. I would like to
    know too.
    I *also* would like to know where about the hashes that the SERVICES that
    log on with domain accounts store their password hashes (i.e. Exchange
    server and SMS use domain level service accounts; these servers have to have
    the password stored somewhere locally in order to authenticate the account
    and start the service).

    Anyone know these two things off the top of their head?

    -----Original Message-----
    From: Sean Waddell [mailto:swaddellespgroup.net]
    Sent: Thursday, November 15, 2001 10:42 AM
    To: Dimitri Limanovski
    Cc: 'focus-mssecurityfocus.com'
    Subject: Re: Cached Network Password

    There is a registry edit that you can make to prevent pwd's from being
    cached.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "CachedLogonsCount"="0"

    This should be part of your hardening process.

    -- 
    Sean Waddell
    Network Engineer
    The ESP Group
    

    Dimitri Limanovski wrote:
    >
    > If I'm not mistaken, by default WindowsNT/2000 will remember (cache) user
    > credentials, both local and network, unless defined otherwise via domain
    > security policy or by hand in the registry.
    > Now, where does OS keep this "cached" password? To test I first logged to
    > the network using one of the test machines. I then disconnected from the
    > network and logged using the same network credentials while actually
    > "offline". No problems there. (BTW, network password is remembered because
    > you'll get an error when trying to use anything else). I then used pwdump2
    > and extracted password hashes. I then tried to L0phtCrack it but was only
    > presented with the list of local users and their corresponding passwords.
    > Now, what happened to "cached" network username/password? Where does Windows
    > keep this information and is it possible to extract them?
    > Thanks in advance,
    >
    > Dimitri
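
An added example, not part of the original thread: a PowerShell check that reports whether a host has the `CachedLogonsCount` hardening value from Sean Waddell's reply in place. The function name `Test-CachedLogonsCount` and its `-MaxAllowed` parameter are assumptions made for this illustration; the fallback of 10 cached logons when the value is absent is the documented Windows default.

```powershell
# Added example: audit the CachedLogonsCount value named in the thread.
# Test-CachedLogonsCount and -MaxAllowed are hypothetical names.
function Test-CachedLogonsCount {
    param([int]$MaxAllowed = 0)   # 0 is the value recommended in the reply

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'
    $raw  = $null
    $note = 'value read from registry'

    try {
        # The value is stored as a string (REG_SZ), e.g. "0" or "10".
        $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
    } catch {
        # Missing value is not the same as 0: caching stays enabled.
        $note = 'value not set; Windows falls back to its default of 10'
    }

    $count = 10
    if ($null -ne $raw) {
        $parsed = 0
        if ([int]::TryParse([string]$raw, [ref]$parsed)) {
            $count = $parsed
        } else {
            # Unparseable data cannot be shown to disable caching.
            $note  = "non-numeric data '$raw'; treated as non-compliant"
            $count = [int]::MaxValue
        }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RawValue   = $raw
        Effective  = $count
        MaxAllowed = $MaxAllowed
        Compliant  = ($count -le $MaxAllowed)
        Note       = $note
    }
}

Test-CachedLogonsCount | Format-List
```

With `CachedLogonsCount` set to 0, a domain account cannot log on interactively while no domain controller is reachable, so laptops that roam off the network are usually audited with a small non-zero `-MaxAllowed` instead.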