So does it dump the first entry added to the table as the "oldest", or
does it dump the "oldest" entry that hasn't been used/updated?
On 16 Oct 2009, at 22:40, Scott Webster wrote:
I have tested this before, it definitely dumps the oldest.
From: [email protected] [mailto:pauldotcom-
[email protected]] On Behalf Of k41zen
Sent: Friday, October 16, 2009 1:47 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Windows Cached Credentials/Security Verifier
Thanks for the info. I'm in security so I'm against any cached creds
but also do understand the business requirement for them.
I'm also against services requiring domain creds too when running
and as the supplier has two services on the laptop plus probably an
admin account to build/configure it they are left with two spare
which isn't a lot. Then comes compliance/VA testing which probably
takes up the remaining two.
I was really after exactly how it works when the table/quota is
filled.
I'm back in the office on Monday and will try out a number of tools
to dump out the cached creds table and see what happens.
On 16 Oct 2009, at 20:57, Michael Dickey wrote:
I don't know the exact mechanics, but I believe it drops the oldest
one.
If you have access to domain machines and accounts, you could
probably test this. If you set the number down to 2 and grab
yourself 3 logins, you could start to verify which one is bumped off
as you get to the third one.
Personally, setting this value to 5 is no better than the default
value of 10. I personally prefer to use 1. This pretty much means
the primary user will be the only cached credential. If you have
concerns about your admin staff then being locked out, you could
make a case for 2. But really, it's those admin credentials you
really don't want lingering all over. For any non-mobile systems
that you expect to always be on a domain-enabled network, you could
make a good case for 0.
On Fri, Oct 16, 2009 at 9:30 AM, k41zen <[email protected]> wrote:
So the business wants users to be able to log onto laptops using
cached domain credentials whilst they are offline.
The supplier has limited the number of cached credentials/security
verifier's available to 5.
My question is how is the "security verifier's table" (for want of a
better description) managed? If it is full and as a 6th unique account
I logon connected to the domain, which entry gets overwritten? Does it
overwrite the oldest verifier that hasn't been logged on recently?
Does it overwrite the first one in the table?
I'm finding little info on the algorithm used (if any).
Grateful for any insight.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
