Windows – In Windows XP, is it possible to disable user credential caching for particular users

Tags: hash, password, security, windows

I understand that when windows caches user credentials, these can sometimes be used by malicious parties to access other machines once a machine containing cached credentials is compromised, a method known as "pass the hash"[1]. For this reason I would like to get control over what's cached to reduce the risk of cached credentials being used maliciously.

It is possible to prevent all caching by zeroing HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount, but this is too indiscriminate: laptop users need to be able to log in when away from the network. What I would like to do is prevent the caching of credentials of certain users, such as administrators — is there any way to do that in Windows XP?

  1. http://www.lbl.gov/cyber/systems/pass-the-hash.html

Best Answer

The best practice, as is mentioned in many articles on the subject, is to set CachedLogonsCount=1. When the user logs into their laptop the admin credentials will be flushed. Be sure to explain to the user that they need to log in while connected to the network before leaving or they'll be locked out.

Also it's worth noting that Pass-The-Hash doesn't work on Kerberos. It's recommended you disable NTLM auth wherever it's convenient.

Recent Developments:
Programs that take advantage of GPUs (graphics cards) to crack NTLM passwords are becoming more popular, and extremely fast. A 7 character NTLM password can be cracked in <20 minutes with a reasonable home computer. Disabling NTLM Caching is becoming more important as recovering the password from the hash becomes easier (which could then be used for Kerberos, http-digest, or other authentication methods).

With the rise of cloud computing, cracking NTLM passwords in the cloud has made it possible to 'rent' the resources to crack almost any NTLM hash in a reasonable amount of time (though at some expense). Given these developments, everyone should be re-evaluating their password length and complexity policies; limiting the use and storage of NTLM hashes; and carefully evaluating (or guessing) how much a nefarious organization (competitor) would pay to get access to your systems.
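As an added example (not code from the thread above), the following PowerShell audits the two settings the answer discusses: the CachedLogonsCount value from the question, and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which governs whether LM/NTLMv1 responses are sent. The threshold values and the helper that writes the setting are assumptions for this example; run it elevated on the host being checked.

```powershell
# Added audit script, not from the original question or answer. Assumes PowerShell
# on the audited host; the Winlogon path is the one named in the question, the Lsa
# path is a standard location for LmCompatibilityLevel.
function Test-CachedLogonPolicy {
    param(
        [int]$MaxCachedLogons = 1,    # the answer's recommended setting
        [int]$MinLmCompatibility = 3  # 3 = send NTLMv2 only; 5 also refuses LM/NTLMv1 inbound
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # CachedLogonsCount is stored as REG_SZ; when the value is absent Windows uses 10.
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $cached = if ($null -eq $raw) { 10 } else { [int]$raw }
    if ($cached -gt $MaxCachedLogons) {
        $findings += "CachedLogonsCount is $cached (expected <= $MaxCachedLogons): " +
                     "domain credentials of up to $cached users stay cached on this host"
    }

    # A missing LmCompatibilityLevel also counts as a finding, since the default is low.
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lm -or $lm -lt $MinLmCompatibility) {
        $findings += "LmCompatibilityLevel is '$lm' (expected >= $MinLmCompatibility): " +
                     "LM/NTLMv1 responses may still be sent"
    }

    [pscustomobject]@{
        CachedLogonsCount    = $cached
        LmCompatibilityLevel = $lm
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Hypothetical helper: applies the answer's recommendation (or 0 for desktops).
function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Written as a string because the registry value type is REG_SZ.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

Test-CachedLogonPolicy | Format-List
```

Run the audit first and only call Set-CachedLogonsCount on laptops once users have been told to log in on the network before leaving, as the answer notes.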