At 12:04 AM 3/23/98 -0500, David LeBlanc wrote: The way to disable this is to use the CachedLogonsCount registry value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. Default value is 10 if the key doesn't exist. I keep my set at 1 so only the first logon is cached. NT does store the hashes and not clear text. It store these credentials in the HKLM\SECURITY\Policy\Secrets area of the registry as NL$1 to NL$10 and it stores the lanman hash followed by the NT hash followed by 3 bytes of 'status'. (as per Paul Aston's posting to NTBUGTRAQ) I'd bet that these hashes are not syskeyed. > >There are also a number of entries corresponding to previous logins by >users. There is a way to turn this behavior off, but I don't recall at the >moment exactly what it is. > >Essentially, it is there to allow you to log on if the domain controller >can't be reached. I believe it stores hashes rather than clear-text. > >The RAS functionality can often be annoying as well - it tends to prompt me >for my password even when I'm using a script (which of course contains the >user-password pair in the clear). Not sure why it thinks it needs it - I >just leave it blank, but a less astute user would probably type in their >actual password. > > >David LeBlanc |Why would you want to have your desktop user, >dleblancat_private |your mere mortals, messing around with a 32-bit > |minicomputer-class computing environment? > |Scott McNealy >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:54 PDT