3.013 - Caching of logon credentials must be limited.


The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well-protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.


If the system is not a member of a domain, this is NA.
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> 'Interactive Logon- Number of previous logons to cache (in case Domain Controller is not available)' to '2' logons or less.

See Also


Item Details


References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-28978r3_rule, STIG-ID|3.013, Vuln-ID|V-1090

Plugin: Windows

Control ID: 8616e74b079bbf088636dbfe0145fe0df97b7bf7ca33fbff09747838de20b5f2