Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

Info Nessus Plugin ID 11457

Synopsis

User credentials are stored in memory.

Description

The registry key 'HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ Winlogon\CachedLogonsCount' is not 0. Using a value greater than 0 for the CachedLogonsCount key indicates that the remote Windows host locally caches the passwords of the users when they login, in order to continue to allow the users to login in the case of the failure of the primary domain controller (PDC).

Cached logon credentials could be accessed by an attacker and subjected to brute force attacks.

Solution

Consult Microsoft documentation and best practices.

See Also

http://www.nessus.org/u?184d3eab

http://www.nessus.org/u?fe16cea8

https://technet.microsoft.com/en-us/library/cc957390.aspx

Plugin Details

Severity: Info

ID: 11457

File Name: smb_reg_cachedlogons.nasl

Version: 1.17

Type: local

Agent: windows

Family: Windows

Published: 2003/03/24

Modified: 2018/06/05

Dependencies: 10400, 10150, 10394

Risk Information

Risk Factor: Info

Vulnerability Information

Required KB Items: SMB/transport, SMB/name, SMB/login, SMB/password, SMB/registry_access