{
	"id": "a1f5ddf0-6ec4-4a5b-a4f6-1332dd406e55",
	"created_at": "2026-04-06T00:19:55.602128Z",
	"updated_at": "2026-04-10T03:22:07.923536Z",
	"deleted_at": null,
	"sha1_hash": "d31b63f3fc22d32254bee2aa20e721f2437046f3",
	"title": "Network access: Do not allow storage of passwords and credentials for network authentication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51378,
	"plain_text": "Network access: Do not allow storage of passwords and credentials\r\nfor network authentication\r\nBy Archiveddocs\r\nArchived: 2026-04-05 16:09:48 UTC\r\nApplies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows\r\n8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8\r\nThis security policy reference topic for the IT professional describes the best practices, location, values, policy\r\nmanagement and security considerations for this policy setting.\r\nReference\r\nThis security setting determines whether Credential Manager saves passwords and credentials for later use when it\r\ngains domain authentication.\r\nPossible values\r\nEnabled\r\nCredential Manager does not store passwords and credentials on the computer.\r\nDisabled\r\nCredential Manager will store passwords and credentials on this computer for later use for domain\r\nauthentication.\r\nNot defined\r\nBest practices\r\nIt is a recommended practice to disable the ability of the Windows operating system to cache credentials on any\r\ncomputer where credentials are not needed. Evaluate your servers and workstations to determine the requirements.\r\nCached credentials are designed primarily to be used on laptops that require domain credentials when\r\ndisconnected from the domain.\r\nLocation\r\nGPO_name\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options\r\nDefault values\r\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852185(v=ws.11)?redirectedfrom=MSDN\r\nPage 1 of 4\n\nThe following table lists the actual and effective default values for this policy. Default values are also listed on the\r\npolicy’s property page.\r\nServer type or Group Policy Object (GPO) Default value\r\nDefault domain policy Disabled\r\nDefault domain controller policy Disabled\r\nStand-alone server default settings Disabled\r\nDomain controller effective default settings Not defined\r\nMember server effective default settings Not defined\r\nEffective GPO default settings on client computers Not defined\r\nOperating system version differences\r\nThis policy is present in Windows Server 2003 and Windows XP, and it is named Network access: Do not allow\r\nstorage of credentials or .NET Passports for network authentication. The policy name was modified for\r\nWindows Server 2008 and Windows Vista. However, this policy can be applied to all Windows server operating\r\nsystems through Group Policy.\r\nPolicy management\r\nThis section describes features and tools that are available to help you manage this policy.\r\nRestart requirement\r\nA restart of the computer is required before this policy will be effective when changes to this policy are saved\r\nlocally or distributed through Group Policy.\r\nGroup Policy\r\nAlthough the name of this policy was changed in Windows Server 2008 and Windows Vista, it can be applied to\r\nWindows Server 2003 and Windows XP.\r\nSecurity considerations\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nVulnerability\r\nPasswords that are cached can be accessed by the user when logged on to the computer. Although this information\r\nmay sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords\r\nand forwards them to another, unauthorized user.\r\nNote\r\nThe chances of success for this exploit and others that involve malicious software are reduced significantly for\r\norganizations that effectively implement and manage an enterprise antivirus solution combined with sensible\r\nsoftware restriction policies. For more information, see Software Restriction Policies.\r\nRegardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be\r\noverwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the\r\nadministrator's password may be overwritten. This procedure requires physical access to the computer. Utilities\r\nexist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by\r\nusing the overwritten value.\r\nOverwriting the administrator's password does not help the attacker access data that is encrypted by using that\r\npassword. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS)\r\ndata that belongs to other users on that computer. Overwriting the password does not help an attacker replace the\r\nverifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File\r\nSystem or by using the Data Protection API (DPAPI) will not decrypt.\r\nCountermeasure\r\nEnable the Network access: Do not allow storage of passwords and credentials for network authentication\r\nsetting.\r\nTo limit the number of changed domain credentials that are stored on the computer, set the cachedlogonscount\r\nregistry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid\r\nlogons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating\r\nsystem remember 10 cached logons, except Windows Server 2008 R2 and Windows Server 2008, which are set at\r\n25.\r\nWhen you try to log on to a domain from a Windows-based client computer, and a domain controller is\r\nunavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached\r\ndomain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC\r\nregistry entry.\r\nPotential impact\r\nUsers are forced to type passwords whenever they log on to their Windows Live ID or other network resources\r\nthat are not accessible to their domain account. This policy setting should have no impact on users who access\r\nnetwork resources that are configured to allow access with their Active Directory–based domain account.\r\nAdditional resources\r\nFor information about how the Windows operating system stores and manages credentials, see Cached and Stored\r\nCredentials Technical Overview.\r\nSource: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852185(v=ws.11)?redirectedfrom=MSDN",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852185(v=ws.11)?redirectedfrom=MSDN"
	],
	"report_names": [
		"jj852185(v=ws.11)?redirectedfrom=MSDN"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d31b63f3fc22d32254bee2aa20e721f2437046f3.pdf",
		"text": "https://archive.orkl.eu/d31b63f3fc22d32254bee2aa20e721f2437046f3.txt",
		"img": "https://archive.orkl.eu/d31b63f3fc22d32254bee2aa20e721f2437046f3.jpg"
	}
}