Wednesday 17 June 2015

Understanding and managing cached credentials with Windows 7/8/2008/2012

Windows frequently stores credentials in Credential Manager for user logins and for services such as Remote Desktop Services. If you've ever wondered how to manage all of these
credentials, there is a command-line utility called cmdkey (available from Server 2003 onwards) that lets you list, add and remove them.

Passwords stored in Credential Manager are encrypted (with DPAPI, under the logged-on user's master key), although some credential types are easier to decrypt than others: anything the user's own applications can read back can also be recovered by any code running as that user.

There are three main switches:

cmdkey /list
Displays all stored credentials.

cmdkey /add:targetname /user:username /pass:password
Adds a domain credential for a specific target (e.g. the remote server you connect to over RDP; mstsc looks these up under the target name TERMSRV/servername). Use /generic:targetname instead of /add: to store a generic credential. If /pass: is omitted, cmdkey prompts for the password instead of taking it from the command line (and leaving it in the command history).

cmdkey /delete:targetname
Deletes a specific target's credentials from the store.
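The three switches above, wrapped in PowerShell so that the output of cmdkey /list can be handled as objects rather than text. This is an added example and not part of the original post; the host name, user name and function names are placeholders chosen for illustration.

```powershell
# Added example (not from the original post). Wraps cmdkey so stored
# credentials can be listed as objects, added for an RDP target and removed.
# Host names, user names and function names below are placeholders.

function Get-StoredCredential {
    # Parse 'cmdkey /list' into objects with Target, Type and User properties.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        switch -Regex ($line.Trim()) {
            '^Target:\s*(.+)$' {
                if ($current) { $entries += $current }
                $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
            }
            '^Type:\s*(.+)$' { if ($current) { $current.Type = $Matches[1] } }
            '^User:\s*(.+)$' { if ($current) { $current.User = $Matches[1] } }
        }
    }
    if ($current) { $entries += $current }
    $entries
}

function Add-RdpCredential {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # mstsc looks credentials up under TERMSRV/<host>. The password is only
    # decrypted for the cmdkey call, but note that it is still passed on the
    # command line of the child process.
    $plain = [pscredential]::new($UserName, $Password).GetNetworkCredential().Password
    cmdkey /add:"TERMSRV/$ComputerName" /user:$UserName /pass:$plain | Out-Null
}

function Remove-RdpCredential {
    param([Parameter(Mandatory)][string]$ComputerName)
    cmdkey /delete:"TERMSRV/$ComputerName" | Out-Null
}

# Usage (placeholder host and account):
# Add-RdpCredential -ComputerName srv01.corp.example -UserName 'CORP\alice' -Password (Read-Host -AsSecureString 'Password')
# Get-StoredCredential | Where-Object Target -like '*TERMSRV*' | Format-Table -AutoSize
# Get-StoredCredential | Group-Object Type | Select-Object Name, Count   # how many Generic vs Domain entries
# Remove-RdpCredential -ComputerName srv01.corp.example
```

Grouping by Type is the quick audit: Generic entries are the ones whose passwords any process running as the user can read back, so they deserve a closer look than Domain Password entries.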

Example output of 'cmdkey /list':

Currently stored credentials:

    Target: LegacyGeneric:target=Microsoft_OC1:uri=user@domain.com:specific
EWS:1
    Type: Generic
    User: domain\user

    Target: LegacyGeneric:target=Microsoft_OC1:uri=user@domain.com:specific
OCS:1
    Type: Generic
    User: user@domain.com

There are several different credential types:

- Generic Password: Used to store application-specific credentials (e.g. Outlook, Lync, etc.). Any process running as the user can read the password back, so these are the easiest to recover.
- Domain Password: Used for Windows network authentication (e.g. Outlook, RDP, etc.). More secure, as only the LSASS.exe process can decrypt the password; user-mode applications cannot read it back.
- Domain Visible Password: Similar to a domain password, except that the stored password is "visible", i.e. it can be read back by the user's own applications. Used for services such as .NET Passport.
- Certificates

These credentials are stored as encrypted blob files in the following paths (Windows 7 and above):

%USERPROFILE%\AppData\Roaming\Microsoft\Credentials

and

%USERPROFILE%\AppData\Local\Microsoft\Credentials

** Note: the files are marked Hidden and System, so you will need to untick "Hide protected operating system files" in Explorer's folder options before you will see anything in these directories (from the command line, dir /a or Get-ChildItem -Force shows them). **
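Listing the on-disk blobs from PowerShell, where -Force plays the role of unticking "Hide protected operating system files". This is an added example, not part of the original post; the comparison against cmdkey /list at the end is a rough sanity check only, since other stores (such as the Vault) are not covered here.

```powershell
# Added example (not from the original post). Enumerate the encrypted
# credential blob files in both Credentials directories. They carry the
# Hidden and System attributes, so -Force is required to see them.
$paths = @(
    (Join-Path $env:APPDATA      'Microsoft\Credentials'),   # Roaming
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials')    # Local
)

$blobs = foreach ($p in $paths) {
    if (Test-Path $p) {
        Get-ChildItem -Path $p -Force -File |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}
$blobs | Format-Table -AutoSize

# Rough cross-check: one blob file per stored credential is the usual case.
$blobCount = @($blobs).Count
$listCount = @(cmdkey /list | Select-String '^\s*Target:').Count
"Blob files on disk: $blobCount; entries reported by cmdkey /list: $listCount"
```

The Attributes column should read Hidden, System for every file, which is exactly why Explorer hides them by default. The blobs are DPAPI-protected with the user's master key, so copying them to another machine is not enough to recover the secrets without that key.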

Sources: http://securityxploded.com/networkpasswordsecrets.php
