question

CGMANI-7825 asked HannahXiong-MSFT answered

Is there any GPO that can turn off caching of "generic credentials"?

I find it ridiculous that MS has provided group policy to disable network and cert based creds, but NOT generic ones. It seems to be well documented on the internet that these "generic credentials" where O365 stores them, are the number one way O365 accounts get compromised, and yet MS doesn't see the need to be able to disable the caching of the credentials for the corporate world. Do what you want with the home, but at least give admins the ability to secure their environment. I know there are scripts out there to keep clearing them from the vault, but to me that is an unacceptable answer. MS needs to provide a real administrative solution to the issue in the form of a GPO that allows the disablement of generic credentials for the corporate world.

With my rant over, if anyone has figured out a way to disable the caching of generic credentials, especially O365 credentials, I'd appreciate knowing how you did it.

windows-group-policy

HannahXiong-MSFT answered CGMANI-7825 commented

Hello @CGMANI-7825,

Thank you so much for posting here.

So sorry for the inconvenience caused. We could enable the group policy "Network access: Do not allow storage of passwords and credentials for network authentication" under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. However, it will not disable the caching of Generic Credentials.


115711-image.png

It is suggested that we could also disable the Credential Manager service. In my lab, I disabled the service, and below is the result.

115703-image.png

Here is the discussion, and we could kindly have a check.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/c70c73a3-6403-4f1f-b1df-b225836487c4/when-i-disable-windows-vault-via-group-policy-it-does-not-disable-the-storage-of-generic?forum=winserverfiles

Thank you so much for your understanding and support.

Best regards,
Hannah Xiong




Hannah,

Thank you for your response. I already have that group policy set, but as you mentioned and I stated in my OP, it does NOT disable the generic credentials, which is what I'm asking for a group policy based solution for. As far as disabling the service I have already done extensive testing with that, and it only prevents users from using the UI, it does not stop credential manager from functioning. As far as the link you sent, again they are suggesting using a script to keep clearing the vault, and as I stated in my OP, I don't view that as a real solution. It will take too much time and effort for IT to manage that and there is no way to really ensure it is working on a regular basis. MS needs to provide an administrative solution to this via GPO.

Regards
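An added example, not part of the original thread or any poster's script: an audit-only PowerShell sketch that reports which stored entries are of type Generic, so an administrator can measure how many such credentials exist per user rather than assume a clean-up ran. It assumes the English-locale text layout of `cmdkey /list`; the function names and the sample listing are constructed for illustration.

```powershell
# Added example: reports Generic entries only, deletes nothing.
# Assumption: English-locale `cmdkey /list` labels (Target:/Type:/User:).
# Credential Manager is per user, so run this in the user's own session
# (for example from a logon script) and collect the output centrally.

function ConvertFrom-CmdKeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new Target line closes the previous entry.
            if ($entry) { New-Object -TypeName psobject -Property $entry }
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    if ($entry) { New-Object -TypeName psobject -Property $entry }
}

function Get-GenericCredentialReport {
    # Defaults to the live listing for the current user.
    param([string[]]$Lines = (cmdkey.exe /list))
    ConvertFrom-CmdKeyList -Lines $Lines |
        Where-Object { $_.Type -eq 'Generic' } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Account';  e = { $env:USERNAME } },
                      Target, User
}

# Constructed sample listing so the parser can be exercised offline.
$sample = @'
Currently stored credentials:

    Target: LegacyGeneric:target=MicrosoftOffice16_Data:SSPI:user@example.com
    Type: Generic
    User: user@example.com
    Local machine persistence

    Target: Domain:target=fileserver.example.com
    Type: Domain Password
    User: EXAMPLE\user
'@ -split "`r?`n"

# Returns one row: the MicrosoftOffice16_Data entry. Omit -Lines for live data.
Get-GenericCredentialReport -Lines $sample
```

Piping the result to `Export-Csv` on a share or into an existing log pipeline gives a per-user record of remaining Generic entries.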

HannahXiong-MSFT answered

Hello @CGMANI-7825,

You are welcome. Thank you so much for your kind reply.

I could totally understand your situation and feeling. And I am sorry for the inconvenience caused since there is no group policy based solution for our requirement.

I would suggest you contact Microsoft Customer Services and Support to see whether we could get an efficient solution:

https://support.serviceshub.microsoft.com/supportforbusiness

Greatly appreciate your understanding and support.

Best regards,
Hannah Xiong
