Enabled Cached Logon Credential

Discussion created by adamc on Mar 30, 2017

QID:90007 - Enabled Cached Logon Credential


Threat / Description:
Windows NT may use a cache to store the last interactive logon (i.e. console logon), to provide a safe logon for the host in the event that the Domain Controller goes down. This feature is currently activated on this host.


Unauthorized users can gain access to this cached information, thereby obtaining sensitive logon information.


We recommend that you locate the following Registry key, and then set or create a REG_SZ 'CachedLogonsCount' entry with a '0' value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon



In my network environment I see 10k+ instances of this vulnerability detected.  Our configuration has this set to a value of 3.  Per the vulnerability details, this finding only makes sense for remediation, however I do not agree with the determination or the fact it is a Severity 2.  The terminology is bad and derived from poor Microsoft best practice guidelines.  This configuration does not affect the hashing of logon credentials, it removes the functionality of the cached log-on verifier.  If there was documented evidence of attackers or academia successfully obtaining sensitive information from the cached-log-on verifier or cracking PBKDF2 then it would merit a Severity 2 vulnerability.  This setting should be an IG instead of a vulnerability.


Anyone say/think otherwise?