ways to disable /savecred

By Craig IT Mangaer ·
Has anyone figured out how to "disable" the /savecred feature for Windows XP/2003? I don't want to kill the runas command but don't want the password to be stored on a local computer. Has anyone found where this information is stored so that it could be deleted when a user logs off or back on (at a minimum)?

This conversation is currently closed to new comments.

by saihib In reply to ways to disable /savecred

The RunAs utility in WinXP Pro has a /savecred option. Is there a GPO setting to disable this on administrator workstations so passwords must be provided by admins?
This question posed on 12 April 2005


Sadly, there doesn't seem to be one. Many people have lamented the fact that the /savecred option in RunAs can be a massive security hole. With this in mind, I've recommended in the past not using RunAs to run programs in the context of an administrator, simply because it's too easily defeated. There are a number of better solutions, such as TQRunas, which allows you to run programs as administrator without revealing administrator credentials to the end user. CPAU is another (freeware) solution to the same problem, again with some more attention paid to security.

by Craig IT Mangaer In reply to

You aren't trying hard enough. That's the easy way out. This obviously doesn't help the problem short of disabling the runas command. There has to be a place this information is stored. We just need to figure out where it is and then come up with a way to deal with it.

by Gooshie In reply to ways to disable /savecred

There is a security policy you can set to disable this. However, it will also disable saving credentials for Passport, network shares and Exchange Server.

Under Security Options, set "Network access: Do not allow storage of credentials or .NET Passports for network authentication" to Enabled. Or, you can change it in the registry by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\disabledomaincreds to 1.
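
An added example (not posted by anyone in this thread) that audits the registry value named in the answer above and, when asked, sets it and re-reads it to confirm. The function names are hypothetical; it assumes PowerShell is available on the machine and that the session has administrative rights for the write.

```powershell
# Added example: only the key path and value name come from the thread.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'disabledomaincreds'

function Get-CredStoragePolicy {
    # Read the value; a missing value means the policy was never set,
    # so credential storage is treated as still allowed.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        $raw = $null
        $blocked = $false
    } else {
        $raw = $item.$ValueName
        $blocked = ($raw -eq 1)
    }
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        RawValue       = $raw
        StorageBlocked = $blocked
    }
}

function Set-CredStoragePolicy {
    # Hypothetical helper: changes nothing unless -Enforce is given.
    param([switch]$Enforce)
    $before = Get-CredStoragePolicy
    if ($before.StorageBlocked) { return $before }   # already set to 1
    if (-not $Enforce) {
        Write-Warning "$ValueName is not 1 on $($before.Computer); re-run with -Enforce to set it."
        return $before
    }
    # Write the value as a DWORD, overwriting any existing value of another type.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    $after = Get-CredStoragePolicy
    if (-not $after.StorageBlocked) {
        throw "Write to $LsaKey\$ValueName did not take effect."
    }
    return $after
}

# Report-only by default; uncomment the second line to apply the setting.
Get-CredStoragePolicy
# Set-CredStoragePolicy -Enforce
```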

by Craig IT Mangaer In reply to ways to disable /savecred

The last answer showed promise but upon testing, it was evident that the credentials had been saved. I will do further testing to see if the credentials aren't saved once you log off and/or reboot to be sure.
