Domain Member: Caching of logon credentials must be limited


By default, Windows caches the logon credentials of users who log on interactively to a system. This feature exists for availability reasons, such as the user's machine being disconnected from the network or no domain controller being reachable. Although the credential cache is protected, an attacker who compromises the system can extract the cached data and run a password-cracking program against it offline to recover a domain user's password and gain access to the domain. Limiting the number of cached logons limits how many domain accounts are exposed this way.


The Windows default for this setting is 10 logons, which already satisfies this requirement; a value greater than 10 is a finding.

To fix this, configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_ Interactive logon: Number of previous logons to cache (in case domain controller is not available) to "10" logons or fewer.
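The policy above is stored in the registry as the REG_SZ value CachedLogonsCount under the Winlogon key, and Windows accepts values from 0 to 50. The following PowerShell script is an added example, not part of the STIG text, that audits the local machine against the 10-logon threshold and optionally corrects it. The registry path, value name and valid range are documented Windows behaviour; treating an absent value as the default of 10 is an assumption made here.

```powershell
# Added example (not part of the STIG text): audit, and optionally fix,
# "Interactive logon: Number of previous logons to cache" on the local host.
# Facts: the policy is backed by the REG_SZ value CachedLogonsCount under the
# Winlogon key below, and Windows accepts values 0-50.
# Assumption: a missing value is reported as the Windows default of 10.
param(
    [ValidateRange(0, 50)][int]$MaxAllowed = 10,   # STIG threshold from the text above
    [switch]$Remediate
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'CachedLogonsCount'

# The setting only matters on domain-joined systems, but it exists everywhere.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$applicable = [bool]$cs.PartOfDomain
$domainLabel = if ($applicable) { $cs.Domain } else { "workgroup $($cs.Workgroup)" }

$raw = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$current = 10                      # assumed Windows default when the value is absent
$parsed  = 0
if ($null -eq $raw) {
    $source = 'value absent; Windows default assumed'
} elseif ([int]::TryParse([string]$raw, [ref]$parsed)) {
    $current = $parsed
    $source  = "registry value '$raw'"
} else {
    # A non-numeric string is malformed; report a finding rather than guessing.
    $current = [int]::MaxValue
    $source  = "malformed registry value '$raw'"
}

$compliant = $current -le $MaxAllowed

if ($Remediate -and -not $compliant) {
    # Local change only: on a domain member a conflicting GPO will reapply its
    # own value at the next policy refresh, so the durable fix is the policy
    # path shown above. Requires an elevated prompt.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value ([string]$MaxAllowed) -Type String
    $current   = $MaxAllowed
    $compliant = $true
    $source   += " (remediated to $MaxAllowed)"
}

$status = if (-not $applicable) { 'Not Applicable' }
          elseif ($compliant)   { 'NotAFinding' }
          else                  { 'Open' }

[pscustomobject]@{
    VulnID     = 'V-1090'
    Computer   = $env:COMPUTERNAME
    Domain     = $domainLabel
    Applicable = $applicable
    Current    = $current
    MaxAllowed = $MaxAllowed
    Source     = $source
    Status     = $status
}
```

Save it as, for example, Check-CachedLogons.ps1 and run `.\Check-CachedLogons.ps1` to audit, or `.\Check-CachedLogons.ps1 -Remediate` from an elevated prompt to set the value to 10. Reading the Winlogon key works as a standard user; writing it requires administrative rights.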

This setting only applies to domain-joined systems; however, it is present and configured by default on all systems.

STIG Desktop:
W10: /

NIST 800-53: CM-6b.
CCI: CCI-000366
Rule-ID: SV-28978r3_rule
STIG-ID: 3.013
Vuln-ID: V-1090