How to disable network password caching in XP pro?

davidjf

MIS
Jan 22, 2003
4
US
I support a computer lab on a university campus with PCs running XP Pro. We have a standalone file server set up to provide storage space for students. If a student on one of my lab machines accesses the file server via start->run->\\servername, they are prompted with a "connect to" box that asks for username and password. All well and good. The problem is, this "connect to" dialog box also has a checkbox option to "remember my password". This is ungood. If a student selects this option by mistake or out of habit, their username/password becomes cached, even after logout, and we have to manually delete them via the control panel.

We want to remove the ability of the students to select the "remember my password" option when they connect to the server via the command line. We can't find a registry hack that does this, nor can we find a group policy that does this. I have not been able to google up ANYTHING on this topic! I come up empty on technet and usenet forums, too.

Any suggestions would be appreciated!

Dave
 
Well there is this but I haven't tested it to see if it meets the conditions you want.

Disable Password Caching (All Windows)
Normally Windows caches a copy of the user's password on the local system to allow for additional automation; this leads to a possible security threat on some systems. Disabling caching means the user's passwords are not cached locally. This setting also removes the second Windows password screen and also removes the possibility of network passwords getting out of sync.

Registry Settings
User Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
System Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network
Value Name: DisablePwdCaching
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1=enabled)
 
LOB,

Thanks, but we did try the "DisablePwdCaching" registry hack early on...didn't work. If user selects "remember my password" in the "connect to" box the password stays cached whether this registry key is enabled or disabled.

Dave
 
Does XP have .pwl files like 98? In 98 you could delete the .pwl (password list) file and the user would have to reenter all passwords.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
I think there is a Policy, probably through gpedit.msc but am unsure, which turns "Stored Usernames and Passwords" off.

There is this:
"Prevent Users from Changing Network Drive Mappings
Once you establish a set of drive mappings for your users (either as part of a logon script, a profile, or a persistent connection), you can protect them from changes by changing the permissions on HKCU\Network, and its subkeys, to remove the Delete and Create Subkey permissions. If you do this, users can still add or delete network connections, but the changes won't persist after they log out.
Do not remove the users' Set Value or Read access; if you do, connections won't be re-established when that user logs on again."

That's all I can think of.
 
LOB,

You know, I've SCOURED everything that is available in gpedit.msc...I've looked through every single folder, setting, template, etc., trying to find anything that remotely resembles what I'm looking for which, frankly, doesn't seem to me to be all that unusual a request. I wonder sometimes if I'm the only computer lab manager in the entire world who doesn't want students to keep stored network passwords? Anyway, the drive mapping setting you mentioned...I'll look at that further, but being that our students connect to the file server via a UNC path (i.e. \\servername), there is no logon script, and our students don't map network drives, either. But I'll try anything. Thanks for the suggestions!

Dave
 
I never worried about it, but it seems to me that I would go through Internet Options, Security, Intranet Zone, and set user authentication for prompting for password and username rather than from cached credentials or a Domain authentication service.

Then under the Content tab, I would turn off auto complete and prompting to save passwords.

Then I would Start, Run, control userpasswords2 and remove any existing stored passwords.

And finally I would use gpedit.msc to use Group Policy to disallow changing the Internet Options.
 
Ok, changed the setting in IE's internet options/security/local intranet to "prompt for username and password", then to the content tab where I deselected all auto-complete options, including the "prompt me to save passwords" option, and then verified there were no stored usernames or passwords...but, I still have the same problem. If I go to start->run->\\servername, I am still prompted with the "remember my password" option, and if I select it, my username and password are then cached. I have to manually remove the cached connection from user accounts in control panel.

Thanks for the suggestion, though...I will keep looking.

Dave

 
I am sorry I cannot test this directly, but if you will bear with me:

You could try enabling:

Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

"Network access: Do not allow the storage of credentials or .NET passports for network authentication."

Then in my earlier suggestion for User Authentication in Internet Options, intranet zone, apply a disable to userdata persistence.
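
A way to check on each lab machine whether the Security Options policy named in the post above is actually in force, as an added example that is not part of the original thread. It assumes the policy is backed by the `DisableDomainCreds` value under the `Lsa` key; the function name `Test-CredentialStoragePolicy` is hypothetical, and the thread does not confirm that this setting resolves the original problem.

```powershell
# Added example (not from the thread). Audits, and optionally sets, the registry
# value assumed to back "Network access: Do not allow the storage of credentials
# or .NET passports for network authentication".
function Test-CredentialStoragePolicy {
    param(
        [switch]$Enforce   # write the value when it is missing or not 1
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'DisableDomainCreds'   # assumption: value name behind the policy

    # A missing value is treated like 0 (storage allowed), so it is reported
    # as non-compliant rather than raising an error.
    $current = $null
    try {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
    } catch {
        $current = $null
    }

    $compliant = ($current -eq 1)
    if (-not $compliant -and $Enforce) {
        # Needs an elevated session. Restart the machine afterwards so the
        # change is picked up.
        New-ItemProperty -Path $key -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
        $current   = (Get-ItemProperty -Path $key -Name $name).$name
        $compliant = ($current -eq 1)
    }

    # One object per machine so results can be collected and sorted.
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Value     = $current
        Compliant = $compliant
    }
}

# Report only; add -Enforce to set the value.
Test-CredentialStoragePolicy
```

Entries saved before the policy was applied stay in Stored User Names and Passwords and still have to be removed, for example through `control userpasswords2` as mentioned earlier in the thread.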

 
My only other thought is that XP will never prompt to save plaintext passwords.

If you disabled encrypted passwords in Group Policy forcing all plaintext there would never be a prompt to save the username/password.
 