The Stored User Names and Passwords feature revealed
Executive Summary:
Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 have a built-in feature that automatically manages the usernames and passwords needed to access resources that require credentials other than the user's logon credentials. This feature is called Stored User Names and Passwords. Learn about this feature's benefits and how it works. Also learn how to use it to manually manage credentials.
Remembering and managing multiple usernames and passwords for accessing various resources can pose a problem for most users. Although many third-party credential management products are available, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 have a built-in feature that automatically manages the usernames and passwords needed to access resources that require credentials other than the user's standard Windows logon credentials. This feature is called Stored User Names and Passwords.
Stored User Names and Passwords lets you store credentials for local network and Internet resources. The types of credentials that can be created, managed, and used with this feature include:
- Usernames and passwords
- X.509 certificates (e.g., for smart cards)
- Passports (e.g., .NET passports)
If you're using Windows XP Home Edition, be aware that this XP version stores only passport credentials and RAS/VPN usernames and passwords.
Let's look at the benefits that the Stored User Names and Passwords feature provides, how the feature works, and how to use it to manually manage credentials.
When users log on to a local computer or domain, they provide a username and password. After the logon, those credentials become the default security context for accessing other resources on the local network, the remote network, and/or the Internet. However, the credentials might not be sufficient for accessing all the resources that users need. For example, the credentials might not be sufficient for accessing websites that require authentication or domains without trust relationships. If there are many such resources, users might need many different credentials.
Similarly, administrators might need different credentials. For example, they might log on to the network using their standard Windows logon credentials but need administrative privileges to perform specific tasks on remote servers.
Having to remember multiple username and password combinations can lead to bad password practices, such as using weak passwords, using the same password for everything, and writing passwords on pieces of paper. The Stored User Names and Passwords feature helps users avoid such practices because it securely stores and manages multiple credentials for them. Users will have a single sign-on experience because they'll log on only to their computers or domains. Because users won't be forced to remember many passwords, they'll be more likely to choose strong ones, which can greatly increase overall security.
Stored User Names and Passwords stores credentials in a secure part of a user's profile, so they can't be accessed by other users. If the user is configured to use a single profile across the enterprise (i.e., roaming profile), the stored usernames and passwords are retained wherever the user logs on to the network. This further increases the functionality of this feature, while still keeping an acceptable level of security.
How the Feature Works
When a user tries to access a website or network location that isn't accessible with their default credentials, he or she is prompted for a username and password. After entering that information and selecting the Remember my password check box, the logon information is stored within the user's profile. The next time the user connects to that resource, those stored credentials are used to automatically authenticate him or her.
Every time a user clicks the Remember my password check box, the credentials are saved in the most general form possible. For example, if a user selects the Remember my password check box when he or she is accessing a specific server in the company.com domain, the credentials might be saved under *.company.com. If the user again selects the Remember my password check box when accessing a different server in the same domain, Windows won't overwrite the previously saved credentials. Instead, Windows saves the new credentials using more specific information, such as server1.company.com. Because of this setup, no more than one username and password can be stored for a specific logon target, which is a slight limitation of the Stored User Names and Passwords feature.
When multiple credential sets are stored, Windows orders them from most specific to least specific. When a user tries to access a resource not available under his or her current credentials, the authentication package searches the Stored User Names and Passwords repository for the most specific credential set that matches that resource. If one is found, the authentication package uses it without any interaction from the user. If one isn't found, the user is prompted for a username and password.
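The lookup and save rules just described, modelled as a small Python store. This is an added illustration, not Windows code; the ranking rule (exact host name beats a wildcard, narrower wildcard beats a broader one) and the "first save is general, second save is specific" behaviour are my reading of the article's description, and the target and user names are constructed.

```python
"""Model of the 'most specific credential set wins' lookup described above.

Constructed example, not Microsoft's implementation. Assumption: an exact host
name outranks a wildcard, and among wildcards more DNS labels means a narrower
scope and therefore a higher rank.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import fnmatch


@dataclass
class Credential:
    target: str    # e.g. "server1.company.com" or "*.company.com"
    username: str  # e.g. "COMPANY\\user1"
    password: str  # kept in cleartext here only because this is a demo


def specificity(target: str) -> tuple[int, int]:
    """Rank a target so that the highest tuple is the most specific entry."""
    is_exact = 0 if "*" in target else 1
    return (is_exact, target.count("."))


@dataclass
class CredentialStore:
    entries: dict[str, Credential] = field(default_factory=dict)  # one set per target

    def add(self, cred: Credential) -> None:
        # Only one username/password per target; adding again replaces it (the Edit case).
        self.entries[cred.target.lower()] = cred

    def lookup(self, resource: str) -> Credential | None:
        """Return the stored set that most specifically matches *resource*, or None."""
        resource = resource.lower()
        matches = [c for t, c in self.entries.items() if fnmatch.fnmatchcase(resource, t)]
        return max(matches, key=lambda c: specificity(c.target)) if matches else None

    def remember(self, resource: str, username: str, password: str) -> str:
        """Mimic the Remember my password check box; returns the target used.

        Assumption from the article: the first set for a domain is saved in the
        general form *.domain; a later prompt for another host in that domain is
        saved under the specific host name instead of overwriting the first set.
        """
        resource = resource.lower()
        domain = resource.split(".", 1)[1] if "." in resource else None
        target = f"*.{domain}" if domain and self.lookup(resource) is None else resource
        self.add(Credential(target, username, password))
        return target


if __name__ == "__main__":
    store = CredentialStore()
    print(store.remember("server1.company.com", "COMPANY\\user1", "pw1"))   # *.company.com
    print(store.remember("server2.company.com", "COMPANY\\admin", "pw2"))   # server2.company.com
    print(store.lookup("server3.company.com").username)                     # COMPANY\user1
```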
How to Manually Manage Credentials
In addition to automatically creating and storing credentials by selecting the Remember my password check box, you can manually create credentials for a specific resource. Windows treats manually created credentials the same way as it treats those automatically created.
Vista, XP, Server 2008, and Server 2003 provide a simple and intuitive interface for manually creating credentials. You can also view, edit, and remove existing credentials. Plus, in Vista and Server 2008, you can back up and restore saved credential sets, which is useful. Figure 1 shows the interface—the Stored User Names and Passwords dialog box—in Vista. I'll describe how to access and use the Stored User Names and Passwords dialog box in XP and Vista. The processes will be similar in the corresponding server OSs.
Figure 1: Managing credential sets in the Stored User Names and Passwords dialog box
Accessing the Stored User Names and Passwords dialog box. In XP, accessing the Stored User Names and Passwords dialog box differs slightly depending on whether the computer is in a workgroup or domain. When the computer is in a workgroup, open the Control Panel User Accounts applet, select the currently logged-on user, then click Manage my network passwords in the Related tasks pane. Only the credentials of the currently logged-on user can be managed. If the computer is in a domain, open the Control Panel User Accounts applet, click the Advanced tab, then click the Manage Passwords button.
In Windows Vista, you access the dialog box the same way, no matter whether the computer is in a workgroup or domain. Open the Control Panel User Accounts applet, click the User Accounts heading, then click Manage my network passwords in the Tasks area.
Alternatively, you can access the User Accounts applet directly in Vista or XP by opening the Run window and running the command
In the window that opens, click the Advanced tab, then click the Manage Passwords button. If you want to access the credentials for the currently logged-on user, run the command
This command opens the Stored User Names and Passwords dialog box directly. At this point, you can add, edit, remove, back up, and restore credential sets.
Adding a credential set. To manually add a credential set for a resource, click Add to bring up the Stored Credential Properties dialog box, which Figure 2 shows.
Figure 2: Manually adding a credential set
In the Log on to field, enter the resource name. You can use a variety of formats, including hostnames (e.g., server1) and Fully Qualified Domain Names (FQDNs—e.g., server1.domainX.com). You can even use wildcards (e.g., *.domainX.com). However, keep in mind that if multiple credential sets apply to the same resource, Stored User Names and Passwords will always use the one with the most specific resource name.
In the User name field, enter the username in one of the following formats:
- Domain\Username (e.g., DomainX\User1)
- Machine\Username (e.g., Computer1\User1)
- Username\Machine (e.g., User1\Computer1)
- Workgroup\Username (e.g., Sales\User2)
- Username\Workgroup (e.g., User2\Sales)
- User principal name (UPN—e.g., User1@domainX.com)
In the Password field, enter the password. Finally, specify whether the credentials are for Windows logon authentication or for website or program authentication.
Editing a credential set. If you want to edit an existing credential set, select the resource from the list in the Stored User Names and Passwords dialog box, then choose Edit (Vista) or Properties (XP). You can edit only the username and password.
Removing a credential set. If you want to delete an existing credential set, select the resource from the list in the Stored User Names and Passwords dialog box, then click Remove.
Backing up and restoring credential sets (Vista and Server 2008 only). Although automatically storing credentials is beneficial, it can pose a problem if they're lost. Vista and Server 2008 let you back up and restore credential sets with the Backup and Restore Wizard. For security reasons, the backup and restore processes can't be automated. The only way to back up or restore credential sets is to do it manually.
To perform a backup in Vista, click the Back up button in the Stored User Names and Passwords dialog box. In the dialog box that Figure 3 shows, browse to where you want to store the backup file and enter the name you want to give it.
Figure 3: Backing up credential sets
All credential sets are stored inside a single .crd file that's encrypted with the Advanced Encryption Standard (AES). After providing the location and filename, you'll be required to press Ctrl+Alt+Del so that Vista can switch to secure mode. Next, you'll be prompted to enter a password to protect the credentials. This password must be strong (i.e., contain uppercase and lowercase letters, numbers, and special characters). After entering and confirming the password, the credentials will be saved at the specified location under the specified filename.
If you need to restore credentials that were previously backed up, click the Restore button in the Stored User Names and Passwords dialog box. Navigate to the .crd file's location and provide the password. Be aware that restoring credential sets from a backup file replaces any existing credential sets stored on the computer.
Securing the Credentials
Storing multiple credential sets in one location is convenient but potentially risky. Although credentials are stored in encrypted format within the SAM and user profile, attackers might be able to crack these passwords if they get physical access to the user profile files.
To secure the credentials as much as possible, it's important to apply all necessary security measures. Those measures might include:
- Having users protect unattended computers. For example, users should log off or lock their computers when they leave them unattended for long periods of time. To protect computers that are left unattended for short periods, users should password-protect their screen savers.
- Securing laptops with BitLocker or a similar encryption program. That way, the data is protected if the laptop is lost or stolen.
- Having users use a strong password for the standard Windows logon and change that password regularly. In a domain environment, it's best to use Group Policy to force password changes.
- For extremely critical resources, you might consider disabling the Stored User Names and Passwords feature.
A Convenient Tool
The Stored User Names and Passwords feature is a convenient tool for users who use multiple credentials to access various network and Internet resources. It gives them a single sign-on experience. Although the stored credentials are encrypted, it's important to keep workstations with stored credentials secure.