This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication. Note: When configuring this security setting, changes will not take effect until you restart Windows. Default: Disabled. Countermeasure: Configure the Network access: Do not allow storage of passwords and credentials for network authentication for network authentication setting to Enabled. Potential Impact: Users will be forced to enter passwords whenever they log on to their Passport account or other network resources that aren't accessible to their domain account. Testing has shown that clients running Windows Vista or Windows Server 2008 will be unable to connect to Distributed File System (DFS) shares in untrusted domains. Enabling this setting also makes it impossible to specify alternate credentials for scheduled tasks, this can cause a variety of problems. For example, some third party backup products will no longer work. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory-based domain account. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsNetwork access: Do not allow storage of passwords and credentials for network authentication (2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa!DisableDomainCreds

[enabled/disabled]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa!DisableDomainCreds