Audit for Saved Credentials on Windows
-
@travisdh1 said in Audit for Saved Credentials on Windows:
@scottalanmiller said in Audit for Saved Credentials on Windows:
So from time to time, someone will type in some credentials when mapping a drive and save them causing a mapped session to have permissions that are not intended for the user. If we are sitting at a computer, it is relatively easy to manually go look for this to have happened.
But if we have thousands of computers across many companies, we can't realistically go computer by computer, account by account manually looking for these entries.
Does anyone know of a good way, likely with PowerShell, to do an audit for saved credentials so that we can list them and, almost certainly, remove them?
I've never done this myself, but I'd think you'd start with
Get-StoredCredential
That requires a public module that won't let you remove a secret unless you know the exact target you're looking for, which is fine, but might limit what you want to do.
-
There isn't a good way to manage the Windows Credential Manager via PowerShell with built-in cmdlets, or the CredentialManager module unless you know what you're looking for, so a more reliable way to do it if you don't is with the command-line utility cmdkey.exe. I came up with some quick scratch-work to show an example, which gets the job done in my testing, but I have no mapped drives so I couldn't do a proper test.
# $targetMatch = '\\servername'
$targetMatch = 'TESTTEST'
# Keep only the "Target:" lines from cmdkey /list and strip their leading indentation
$cmdkeyList = ((cmdkey.exe /list) | Where-Object {$_ -match "Target:"}) -replace "\s\s\s\s"
foreach ($line in $cmdkeyList) {
    # Everything after "target=" is the stored credential's target name
    $target = ($line -split 'target=')[1]
    if ($target -match $targetMatch) {
        Write-Host "`nRemoving stored credential target: [$target]"
        cmdkey.exe /delete:$target
    }
}
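A fuller version of the same cmdkey.exe approach, added here as an example and not from anyone in the thread: it parses the /list output into objects (target, kind, user) so an audit can be reported before anything is deleted, matches on a server prefix so \\server\folder1 and \\server\folder2 are both caught, and only removes with -Remove, which honours -WhatIf. The function names and the sample output are my own assumptions.

```powershell
# Added example, not from the thread. Parses what cmdkey.exe /list prints into objects so
# stored credentials can be audited first and deleted only after a -WhatIf dry run.
# Function names are my own; the sample output at the bottom is constructed, not captured.
function ConvertFrom-CmdkeyList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            # "Target: Domain:target=\\server\share" -> Kind=Domain, Target=\\server\share
            '^Target:\s*(?<kind>[^:]+):target=(?<target>.+)$' {
                if ($entry) { $entry }   # emit the previous record
                $entry = [pscustomobject]@{ Target = $Matches.target; Kind = $Matches.kind; Type = $null; User = $null }
            }
            '^Type:\s*(.+)$' { if ($entry) { $entry.Type = $Matches[1] } }
            '^User:\s*(.+)$' { if ($entry) { $entry.User = $Matches[1] } }
        }
    }
    if ($entry) { $entry }
}

function Get-StoredCredentialAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetPattern,   # regex applied to the target name
        [string[]]$ListOutput = (cmdkey.exe /list),     # default: live output of this machine
        [switch]$Remove                                 # without -Remove this only reports
    )
    $hits = ConvertFrom-CmdkeyList -Lines $ListOutput | Where-Object { $_.Target -match $TargetPattern }
    foreach ($cred in $hits) {
        if ($Remove -and $PSCmdlet.ShouldProcess($cred.Target, 'cmdkey.exe /delete')) {
            cmdkey.exe "/delete:$($cred.Target)"   # assumes the listed target name is accepted by /delete
        }
        $cred   # return the record either way so the audit result can be collected centrally
    }
}

# Constructed sample of cmdkey.exe /list output (values made up)
$sample = @'
Currently stored credentials:

    Target: Domain:target=\\server\folder1
    Type: Domain Password
    User: CORP\helpdesk-tech

    Target: LegacyGeneric:target=SomeApp:user=someone
    Type: Generic
    User: someone@example.com
'@ -split "`r?`n"
# Report everything saved for \\server (any share) without deleting; add -Remove -WhatIf for a dry run
Get-StoredCredentialAudit -TargetPattern ('^' + [regex]::Escape('\\server')) -ListOutput $sample | Format-Table -AutoSize
```

Drop -ListOutput to run against the local machine's real cmdkey /list, and pipe the returned objects to Export-Csv when collecting results from many hosts.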
-
@obsolesce said in Audit for Saved Credentials on Windows:
@travisdh1 said in Audit for Saved Credentials on Windows:
@scottalanmiller said in Audit for Saved Credentials on Windows:
So from time to time, someone will type in some credentials when mapping a drive and save them causing a mapped session to have permissions that are not intended for the user. If we are sitting at a computer, it is relatively easy to manually go look for this to have happened.
But if we have thousands of computers across many companies, we can't realistically go computer by computer, account by account manually looking for these entries.
Does anyone know of a good way, likely with PowerShell, to do an audit for saved credentials so that we can list them and, almost certainly, remove them?
I've never done this myself, but I'd think you'd start with
Get-StoredCredential
That requires a public module that won't let you remove a secret unless you know the exact target you're looking for, which is fine, but might limit what you want to do.
That's why you start with Get-StoredCredential. The Microsoft documentation I saw didn't mention a thing about needing a module for it, which doesn't surprise me at all; I find this to be the case 90% of the time whenever I find documentation about PowerShell (the first command you need to run is never mentioned, in this case Install-Module -Name CredentialManager). After getting the stored credentials, getting rid of them is easy enough: Remove-StoredCredential -Target CredentialName. Of course, from the little I've seen, the CredentialName is not provided, so that could make life difficult.
-
@travisdh1 said in Audit for Saved Credentials on Windows:
The Microsoft documentation I saw didn't mention a thing about needing a module for it
What microsoft documentation?
-
@travisdh1 said in Audit for Saved Credentials on Windows:
After getting the stored credentials, getting rid of them is easy enough Remove-StoredCredential -Target CredentialName.
Right, there you need to know the exact name of the target to remove it, which you can't obtain with just the module itself. So instead of installing a 3rd party module and having to use the cmdline tool anyways, best to just use the one that does it all.
Unless of course every machine you are searching uses the exact same known target, and they don't differ in any way, which is very unlikely. One target may be \\server\folder1, another might be \\server\folder2, and then it would start missing removals. Using the cmdline tool, you can get a list of all targets, match all those that have just \\server, and remove them, without the requirement of using a 3rd party module.
-
@scottalanmiller said in Audit for Saved Credentials on Windows:
So from time to time, someone will type in some credentials when mapping a drive and save them causing a mapped session to have permissions that are not intended for the user. If we are sitting at a computer, it is relatively easy to manually go look for this to have happened.
But if we have thousands of computers across many companies, we can't realistically go computer by computer, account by account manually looking for these entries.
Does anyone know of a good way, likely with PowerShell, to do an audit for saved credentials so that we can list them and, almost certainly, remove them?
Sounds like you're solving the wrong problem.
Shouldn't the users be restricted from mapping drives and IT should set up the proper drive maps for the people in need? Isn't that the problem to solve?
If people are mapping drives themselves it's because the IT department doesn't work. It's shadow IT.
-
@pete-s said in Audit for Saved Credentials on Windows:
Sounds like you're solving the wrong problem.
He explained the problem he's trying to solve... you must have missed it.
-
@obsolesce said in Audit for Saved Credentials on Windows:
@pete-s said in Audit for Saved Credentials on Windows:
Sounds like you're solving the wrong problem.
He explained the problem he's trying to solve... you must have missed it.
I guess he got my unsolicited opinion, just like I got yours.
-
@pete-s said in Audit for Saved Credentials on Windows:
@obsolesce said in Audit for Saved Credentials on Windows:
@pete-s said in Audit for Saved Credentials on Windows:
Sounds like you're solving the wrong problem.
He explained the problem he's trying to solve... you must have missed it.
I guess he got my unsolicited opinion, just like I got yours.
Or, it was obvious to everyone except you that he’s discussing his IT support staff connecting to something to do something and not removing the saved credentials. Not some dumb fucking users. This is more like a safety bet for him in case the technicians did not.
-
Would something like crackmapexec do the trick? I've started playing around with it to validate that some of our security configs are actually doing what they're supposed to, and it can be used to dump user lists from a lot of the native Windows locations. Not sure that it would get everything that you're looking for, but "hacking" tools might be something to consider in addition to the typical bevy of PS and Windows commands.