What is Access Credential Manager
Windows credential manager securely stores and manages user credentials such as usernames, passwords, and certificates. These credentials are often used to access various resources, including network shares, websites, and applications, facilitating access to information and managing digital identities.
The “Access Credential Manager as a trusted caller” setting defines which accounts are treated as trusted callers, that is, which security principals are permitted to call into the Credential Manager and request saved credentials. When this setting is configured, only processes running as the listed trusted callers are granted access to retrieve stored credentials.
From an IT perspective, this security setting is crucial for controlling access to sensitive credentials. By specifying trusted callers, administrators can restrict access to the Credential Manager, ensuring that only authorized applications or services can retrieve stored credentials. This helps prevent unauthorized access to sensitive information and reduces the risk of credential theft or misuse.
Identity Credential and Access Management (ICAM)
ICAM is a comprehensive framework used by government agencies such as the DoD for various aspects of user identities and access management. It encompasses a range of policies, procedures, and technologies to ensure that the right individuals have the appropriate access to resources in a secure, efficient, and auditable manner. Access Credential Manager plays a crucial role within the ICAM framework by ensuring secure and efficient credential management.
Rationale behind setting trusted caller to 'no one'
The Access Credential Manager as a trusted caller policy setting is used during logon and logoff processes as well as for backups and restoration. By default, the only component permitted access to the Credential Manager is Winlogon, because it handles the logon and logoff processes and needs access to the stored credentials to authenticate users.
Why trusted caller should be set to 'no one'
Credential Manager stores not only the credentials used to log on to a system, but also any other credentials saved by the user, so unauthorized access to it is a serious vulnerability.
If programs other than Winlogon are given permission, it could lead to the exposure of stored credentials with the possibility of escalating to a full scale breach. It is possible that the user account given permission could create an application that calls into Credential Manager and is returned the credentials of another user or account.
By applying the principle of least privilege (PoLP), the attack surface is minimized: programs that do not need high-level access are denied it, which protects against the risk of stored credentials being exposed to malicious programs and accounts being compromised.
When not to set trusted caller to 'no one'
In some specific scenarios, such as custom-developed enterprise applications, access to the Credential Manager is necessary for the application to function. When granting it, it is important to limit the scope of access to just the necessary credentials and to apply the PoLP to limit both what is accessible and who has access.
This can also be necessary for specific applications and services, particularly on a member server. The setting allows designated processes to interact with the Credential Manager securely, ensuring that credentials are accessed appropriately during backup operations. When configured on a domain controller, the setting allows trusted applications to manage and back up sensitive credential information without compromising security, maintaining the integrity and availability of critical authentication data across the network.
Remediation
To establish the recommended configuration via GP, set the following UI path to No One:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller
Remediation via group policy
Verify the effective setting in Local Group Policy Editor:
- Run “gpedit.msc”.
- Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups are granted the “Access Credential Manager as a trusted caller” user right, this is a finding.
- For server core installations, run the following command:
Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt
- Review the text file.
If any SIDs are granted the “SeTrustedCredManAccessPrivilege” user right, this is a finding.
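The server core check above can be scripted. The following PowerShell script is an added example and is not part of the original article: it runs the same secedit export, reads the [Privilege Rights] entry for SeTrustedCredManAccessPrivilege, resolves any listed SIDs to account names, and reports a finding when the right is granted to anyone. It assumes an elevated session, since secedit.exe requires administrator rights.

```powershell
# Added example (not from the original article): audit the effective
# "Access Credential Manager as a trusted caller" user right on this host.
# Assumes an elevated PowerShell session; secedit.exe needs admin rights.

$ExportPath = Join-Path $env:TEMP 'user_rights_export.inf'

# Export only the User Rights Assignment area, as in the manual check.
& secedit.exe /export /areas USER_RIGHTS /cfg $ExportPath | Out-Null
if (-not (Test-Path $ExportPath)) {
    throw "secedit export failed: $ExportPath was not created"
}

# secedit writes the template as UTF-16LE; read it with the matching encoding.
$lines = Get-Content -Path $ExportPath -Encoding Unicode

# The relevant line has the form:
#   SeTrustedCredManAccessPrivilege = *S-1-5-32-544,*S-1-5-21-...
# No line at all, or an empty right-hand side, means the right is "No One".
$entry = $lines | Where-Object { $_ -match '^\s*SeTrustedCredManAccessPrivilege\s*=' }
$rhs   = if ($entry) { ($entry -split '=', 2)[1].Trim() } else { '' }

if ([string]::IsNullOrWhiteSpace($rhs)) {
    Write-Output 'PASS: SeTrustedCredManAccessPrivilege is assigned to No One.'
} else {
    # Tokens are '*<SID>' for SIDs or bare account names; resolve SIDs for the report.
    $grantees = $rhs -split ',' | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            try   { "$token ($($sid.Translate([System.Security.Principal.NTAccount]).Value))" }
            catch { $token }   # SID cannot be resolved (e.g. deleted account); keep raw
        } else {
            $token
        }
    }
    Write-Output "FINDING: SeTrustedCredManAccessPrivilege is granted to: $($grantees -join '; ')"
}

# Do not leave the exported security template lying around.
Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
```

A PASS result reflects the local effective setting; on domain-joined hosts, confirm that Group Policy is not re-granting the right on refresh by also reviewing the GPO path given under Remediation.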
Windows Credential Manager System Setting
These settings apply to the following list of Windows systems: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
Recommended state
The recommended state for this setting is: No One.
Possible values
- User-defined list of accounts
- Not defined
Default Value
No one.
Best Practices
Do not modify this policy setting from the default.
Hardening systems against vulnerabilities
By implementing server hardening and strong security practices around the “Access Credential Manager as a trusted caller” setting, it is possible to significantly reduce the risk of password theft and unauthorized access to sensitive information stored within the Credential Manager.
Overall, the “Access Credential Manager as a trusted caller” setting is an important security measure that helps organizations manage access to sensitive credentials and maintain the integrity of their authentication mechanisms.