Access Credential Manager Trusted Callers and ICAM: Windows Security

4 minute read. Published on June 2, 2024

What is Access Credential Manager

Windows credential manager securely stores and manages user credentials such as usernames, passwords, and certificates. These credentials are often used to access various resources, including network shares, websites, and applications, facilitating access to information and managing digital identities.

The “Access Credential Manager as a trusted caller” setting defines which accounts, and therefore which applications or services running under them, are considered trusted callers, meaning they may request saved credentials from the Credential Manager. When this setting is configured, only processes identified as trusted callers are granted access to retrieve stored credentials.

From an IT perspective, this security setting is crucial for controlling access to sensitive credentials. By specifying trusted callers, administrators can restrict access to the Credential Manager, ensuring that only authorized applications or services can retrieve stored credentials. This helps prevent unauthorized access to sensitive information and reduces the risk of credential theft or misuse.

Identity Credential and Access Management (ICAM)

ICAM is a comprehensive framework used by government agencies such as the DoD for managing user identities and access. It encompasses a range of policies, procedures, and technologies to ensure that the right individuals have the appropriate access to resources in a secure, efficient, and auditable manner. Access Credential Manager plays a crucial role within the ICAM framework by ensuring secure and efficient credential management.

Rationale behind setting trusted caller to ‘no one’

The Access Credential Manager as a trusted caller policy setting is used during logon and logoff processes as well as for backups and restoration. By default, the only service permitted access to the Credential Manager is Winlogon, which handles the logon and logoff processes and needs access to the stored credentials to authenticate users.

Why trusted caller should be set to ‘no one’

Credential Manager stores not only the credentials used to log on to a system but also any other credentials saved by the user, so gaining access to it is a serious vulnerability.

If programs other than Winlogon are given permission, stored credentials could be exposed, with the possibility of escalation to a full-scale breach. A user account granted this right could create an application that calls into Credential Manager and is returned the credentials of another user or account.

By applying the principle of least privilege (PoLP), the attack surface is minimized: programs that do not need this high level of access are not granted it, which protects against stored credentials being exposed to malicious programs and accounts being compromised.

When not to set trusted caller to ‘no one’

In some specific scenarios, such as custom-developed enterprise applications, access to Credential Manager is necessary for the application to function. When granting it, limit the scope of access to just the necessary credentials and apply the PoLP to restrict both what is accessible and who has access.

This is also critical for specific applications and services, particularly on a member server. This setting allows designated processes to interact with the Credential Manager securely, ensuring that credentials are accessed appropriately during backup operations. When configured on a domain controller, this setting ensures that trusted applications can manage and back up sensitive credential information without compromising security, maintaining the integrity and availability of critical authentication data across the network.

Remediation 

To establish the recommended configuration via GP, set the following UI path to No One:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller

Verify the effective setting in Local Group Policy Editor:

  1. Run “gpedit.msc”.
  2. Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups are granted the “Access Credential Manager as a trusted caller” user right, this is a finding.

  3. For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

  4. Review the text file.

If any SIDs are granted the “SeTrustedCredManAccessPrivilege” user right, this is a finding.
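The Secedit export and review described above can be scripted so the check produces a pass/finding result and resolves any granted SIDs to account names. This is an added PowerShell example, not code from the article or from Calcom; it assumes an elevated session, and the export path is an arbitrary choice.

```powershell
# Added example: audit the "Access Credential Manager as a trusted caller" right
# (SeTrustedCredManAccessPrivilege) from a secedit User Rights export.
# Assumes an elevated PowerShell session; $ExportPath is an assumed temporary location.
$ExportPath = Join-Path $env:TEMP 'user_rights.inf'

# Export only the User Rights Assignment area (same command as the manual step above).
secedit /export /areas USER_RIGHTS /cfg $ExportPath | Out-Null
if (-not (Test-Path $ExportPath)) { throw "secedit export failed: $ExportPath was not created" }

# Find the privilege line in the [Privilege Rights] section. secedit writes grantees as
# comma-separated *SID tokens, e.g.  SeTrustedCredManAccessPrivilege = *S-1-5-32-544
# If the right is assigned to No One, the line is absent or has an empty value.
$line = Get-Content $ExportPath |
    Where-Object { $_ -match '^\s*SeTrustedCredManAccessPrivilege\s*=' } |
    Select-Object -First 1

$grantees = @()
if ($line) {
    $value = ($line -split '=', 2)[1]
    $grantees = @($value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

if ($grantees.Count -eq 0) {
    Write-Output 'Compliant: SeTrustedCredManAccessPrivilege is assigned to No One.'
} else {
    Write-Output 'FINDING: SeTrustedCredManAccessPrivilege is granted to:'
    foreach ($sid in $grantees) {
        # Resolve the SID to an account name for the report; keep the raw SID if it cannot be resolved.
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        Write-Output ("  {0}  ({1})" -f $sid, $name)
    }
}

# The export contains the full User Rights configuration; remove it once reviewed.
Remove-Item $ExportPath -ErrorAction SilentlyContinue
```

A non-empty grantee list corresponds to the "this is a finding" condition in the procedure above; remediate by setting the right back to No One via Group Policy.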

Windows Credential Manager System Setting

These settings apply to the following list of Windows systems: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

Recommended state

The recommended state for this setting is: No One.

Possible values 

  • User-defined list of accounts
  • Not defined

Default Value

No one.

Best Practices 

Do not modify this policy setting from the default.

Hardening systems against vulnerabilities

By implementing server hardening and strong security practices around the “Access Credential Manager as a trusted caller” setting, it is possible to significantly reduce the risk of password theft and unauthorized access to sensitive information stored within the Credential Manager.

Overall, the “Access Credential Manager as a trusted caller” setting is an important security measure that helps organizations manage access to sensitive credentials and maintain the integrity of their authentication mechanisms.

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
