What is the secure way to store the credential in credential manager? I got the option to store credential using CMD and PowerShell using below commands
However I think it will be more convenient if I get the option through GPO using any Registry or any GPO preference
Background:
We are planning to map network drives for all the users. Since, this environment is not in domain We need are not able to use the domain credential for the same network shares.
We have a synology devices in workgroup now I need to map the respective drives by Team wise using Group Policy.
The Windows Credential Manager is anything but secure. It’s “secure” at the user account level, which means that any process that the user ever runs and the user themselves must necessarily be trusted in order to call this system “secure” with a straight face.
The only semi secure way of using the Windows Credential Manager is to store values pre-hashed, then verify those hashes. However, since any elevated process the user runs has full read/write capability on that user’s credential store, it simply can’t be trusted at all.
Lets think about “secure” in the sense of locking an application locally. Let’s take the example of a content filter that locks the settings page to keep the kids from enabling adult content, using the Credential Manager to store custom credentials. The same user, trying to bypass this, can do so easily. A user can visit the Credential Manager in the Control Panel and, though the values show up in asterisks, (*****), they can simply erase the value and replace it. Delete your hash, put in their own they’re in.
What’s even sillier is that the Control Panel will show asterisks, but if you use code accessing the applicable APIs, you can get the values in plain text. So passwords are not safe, hashes and such you verify to lock something are not safe. It’s not safe, it’s a piece of garbage and I’ve struggled for a long time to understand its usefulness, except for Microsoft to apparently have plain text copies of all of your passwords they can sell to the NSA.
Note
I realize there are measures you can take to encrypt contents before storing them, hashing them correctly etc, but my criticism still applies because doing these additional things is creating security, not the Windows Credential Manager. My problem with the Windows Credential Manager is that it advertises that using it through its provided GUI and or API is secure
