Tuesday, May 15, 2012

ADM template to disable password saving on IE/Windows authentication dialogs

I don't like ADM templates. Surely there was a better way to implement this thing (I haven't looked at an ADMX yet, but I suspect it's even worse).

This is an ADM template to prevent people from saving their credentials in the pop-up credential dialog boxes that you tend to come across for things like IIS/Apache auth or outbound proxies (like internet authentication). If you ended up here you were probably looking for this, so here it is:




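  ; CLASS USER: the value is written under HKEY_CURRENT_USER.
  CLASS USER 
  CATEGORY "Internet Explorer Password Caching" 
    POLICY "Disable password caching in Internet Explorer" 
      ; This key is outside the Policies branches, so the setting is not fully managed.
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings" 
        VALUENAME "DisablePasswordCaching" 
          VALUEON NUMERIC "1" VALUEOFF NUMERIC "0" 
    END POLICY 
  END CATEGORY; 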

The important things to note are:

1. In the GPO editor, highlight Administrative Templates and from the top menu choose View -> Filtering... and uncheck "Only show policy settings that can be fully managed." Otherwise you won't see it.

2. Due to the nature of this key, I expect a very crafty user could open up regedit, change the key to 0 (since it is in HKCU) and save their credentials prior to the GPO refreshing it back to 1. I haven't tried it, but if you have users that would have the wherewithal to do that, I'd think silly little blockades like this wouldn't be enough anyway. Also, why aren't you blocking regedit.exe and friends from being run? HrrrmmMMM?
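
One way to check for the drift described in point 2, as an added example that is not part of the original post: a PowerShell audit that reads DisablePasswordCaching from every user hive currently loaded under HKEY_USERS and lists the accounts where it is missing or not 1. The function name Get-PasswordCachingState is hypothetical, and the script assumes an elevated prompt and accounts with S-1-5-21-... SIDs.

```powershell
# Added example (not from the original post): audit DisablePasswordCaching
# in every user hive currently loaded under HKEY_USERS.
# Assumption: run from an elevated prompt so other users' hives are readable.
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$valueName = 'DisablePasswordCaching'

# Hypothetical helper name, introduced for this example only.
function Get-PasswordCachingState {
    # Only local/domain user SIDs (S-1-5-21-...); this skips the *_Classes hives
    # and the built-in service account hives.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\$subKey"
            $prop = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue

            # Resolve the SID to an account name where possible.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }

            # A missing value is reported as $null and counts as non-compliant.
            $value = if ($prop) { $prop.$valueName } else { $null }
            [pscustomobject]@{
                Account   = $account
                Sid       = $sid
                Value     = $value
                Compliant = ($value -eq 1)
            }
        }
}

# List hives where the value is missing or has been set back to 0.
Get-PasswordCachingState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Only hives of logged-on users are loaded under HKEY_USERS, so this reports the sessions active at the time it runs.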
