yurasek, 2018-03-28 20:52:05

How to prohibit the use of PPTP connection authorization data to access internal resources in the domain?

Hello.
The problem is that if a VPN connection is made on a computer that is part of a domain, then when you try to access internal network resources via the SMB protocol, a dialog appears asking for credentials, and this dialog is automatically pre-filled with the name of the account used in the VPN connection. After entering the domain account, access to the network resource is granted. If you logged in to any of the internal network resources before making the VPN connection, then access to them remains after the VPN connection is made.
How can I disable attempts by the operating system to use VPN connection credentials to access internal network resources in the domain?

1 answer(s)
yurasek, 2018-03-28
@yurasek

Found a solution on the internet:

You can disallow the credential to be stored in the Credential Manager by setting the following registry entry to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value Name: DisableDomainCreds
Value Type: REG_DWORD
Value: 1

I also found a better solution, because it does not block the ability to save credentials for network resources and only applies to a specific VPN connection:
in the rasphone.pbk file located in the
C:\Users\"username"\AppData\Roaming\Microsoft\Network\Connections\Pbk\ folder,
in the section of the corresponding connection, you need to change the value of the UseRasCredentials parameter from 1 to 0.
It is important to use a hex editor, because Notepad, for example, can corrupt the file format by adding information at the beginning of the file that it uses UTF-8 encoding.
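
An added example, not part of the original answer: a byte-level edit that sets UseRasCredentials to 0 for one connection only and refuses to touch a file that already carries a UTF-8 byte-order mark. The sample phonebook, its entry names and the function names are constructed for illustration, and entry names are assumed to be stored as UTF-8.

```python
import re
from pathlib import Path

# Constructed sample phonebook (not from the original post): two entries,
# CRLF line endings, no byte-order mark. Entry names are hypothetical.
SAMPLE_PBK = (
    b"[Office VPN]\r\nEncoding=1\r\nUseRasCredentials=1\r\nPreviewUserPw=1\r\n\r\n"
    b"[Home VPN]\r\nEncoding=1\r\nUseRasCredentials=1\r\n"
)
UTF8_BOM = b"\xef\xbb\xbf"


def disable_ras_credentials(data: bytes, entry: str) -> bytes:
    """Return the phonebook bytes with UseRasCredentials=0 in [entry] only."""
    if data.startswith(UTF8_BOM):
        raise ValueError("file starts with a UTF-8 BOM")
    # Assumption: entry names are stored as UTF-8 in the section header.
    name = re.escape(entry.encode("utf-8"))
    header = re.search(rb"(?m)^\[" + name + rb"\][ \t]*\r?$", data)
    if header is None:
        raise KeyError(f"no [{entry}] section in the phonebook")
    # The section runs until the next "[...]" header line or end of file.
    nxt = re.compile(rb"^\[", re.M).search(data, header.end())
    end = nxt.start() if nxt else len(data)
    body = data[header.end():end]
    body, changed = re.subn(rb"(?m)^(UseRasCredentials=)1(?=\r?$)", rb"\g<1>0", body)
    if not changed and not re.search(rb"(?m)^UseRasCredentials=0\r?$", body):
        raise KeyError(f"[{entry}] has no UseRasCredentials line")
    # Only one byte per match changes, so length and line endings are preserved.
    return data[:header.end()] + body + data[end:]


def patch_file(path: str, entry: str) -> bool:
    """Patch the file in binary mode; return True if it was modified."""
    original = Path(path).read_bytes()
    patched = disable_ras_credentials(original, entry)
    if patched == original:
        return False
    Path(path + ".bak").write_bytes(original)  # keep a copy of the old phonebook
    Path(path).write_bytes(patched)  # binary write: no BOM, no newline translation
    return True
```

Running `patch_file` a second time on the same entry returns False and leaves the file untouched, which makes it safe to apply repeatedly.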
