Dealing with Windows Credential Manager

eexodus

I'm not sure if FreeNAS can offer any solutions since the issue is on Windows' side, but I'm seeking advice. I have two FreeNAS servers bound to Active Directory and hosting SMB shares. Many of my users access these SMB shares from non-domain personal computers, connecting to FreeNAS with "domain\user". When users update their passwords in Active Directory, this often triggers an SMB brute-force attack alert from my Network Security team because Windows will continue trying the old password hundreds of times per second. Domain policy is the default account lockout after 8 failed attempts, but that obviously doesn't stop Credential Manager from trying from the client. The current solution is to help the user clear all saved credentials from Credential Manager and let Network Security know it was just an old cached login. Long-term, this has become a drag. This isn't sane behavior from Windows. It mostly occurs with Windows 7, but I've seen it happen with Windows 10 as well. I simply never see this from Mac or Linux clients. With the issue only occurring on personal devices (local accounts), my options are limited, but I'm hoping for suggestions!
 

anodos

Sambassador
iXsystems
You can encourage users to use a third-party password manager (like LastPass) to store the credentials. It's a slightly different workflow for the BYOD folks, but it should be an easy sell to them. Just stress the advantages overall. I don't think people naturally tend to use MS Credential Manager. You might want to review what official (and unofficial) docs people are using/sharing to show how to access network shares, and update them accordingly.
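
One way to separate the stale saved-password pattern described in the first post from a real brute-force attempt before an alert is escalated. This is an added example, not code from either poster or from FreeNAS; the event tuples, addresses, account names and password-change times are constructed, and the threshold of 8 mirrors the lockout count mentioned in the first post.

```python
from collections import defaultdict
from datetime import datetime

def at(hms):
    return datetime.fromisoformat("2024-05-01T" + hms)

# Constructed events: (time, client IP, account, logon succeeded).
EVENTS = (
    [(at("08:00:00"), "10.0.0.21", r"CORP\alice", True)]
    # alice's PC keeps replaying the saved password after the 09:00 change
    + [(at(f"09:05:{i:02d}"), "10.0.0.21", r"CORP\alice", False) for i in range(12)]
    # one client failing against many different accounts
    + [(at(f"09:10:{i:02d}"), "10.0.0.99", rf"CORP\user{i}", False) for i in range(12)]
    # one account, but this client never logged on with it successfully
    + [(at(f"09:20:{i:02d}"), "10.0.0.50", r"CORP\bob", False) for i in range(12)]
    # below the threshold: ignored
    + [(at("09:30:00"), "10.0.0.60", r"CORP\carol", False)]
)
# Constructed password-change times, e.g. exported from the directory.
PWD_CHANGED = {r"CORP\alice": at("09:00:00"), r"CORP\bob": at("09:00:00")}

def triage(events, pwd_changed, threshold=8):
    """Map each client with >= threshold failed logons to a verdict."""
    fails = defaultdict(list)   # client -> [(time, account)], time-ordered
    oks = defaultdict(list)     # (client, account) -> [time of success]
    for ts, src, acct, ok in sorted(events):
        if ok:
            oks[(src, acct)].append(ts)
        else:
            fails[src].append((ts, acct))
    verdicts = {}
    for src, rows in fails.items():
        if len(rows) < threshold:
            continue
        accounts = {acct for _, acct in rows}
        verdict = "investigate"
        if len(accounts) == 1:
            acct = rows[0][1]
            changed = pwd_changed.get(acct)
            # Stale cache: this client used the account successfully before the
            # change, and every failure comes after it.
            if (changed and rows[0][0] >= changed
                    and any(ts < changed for ts in oks[(src, acct)])):
                verdict = "stale-credential"
        verdicts[src] = verdict
    return verdicts

if __name__ == "__main__":
    for client, verdict in triage(EVENTS, PWD_CHANGED).items():
        print(client, verdict)
```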
 