Jump to content
Nytro

Windows 8.1 stops pass-the-hash attacks

By Nytro, in Stiri securitate

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Windows 8.1 stops pass-the-hash attacks

Microsoft has armor-plated Windows 8.1 against the most feared attack on the planet. Here are the nitty-gritty details you need to know

By Roger A. Grimes | InfoWorld

Follow @rogeragrimes

Pass-the-hash (PtH) attacks are among the most feared cyber attacks in the computer world. Many of my largest customers (Fortune 500, government, and so on) have told me it's their No. 1 worry above all other attack types.

With PtH and other credential theft attacks, a hacker gains admin control over a computer, steals authentication credentials from disk or memory, and uses those credentials to initiate new connections and logons. Most operating systems are vulnerable to PtH attacks, although Microsoft Windows has certainly been the primary target thanks to its pervasiveness in the corporate environment and the availability of PtH tools.

[ InfoWorld presents the Bossies 2013, the best open source software for security, data centers, clouds, and more. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]

Attackers using PtH attacks completely compromise just about every network they hit. Pretty much every APT (advanced persistent threat) attack team uses them. Every penetration test team uses them. And the tools to accomplish PtH attacks have only gotten better. That's why the anti-PtH measures built into Windows 8.1 are such a big deal.

Hands off the hash

Before Windows 8.1, the only real mitigations against PtH attacks were:

  • Don't let hackers get admin control of your box
  • Don't log on with elevated accounts, especially on computers not directly under your control
  • Restrict the ability of local accounts to be used over the network
  • Restrict what computers can connect to (using firewalls, IPSec, and so on)
  • Force a reboot after logging on with an elevated account

Unfortunately, most of these recommendations were difficult for most enterprises to implement without a lot of new policies, procedures, and elbow grease. On the software side, it's very difficult for any OS, including Windows, to stop PtH attacks while maintaining the SSO (single-sign-on) functionality customers absolutely require. Asking users to re-enter their logons every time they want to connect to new application, service, or drive share is the quickest way to make your OS obsolete.

To the pleasant surprise of a lot of people, Windows 8.1 includes comprehensive pass-the-hash mitigations. While it doesn't completely eliminate the threat, it comes pretty darn close. Here's a summary of the PtH mitigations available in Windows 8.1:

  • Strengthened LSASS to prevent hash dumps
  • Many processes that used to store credentials in memory no longer do so
  • Better methods to restrict local accounts from going over the network
  • Programs no longer leave credentials in memory after a user logs out
  • Allow RDP (Remote Desktop Protocol) connections to be used without putting the user's credentials on the remotely controlled computer
  • Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
  • Several other OS changes that make PtH attacks far more difficult to achieve (see the Technet summary)

For those who want to drill down and determine how these new anti-PtH measures have been implemented here's some more detail:

Protecting LSASS

LSASS.exe is the main process used by Windows to verify authentication -- the same process most hacking tools attack to grab authentication credentials out of memory and on the disk. Most hacking tools work by intercepting LSASS and injecting their code into the process.

In Windows 8.1, this is no longer possible (or much more difficult, at the very least). LSASS can be made a protected process, which makes it a lot harder to be manipulated by rogue software. Plus, it no longer stores LM hashes or plaintext equivalents in memory (already, Windows doesn't store those types of credentials on disk by default). Because protection of LSASS may break some legitimate legacy software, this is not enabled by default on anything but Windows 8.1 RT. I recommend that all admins worried about PtH attacks enable this feature after thorough testing.

New security identifiers

There are two new built-in security identifiers, called "Local account" and "Local account and member of the Administrators group." You can place all your local sensitive accounts in these groups, then use them to apply permissions, privileges, and policies. For instance, previous PtH mitigations recommended giving local admin accounts a privilege called Deny Network Logons, which would prevent them from being used to access Active Directory network resources. This is still a great mitigation, but it previously required that each individual account be marked with the denial privilege and that admins keep up with individual adds, moves, and changes. Now you can apply the privilege to the new SIDs and be done with it.

Fixing RDP

One of my biggest pet peeves regarding RDP is that it ends up putting the admin's logon credentials on the remote box being accessed. I used to recommend that admins use just about any other remote admin method (such as MMC or PowerShell) instead of RDP. In Windows 8.1, with the new restrictadmin feature enabled, RDP it doesn't put stealable credentials on the remote computer being managed. This is a big win -- enterprises around the world, celebrate!

Protected Users group

Members of the new Protected Users group are significantly harder to exploit in PtH attacks. Members can use only Kerberos, and their credentials cannot be delegated. Yes, Kerberos tickets can be used in credential theft attacks, but attackers aren't nearly as familiar with Kerberos, and the lack of delegation makes PtH attacks far more difficult.

Many of these features are configurable, and they're protected by UEFI and SecureBoot; you can also turn them on and off.

The only caveat I can think of is that all of these new mitigations are currently available only in Windows 8.1 and in Windows Server 2012 R2. I have little doubt customers will want these mitigations back-ported to previous versions, but I have no idea what Microsoft's plans are -- or even if it is reasonably possible to accomplish without causing too many operational problems.

This story, "Windows 8.1 stops pass-the-hash attacks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Sursa: Windows 8.1 stops pass-the-hash attacks | Security - InfoWorld

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...