Mitigating Windows Credential Flaws
There’s a vulnerability in Windows systems that attackers leverage time and time again while compromising a network. Though the technique is well known to attackers, it is rarely mitigated effectively. Bad combination.
But it’s convenient…
Windows systems cache user credentials in system memory, in cleartext. This is a default feature in systems older than Windows 8.1 and Server 2012. Windows 10 and Server 2016 periodically clear their credential cache, but network credential caching is still enabled by default. Why? User convenience. Cached credentials save you from retyping your password every time you want to download something from a network system.
Unfortunately, “user convenience” often translates to “blaring security flaw” for malicious actors.
Ordinarily, when Windows sends your password over the wire, it doesn’t do so in cleartext: it hashes the password first and sends it over an encrypted tunnel where possible. At the very least, a hashed password forces the attacker to spend extra effort recovering the real password with a password cracker. No such effort is required when the attacker already has the plaintext form.
Cleartext passwords? Don’t mind if I do.
Using a well-known tool called Mimikatz, attackers can easily exploit this vulnerability to obtain these passwords and move around a network.
This tool is ferocious in terms of its impact on a network. When Mimikatz was first released in 2012, penetration testers and attackers alike learned just how easy it was to recover credentials for Windows systems when you had access to them.
Here’s how this tool plays a vital role in a network compromise.
- Bob is having trouble connecting to the office computer. Alice, a network administrator, initiates a remote connection to Bob’s computer to fix the problem. Bob’s computer caches credentials by default.
- Later on, Bob opens a phishing email from Xavier the hacker on his work computer. The email promises a free gym membership if he clicks a link. Bob likes free stuff. Bob clicks the link in the email, inadvertently giving Xavier remote access to his machine.
- With access to Bob’s machine, Xavier notices Bob is a local admin on his computer, meaning he can install programs, view the registry, view objects in memory, and thus can view cached credentials.
- Xavier uses Mimikatz to pull cleartext credentials from the memory of Bob’s machine. Wouldn’t you know it, but both Bob’s and Alice’s passwords are retrieved this way, since both had previously logged on.
- Xavier now has Alice’s password. Since Alice is a domain administrator, Xavier can use that password to access virtually all areas of the network, including the domain controller, thus essentially compromising the network.
It doesn’t need to be this way
As penetration testers, this scenario is something we leverage time and time again. Fortunately, there are several steps network administrators can take in order to turn the tables on penetration testers (and attackers) and make their jobs way harder.
1. Group Policy: Disable Cached Credentials
Disable cached credentials through Group Policy. Users must then enter their password every time they authenticate to a network resource, such as a file server, email service, or certain printer setups. They may have to type their password more often, but this is far better than leaving it in memory, which is basically like leaving it on a sticky note taped to your monitor.
2. Group Policy: Force regular reboots
Even if cached credentials exist, rebooting the system clears them out of memory. Reboots are also needed for most Windows patches, so this recommendation goes a long way. Use Group Policy to reboot machines on a schedule with network-wide GPO Scheduled Tasks, adjust the Automatic Update GPO to restart the machine automatically after patches are installed, or, better still, set up both.
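Recommendations 1 and 2 are easiest to verify together: the setting that keeps cleartext passwords in LSASS memory is the WDigest `UseLogonCredential` registry value, and whatever was cached before you flipped it stays in memory until the next reboot. The script below is an added example (not from the original post): it audits a list of hosts for that value and their uptime, then forces the value to 0 where needed. It assumes WinRM is enabled, that you are a local admin on the targets, and the computer names are placeholders.

```powershell
# Added example, not from the original post: audit hosts for the WDigest
# cleartext-credential setting and report how long each has been up, then
# force the setting off where needed. Assumes WinRM is enabled and the caller
# is a local admin on the targets; computer names are placeholders.
$Targets = @('WS-BOB', 'WS-ALICE')   # placeholder computer names

$Audit = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    # 1 = cleartext passwords kept in LSASS memory, 0 = not kept. When the value
    # is absent, Windows 8.1 / Server 2012 R2 and later behave as 0; older
    # builds (which need KB2871997 to honour the value at all) behave as 1.
    $state = if ($null -eq $val) { 'not set' } else { $val }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OSVersion          = $os.Version
        UseLogonCredential = $state
        DaysSinceBoot      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
    }
}

$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Audit
$results | Format-Table Computer, OSVersion, UseLogonCredential, DaysSinceBoot

# Remediate: set the value to 0 explicitly (the same value a Group Policy
# Preferences registry item would push). Hosts where it is absent are fixed
# too, so the setting no longer depends on the OS default. Credentials already
# cached stay in memory until the machine reboots, hence the uptime column.
$Fix = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseLogonCredential -Value 0 -Type DWord
}
$needFix = @($results | Where-Object { $_.UseLogonCredential -ne 0 })
if ($needFix.Count -gt 0) {
    Invoke-Command -ComputerName $needFix.Computer -ScriptBlock $Fix
}
```

A host showing `UseLogonCredential = 0` but weeks of uptime still has whatever was cached before the change sitting in memory, which is the case for the scheduled-reboot GPO.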
3. Limit Use of Admin Accounts / Local Administrator Password Solution
Domain administrator accounts should be among the rarest used on the network because they are the most powerful and privileged. If Alice needed admin access to fix Bob’s computer, instead of using a domain admin account, she could have leveraged LAPS (Local Administrator Password Solution).
LAPS stores local administrator passwords centrally in Active Directory. It works differently from a password vault in that it integrates directly with Active Directory to assign a new password to the designated local administrator account on every system in the network. Each password is unique to its machine, and LAPS can be configured to change it weekly, daily, or even hourly if you’re feeling an extra-special sort of paranoid.
When configured properly, technical users can connect from a segmented VLAN to look up a computer’s local admin password for that specific time period in order to troubleshoot issues and assist users. It also separates privileges: each local admin account only has access to the computer it was set up on, and its password differs from that of every other machine on the network.
All credentials are communicated over an encrypted stream protected by AES, the strongest encryption to date, and only authorized users (your helpdesk team) can communicate with the LAPS system.
The idea is that helpdesk technicians only use LAPS credentials when servicing local user accounts, at times when local administrator privileges are needed. Credentials become much easier to manage, and using a local admin becomes much more secure. Even if a system is compromised, the attacker only has local admin access to that system, and only until that password expires. Though LAPS cannot prevent the cached-credentials issue, it drastically limits an attacker’s ability to leverage this exposure to achieve further compromise.
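Here is what the LAPS workflow from the Alice and Bob scenario looks like in practice, as an added example that is not part of the original post or of Microsoft’s LAPS documentation. It uses the legacy LAPS PowerShell module (AdmPwd.PS); the OU, group and computer names are placeholders, and the delegation part is run once by a domain admin while the helpdesk part runs as a member of the helpdesk group.

```powershell
# Added example, not from the original post: delegate LAPS rights for one OU,
# then have a helpdesk tech read a machine's local admin password and expire
# it when finished. Legacy LAPS module (AdmPwd.PS); names are placeholders.
Import-Module AdmPwd.PS

$ou       = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$helpdesk = 'EXAMPLE\Helpdesk-Techs'              # placeholder AD group

# --- Domain admin side, run once ---
# Let each computer in the OU write its own new password and expiry into AD.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Only the helpdesk group may read or force-reset passwords for that OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# Audit: who else holds "All Extended Rights" on this OU? Anyone beyond the
# helpdesk group and domain admins can read every password in it and should
# have that delegation removed.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

# --- Helpdesk side, from the management VLAN as a helpdesk member ---
function Get-TempLocalAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    [pscustomobject]@{
        Computer = $entry.ComputerName
        Password = $entry.Password
        Expires  = $entry.ExpirationTimestamp   # when LAPS will rotate it anyway
    }
}

$localAdmin = Get-TempLocalAdmin -ComputerName 'WS-BOB'   # placeholder host
$localAdmin | Format-List

# ... troubleshoot Bob's machine with that local admin account ...

# When done, expire the password now rather than waiting for the configured
# age. The client rotates it at its next policy refresh, so the value just
# typed on Bob's (possibly compromised) machine stops working shortly after.
Reset-AdmPwdPassword -ComputerName 'WS-BOB' -WhenEffective (Get-Date)
```

Even if Xavier later pulls that password out of Bob’s memory, it opens only Bob’s machine and only until the rotation runs, which is the containment the text describes.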
These solutions, LAPS in particular, do a lot to thwart an attacker’s efforts. They won’t deter every attacker, but combining LAPS, aggressive destruction of Windows cached credentials, regular patching, and user training (so users don’t click on the phishing links that provide the initial foothold) leaves your network with a lot of locked doors and windows.