Windows Security Game Over

CougTek

Hairy Aussie
Reference

The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don't exist.

Although some of the entry points are time-limited – the system will seek to validate accounts after 20 minutes – because it is possible to create fake users without limit, it is possible to access a system incessantly.

[...]

The krbtgt user is created when the system is first installed and is inactive, so it can remain untouched on a system for years – providing ready access to a hacker.

This is such shitty news for a network administrator. I should have done something else in life.
 

Mercutio

Fatwah on Western Digital
Not clear: is this a problem only for LANs / WANs and not single desktops?

Anything that does network authentication. Even if you're implementing someone else's Single Sign-On toolchain, it still ultimately has to authenticate through Kerberos and that's real, real bad.
 

ddrueding

Fixture
I know I'm not entirely out of the woods, but I'm really happy that none of my systems' first level of authentication from the web is Windows based.
 

Clocker

Storage? I am Storage!
I read the article and it appears to me that it does not have applicability to home users on personal computers. Is that correct? Can someone explain to me like I'm five how this may impact me?
 

Mercutio

Fatwah on Western Digital
The service exists and it's still running, so yes, this impacts home PCs as well. If you're on the Public firewall profile and have no User accounts with(!) a password (and therefore don't use any Windows file sharing or the like), you're much safer than a Windows server. Safety decreases from that point.

With regard to Windows admins, this is particularly awful because it's not just a matter of security on the outward-facing components of our networks. We're going to have to completely re-think what we expose inside the perimeter as well since there's that much less we can assume is safe traffic.
 

Clocker

Storage? I am Storage!
Thank you. What would be the recommendation for a home user such as myself? I have two Win10 Pro PCs connected to my router. One never has a user logged in since Plex runs as a service on it. The other is my primary use home machine and I am running an Admin type account. There is also one User type account I have for my son. THANKS!
 

Mercutio

Fatwah on Western Digital
I suspect there will be a patch before too terribly long. You have an external firewall and don't expose your home PCs via any remote services other than Plex, right?
I'm more concerned about how far back Microsoft will patch or address this vulnerability. I have more not-R2 (Vista's cohort) Server 2008 machines out in the world than anything else.
 

Clocker

Storage? I am Storage!
> I suspect there will be a patch before too terribly long. You have an external firewall and don't expose your home PCs via any remote services other than Plex, right?
> I'm more concerned about how far back Microsoft will patch or address this vulnerability. I have more not-R2 (Vista's cohort) Server 2008 machines out in the world than anything else.

Thanks again! The only other 'things' I run on my machines is the F@H Client, Crashplan & Steam (why I have Steam I have no idea because I almost never game).
 

Mercutio

Fatwah on Western Digital
At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if the rest of us don't.
 

LunarMist

I can't believe I'm a Fixture
> At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if the rest of us don't.

IIRC there was a special version of XP long ago. It may have been EC only, but I don't recall.
I doubt that exists today with the MS philosophy of shoving Win 10 up our asses.
 

mubs

Storage? I am Storage!
Since this is serious stuff, I presume MS is working on it frantically and will issue an out-of-cycle patch? I only hope the patch is not half-baked and breaks something else.
 

Chewy509

Wotty wot wot.
Hi Guys, I haven't really commented on this, but please be aware that any patch MS provides will break sh*t, as this flaw isn't some coding issue, but rather a policy/procedure issue in regards to how MS decided to use Kerberos. Kerberos Golden Tickets have been known about for a while now; it's just that the author of the blog did a really good write-up on the issue (one of the better ones I've seen).

The primary mitigation (if you continue to use MS) is to disable RC4 during ticket issue and routinely reset the krbtgt user account on a regular basis... (and I expect any patch delivered by MS in relation will do the former for you). However disabling RC4 will break compatibility with older Windows variants (not that it matters with Win10 being shoved down everyone's throat) as well as some Kerberos-aware CIFS/SMB services on Mac and Linux, etc...

PS. Here is the original blog: http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
If you haven't read it, I recommend you do so.
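The two mitigations in the post above, as an added PowerShell example that is not from this thread or the linked dfir-blog write-up. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and a host that can read each DC's Security log; the function names (Get-KrbtgtPasswordAge, Get-Rc4TicketRequests, Reset-KrbtgtOnce) are my own. It goes slightly beyond the post by auditing event 4769 first, so you find out which clients and services still depend on RC4 before you remove it.

```powershell
# Added example, not from the thread or the blog it links. Assumes the RSAT
# ActiveDirectory module and Domain Admin rights. Function names are mine.
Import-Module ActiveDirectory

# 1. How old is the krbtgt password? If it predates the last point at which
#    you are sure the domain was clean, a golden ticket forged back then is
#    still valid today.
function Get-KrbtgtPasswordAge {
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        # msDS-SupportedEncryptionTypes bitmask: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256
        AllowsRC4       = [bool]($k.'msDS-SupportedEncryptionTypes' -band 0x4)
    }
}

# 2. Before disabling RC4 for ticket issue, find out who still asks for it.
#    Event 4769 (TGS request) carries TicketEncryptionType:
#    0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1, 0x11 = AES128-CTS-HMAC-SHA1.
#    Run this against every DC; each DC only logs the requests it served.
function Get-Rc4TicketRequests {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Client   = $d['TargetUserName']
                Service  = $d['ServiceName']
                ClientIP = $d['IpAddress']
            }
        }
    }
}
# Whatever shows up here is what breaks when RC4 is removed via
# msDS-SupportedEncryptionTypes or the GPO setting
# "Network security: Configure encryption types allowed for Kerberos".

# 3. The reset must be done twice: the KDC still accepts tickets encrypted
#    with the *previous* krbtgt key, so a golden ticket survives a single
#    reset. Between the two resets, wait for replication to reach every DC
#    plus the maximum TGT lifetime (10 hours by default) so legitimate
#    tickets expire normally. Two resets in quick succession force every
#    user and service in the domain to re-authenticate at once.
function Reset-KrbtgtOnce {
    # The value never has to be typed by anyone; AD may also substitute its
    # own random value for krbtgt, so just supply something strong.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    # Push the change out instead of waiting for the normal replication cycle.
    foreach ($dc in Get-ADDomainController -Filter *) {
        repadmin /syncall $dc.HostName /AdeP | Out-Null
    }
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

Get-KrbtgtPasswordAge
Get-Rc4TicketRequests -Hours 24 | Group-Object Service, ClientIP | Sort-Object Count -Descending
# Reset-KrbtgtOnce    # run once, wait for replication + the TGT lifetime, then run again
```

Treat the 4769 audit as the gate: only once the RC4 list is empty (or every remaining entry is something you are prepared to break) should the encryption-type policy be tightened, and the krbtgt double reset should be scheduled for a window in which a domain-wide re-authentication is tolerable.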
 

Chewy509

Wotty wot wot.
> At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if the rest of us don't.

IIRC, MS worked closely with the NSA on securing Windows during the development of Vista and also with 7... Therefore most of the requirements for a high security configuration can be met with the use of GPOs and don't require much of anything else...

NSA guidelines for OSes are publicly available here: https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Also note that MS has given out, and continues to give out, the source code for Windows components for academic purposes (primarily to gov departments and some universities)...
 