Windows Security Game Over

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Reference

The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don't exist.

Although some of the entry points are time-limited – the system will seek to validate accounts after 20 minutes – because it is possible to create fake users without limit, it is possible to access a system incessantly.

[...]

The krbtgt user is created when the system is first installed and is inactive, so it can remain untouched on a system for years – providing ready access to a hacker.

This is such a shitty news for a network administrator. I should have done something else in life.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,297
Location
I am omnipresent
Not clear: is this a problem only for LANs / WANs and not single desktops?

Anything that does network authentication. Even if you're implementing someone else's Single Sign on toolchain, it still ultimately has to authenticate through Kerberos and that's real, real bad.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,742
Location
Horsens, Denmark
I know I'm not entirely out of the woods, but I'm really happy that none of my systems' first level of authentication from the web is Windows based.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
I read the article and it appears to me that it does not have applicability to home users on personal computers. Is that correct? Can someone explain to me like I'm five how this may impact me?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,297
Location
I am omnipresent
The service exists and it's still running, so yes, this impacts home PCs as well. If you're on the Public firewall profile and have no User accounts with(!) a password (and therefore don't use any Windows file sharing or the like), you're much more safe than a Windows server. Safety decreases from that point.

With regard to Windows admins, this is particularly awful because it's not just a matter of security on the outward-facing components of our networks. We're going to have to completely re-think what we expose inside the perimeter as well since there's that much less we can assume is safe traffic.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
Thank you. Would would be the recommendation for a home user such as myself? I have two Win10 Pro PCs connected to my router. One never has a user logged in since Plex runs as a service on it. The other is my primary use home machine and I am running an Admin type account. There is also one User type account I have for my son. THANKS!
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,297
Location
I am omnipresent
I suspect there will be a patch before too terribly long. You have an external firewall and don't expose your home PCs via any remote services other than Plex, right?
I'm more concerned about how far back Microsoft will patch or address this vulnerability. I have more not-R2 (Vista's cohort) Server 2008 machines out in the world than anything else.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
I suspect there will be a patch before too terribly long. You have an external firewall and don't expose your home PCs via any remote services other than Plex, right?
I'm more concerned about how far back Microsoft will patch or address this vulnerability. I have more not-R2 (Vista's cohort) Server 2008 machines out in the world than anything else.

Thanks again! The only other 'things' I run on my machines is the F@H Client, Crashplan & Steam (why I have Steam I have no idea because I almost never game).
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,297
Location
I am omnipresent
At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if they rest of us don't.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if they rest of us don't.

IIRC there was a special version of XP long ago. It may have been EC only, but I don't recall.
I doubt that exists today with the MS philosophy of shoving Win 10 up our assess.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Since this is serious stuff, I presume MS is working on it frantically and will issue an out-of-cycle patch? I only hope the patch is not half-baked and breaks something else.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,358
Location
Gold Coast Hinterland, Australia
Hi Guys, Haven't really commented on this, but please be aware that any patch MS provides will break sh*t, as this flaw isn't some coding issue, but rather a policy/procedure issue in regards to how MS decided to use kerberos. Kerberos Golden Tickets have been known about for a while now, just the author of the blog did a really good write up on the issue. (one of the better ones I've seen).

The primary mitigation (if you continue to use MS) is to disable RC4 during ticket issue and routinely reset the kbrtgt user account on a regular basis... (and I expect any patch delivered by MS in relation will do the former for you). However disabling RC4 will break compatibility with older Windows variants (not that matters with Win10 being shoved down everyone’s throat) as well as some kerberos aware CIFS/SMB services on Mac and Linux, etc...

PS. Here is the original blog: http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
If you haven't read it, I recommend you do so.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,358
Location
Gold Coast Hinterland, Australia
At one time at least, Microsoft sold high security Windows configurations to governmental organizations. I suspect they get to review code even if they rest of us don't.

IIRC, MS worked closely with the NSA on securing Windows during the development of Vista and also with 7... Therefore most of the requirements for a high security configuration can be meat with the use of GPOs and don't requirement much of anything else...

NSA guidelines for OSes are publicly available here: https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Also note that MS has and does continue to give out the source code for windows components for academic purposes (primarily to gov departments and some universities)...
 
Top