Active Directory Security


Nov 21 2014

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

  • By Sean Metcalf in Microsoft Security, Technical Reference

In June 2014, Microsoft released KB2871997 which takes many of the enhanced security protection mechanisms built into Windows 8.1 & Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012.

The enhanced security features reduce the credential data stored in memory and support modern authentication (Kerberos with AES). There are two primary logon types: interactive and network.

An interactive logon occurs when a user enters their logon credentials at the logon prompt, typically when sitting in front of a computer (or when connecting to Terminal Services or Remote Desktop Protocol (RDP) services). This logon type results in the user’s credentials being stored in memory, often in several forms: Kerberos tickets, the NTLM hash, the LM hash (if the password is less than 15 characters long), and even the clear-text password. Mimikatz is a tool that can extract credentials from LSASS protected memory as well as from the local Windows Security Accounts Manager (SAM). Read the ADSecurity.org Unofficial Guide to Mimikatz & Command Reference for more information on Mimikatz capability, usage, detection, and mitigation.

The second type is a network logon, where the user’s credentials are transparently passed to the service on the destination system in order to gain access; note that the user does not have to explicitly enter credentials, they are “passed” to the target service and verified (typically using Kerberos or NTLM). With this logon type, the user’s credentials are not sent to the system hosting the service; therefore, the credentials are not stored on the destination system. This means any service receiving network logons leverages “pass the hash” for single sign-on (SSO).

Note: This post uses WDigest and Digest authentication interchangeably. Also, this patch doesn’t stop Pass-the-Hash, but it does help harden Windows against standard attack methods such as clear-text password dumping, RDP credential theft, and lateral movement using local Administrator accounts.

Update: KB2871997 includes the client components of Restricted Admin Mode Remote Desktop Client (mstsc /RestrictedAdmin). There was a patch released at the end of 2014 that includes the server components of Restricted Admin Mode for earlier versions of Windows.

These protections include:

  • “Protected Users” Group Support (forces Kerberos authentication enforcing AES encryption)
    • The Protected Users group is created when the Domain Functional Level is set to Windows Server 2012 R2.
    • Accounts in the Protected Users group may only authenticate using the Kerberos protocol, denying NTLM, Digest, and CredSSP.
    • Kerberos refuses DES and RC4 encryption types for pre-authentication – the domain must be configured to support AES or higher.
    • A Protected User’s account cannot be delegated with Kerberos constrained or unconstrained delegation.
    • Protected Users work well with “Authentication Policies and Silos”.
  • Restricted Admin RDP Mode Remote Desktop Client support (mstsc /RestrictedAdmin)
    • Restricted Admin RDP mode is enhanced security to protect administrator credentials – this mode is not available for users (“Remote Desktop Users”).
    • As noted above, before this update an RDP logon was an interactive logon: the user gained access only after providing a user name and password. Logging on to an RDP host in this manner places the user’s credentials in memory on the RDP host, where they may be stolen if the host is compromised.
    • This update enables RDP to support network logon, where the user’s existing logon token may be passed for authentication for RDP access. Using this logon type ensures that the user’s credentials do not exist on the RDP server.
    • This effectively provides a choice: either the credentials are sent to the system you are connecting to via RDP (and stored in memory on the RDP host), or a “token” is sent to the RDP host, keeping the credentials off the RDP host.
    • Note: Restricted Admin connections impersonate the computer account for remote connections, so the connected admin may only access shares to which the computer has access.
    • Microsoft recommends Restricted Admin be leveraged in scenarios where help desk users RDP to a workstation to resolve an issue, ensuring the elevated credentials of the help desk are not placed on the workstation (this requires the workstation to be Windows 8.1 or higher).
    • This update does not back-port Restricted Admin RDP server mode to operating systems prior to Windows 8.1 and Windows Server 2012 R2.
  • Pass The Hash Enhanced Protection
    • Removal of Credentials at Logoff
      • Windows caches user credentials (clear-text password, NTLM password hash, Kerberos TGT/Session key) in memory (the LSASS process) when the user logs on. At logoff, these credentials should be cleared from memory, but this didn’t always occur. This update ensures credentials are cleared after log-off.
    • New well-known SIDs
      • LOCAL_ACCOUNT (S-1-5-113) – any local account
      • LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114) – any local account that is a member of the administrators group.
      • Configuring the new well-known SIDs in a Group Policy with the settings “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services” prevents local accounts from connecting over the network.
    • Clear-text credentials removed from LSASS
      • Disabled by default for compatibility reasons. Clear-text passwords are stored in memory (LSASS) primarily to support WDigest authentication.
      • Enable this feature to prevent clear-text credentials from being stored in memory (LSASS).
      • Enable this feature by setting the registry value “UseLogonCredential” (DWORD) to “0” under:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
        On Windows 8.1/Windows Server 2012 R2, this value is set to 0 (Digest disabled). The patch sets the value to 1 on earlier versions of Windows for backwards compatibility (Digest enabled).
      • The NT Hash and Kerberos keys are still stored in memory (LSASS).
      • Check event logs on the Domain Controllers (Event ID 4776) and on all servers (Event ID 4624) to determine if WDigest is still in use. Look for “Authentication Package: WDigest”.
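As an added example (not part of the original post), the following PowerShell audit checks the settings from the list above on the local host: the UseLogonCredential value, whether S-1-5-113 and S-1-5-114 appear in the two recommended deny rights, and recent 4624 logons that used WDigest, reported with their logon type so the interactive and network logons described earlier can be told apart. It assumes PowerShell 3.0 or later, an elevated prompt, and the standard secedit.exe; the function names and the temporary file name are constructed for this example.

```powershell
# Added audit script (not from the original post): checks the KB2871997-related
# settings discussed above on the local host. Needs an elevated prompt and
# PowerShell 3.0 or later; secedit.exe and the Security log are standard.
$WDigestKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LocalAccountSids = 'S-1-5-113', 'S-1-5-114'   # LOCAL_ACCOUNT, LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP
$DenyRights       = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Get-WDigestCachingState {
    # UseLogonCredential = 0 disables clear-text caching. When the value is absent,
    # Windows 8.1/2012 R2 behave as disabled; patched Win7/8/2008R2/2012 as enabled.
    $v = (Get-ItemProperty $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $modernOs = [Environment]::OSVersion.Version -ge [Version]'6.3'
    $cached = if ($null -eq $v) { -not $modernOs } else { $v -ne 0 }
    [pscustomobject]@{ UseLogonCredential = $v; ClearTextCached = $cached }
}

function Get-LocalAccountDenyRights {
    # Exports local policy and checks that both new well-known SIDs are in the two
    # deny rights. secedit writes SIDs with a leading '*' and omits empty rights.
    $inf = Join-Path $env:TEMP 'kb2871997-audit.inf'   # constructed temp file name
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $policy = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue
    foreach ($right in $DenyRights) {
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $sids = if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
        $missing = $LocalAccountSids | Where-Object { $sids -notcontains $_ }
        [pscustomobject]@{ Right = $right; Configured = (-not $missing); Sids = ($sids -join ',') }
    }
}

function Get-WDigestLogons {
    # Lists 4624 events whose Authentication Package is WDigest: the logons that
    # would stop working once UseLogonCredential is set to 0. LogonType 2/10 are
    # interactive (console/RDP), 3 is a network logon.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.AuthenticationPackageName -eq 'WDigest') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName
                               LogonType = $data.LogonType; Source = $data.WorkstationName }
        }
    }
}

Get-WDigestCachingState
Get-LocalAccountDenyRights | Format-Table -AutoSize
Get-WDigestLogons | Format-Table -AutoSize
```

Run it on a representative server before setting UseLogonCredential to 0; an empty WDigest logon list over the lookback window is the signal that the change is safe there.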


References:

  • An overview of KB2871997 (Joe Bialek’s post to the Microsoft Security Research and Defense Blog)
  • Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014
  • Security Update for Windows 7 for x64-based Systems (KB2871997) – disables clear-text passwords in LSASS for WDigest support
  • 2.4.2.4 Well-Known SID Structures
