![]() ![]() (Updated 11-4-14 to reflect new name and add clarity). It covers an overview of Pass-the-Hash (PtH) and ways to mitigate it, understanding the breadth of related credential theft risks, risks of using shared passwords, the enforcement of local account restrictions, randomized local Administrator account passwords, recovery procedures for privileged account passwords as well as real world capabilities that you can implement into your environment to compartmentalize and defend against lateral traversal attacks using built in Administrative credentials. This course is an advanced course for implementing mitigation lateral movement mitigations from Microsoft’s Pass the Hash Whitepaper. If you are a Microsoft Premier customer you have the option to get a Proactive Operations Program – Securing Lateral Account Movement (SLAM) delivery (we typically call it POP-SLAM ). ![]() Once this password is discovered I am opening myself up to a Pass-the-Hash (PtH) attack. I’m not sure I could ever in good conscious recommend this to anyone who is serious about security. Using a simple PowerShell script (more info found at the link) that utilizes the encryption key that was easily available on MSDN, I was able to get the password with a few keystrokes. You can see that while the information shown below in yellow isn’t the password I used (which was Password1), it is still readable by any authenticated user as they all have read access to Sysvol. When you set this up you are even warned about this: The passwords are stored in the XML file that Group Policy Preferences uses to store its data. The other problem with this solution is that although the password is encrypted using AES 256, the private key for the encryption is located on MSDN. And all machines that get this policy will have the same password. ![]() That’s is a fancy way of saying that the password is converted to an unreadable format. You see the stored password is obfuscated. Type the new password into the Password text box, confirming the password in Confirm Password text box. Type Administrator into the User name text boxĩ. Since some of you may be doing this already, I'll talk about this in a little detail and explain why we removed this.Ħ. Once you apply this patch, this is no longer a usable option. Because of the security concerns with storing passwords in Group Policy Preferences, Microsoft just released a security patch, MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, that removes this functionality. The first thing that might come to mind is to use Group Policy Preferences. But what about when you have thousands of servers and tens of thousands of workstations? Now we need a little bit of automation to keep things moving along smoothly. If you only have one computer then this is an easy thing to do. Today I decided to focus on one that is simple to implement, changing the local administrator’s password on a regular basis. ![]() The list of things you can do are extensive and more than I could ever cover in a single blog post. With all of the security breaches we keep reading about on the Internet these days, I keep getting asked how to make servers and workstations less vulnerable to attack. Hello again, Tom Ausburne with another post we think you’ll enjoy. First published on TechNet on May 18, 2014 ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |