Security Advisor

Critical Active Directory Design Flaw Could Compromise User Passwords

Microsoft is downplaying the disclosure and has offered multiple ways IT can avoid attack.

A recently disclosed flaw in Active Directory could allow an attacker to bypass security measures in a system to change users' passwords.

In a detailed report by Israeli-based security firm Aorato on Tuesday, the flaw is considered severe by the firm due to the widespread enterprise use of Active Directory, including in 95 percent of all Fortune 1000 companies.

The issue stems from Active Directory enabling the authentication protocol called NTLM. While Microsoft has moved away from the protocol in recent years in favor of the Kerberos security packet, AD still enables the older protocol by default.

"Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse," wrote Tal Be'ery, vice president of research for Aorato, in a blog post. "For example, many enterprises try to limit the use Active Directory's older -- yet still enabled by default -- authentication protocol (i.e. NTLM)."

Be'ery continued by saying that attackers could force a targeted system's AD to authenticate their NTLM hash and issue valid RC4-HMAC-MD5-encrypted Kerberos tokens, which could be used to access restricted services of a system, including access to user identity (including password management). This could be accomplished by using one of many readily available free penetration tools like WCE or Mimkatz.

According to the firm, Microsoft has been alerted to the issue, but responded by declaring the issue to be a "limited" design flaw that cannot be fixed and is already a well-known issue.

"This is a well-known industry limitation in the Kerberos Network Authentication Service standard," the company said in a released statement. "Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site."

In the TechNet article, which was published online days before Aorato released its threat assessment, Microsoft outlined three different ways to avoid attack:

  • Configure user accounts to require smart card login for interaction, limiting an account to only be accessed by the valid smart card user.
  • Disable RC4 support for Kerberos on all domains.
  • Deploy domains in Windows Server 2012 R2 and designate authorized users be included in the Protected Users security group.

Many security experts agree with Microsoft over the severity of the issue. "It does not seem to be as serious as pictured since the conditions where an actual attack can happen are very complex," said Ehsan Foroughi, director of research at Security Compass, to Computerworld.

In what looks to be purely coincidental, The New York Times reported on Wednesday that Microsoft is currently in active negations to buy Aorato for an estimated $200 million. The security firm specializes in software used to monitor enterprise central communication components.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

  • Dealing with Broken Dependencies in SCVMM

    Brien shows you how to resolve some broken, template-related dependencies in Microsoft's System Center Virtual Machine Manager.

  • AzCopy Preview Adds AWS S3 Data Transfer Improvements

    Microsoft announced this week that it has improved the preview version of its AzCopy tool to better handle Amazon Web Services (AWS) S3 data.

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.