Security Advisor

Critical Active Directory Design Flaw Could Compromise User Passwords

Microsoft is downplaying the disclosure and has offered multiple ways IT can avoid attack.

A recently disclosed flaw in Active Directory could allow an attacker to bypass security measures in a system to change users' passwords.

Israel-based security firm Aorato, which disclosed the flaw in a detailed report on Tuesday, considers it severe because of Active Directory's widespread enterprise use, including in 95 percent of all Fortune 1000 companies.

The issue stems from Active Directory still enabling the older NTLM authentication protocol. While Microsoft has moved away from NTLM in recent years in favor of the Kerberos security package, AD still enables the older protocol by default.

"Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse," wrote Tal Be'ery, vice president of research for Aorato, in a blog post. "For example, many enterprises try to limit the use of Active Directory's older -- yet still enabled by default -- authentication protocol (i.e. NTLM)."

Be'ery went on to say that an attacker holding a user's NTLM hash could force the targeted Active Directory to accept it and issue valid RC4-HMAC-MD5-encrypted Kerberos tickets, which could then be used to reach restricted services, including the user's identity functions (password management among them). Obtaining the hash is possible with one of many readily available free penetration-testing tools such as WCE or Mimikatz.

According to the firm, Microsoft was alerted to the issue but responded that it is a "limited", well-known design flaw that cannot be fixed.

"This is a well-known industry limitation in the Kerberos Network Authentication Service standard," the company said in a released statement. "Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site."

In the TechNet article, which was published online days before Aorato released its threat assessment, Microsoft outlined three different ways to avoid attack:

  • Configure user accounts to require a smart card for interactive logon, so that an account can be used only by the holder of the valid smart card.
  • Disable RC4 support for Kerberos on all domains.
  • Deploy domains at the Windows Server 2012 R2 functional level and add authorized users to the Protected Users security group.
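To see whether the three mitigations above are actually in place in a domain, the following read-only PowerShell audit is an added example; it is not code from the article, from Aorato or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the running account can read users and groups, and that it runs on a domain controller so the registry check reflects that DC's Kerberos encryption-type policy. The group name "Domain Admins" stands in for whichever accounts an organization treats as the "authorized users" the third mitigation refers to.

```powershell
# Added audit script (not from the article, Aorato or Microsoft). Assumptions:
# RSAT ActiveDirectory module present, read access to the domain, executed on a DC.
Import-Module ActiveDirectory

# Kerberos encryption-type bitmask shared by the "Network security: Configure encryption
# types allowed for Kerberos" policy (SupportedEncryptionTypes) and the per-account
# msDS-SupportedEncryptionTypes attribute.
$RC4_HMAC   = 0x4
$AES128_CTS = 0x8
$AES256_CTS = 0x10

function Test-RC4Allowed {
    param([int]$Mask)
    # 0 or an absent value means "use the defaults", and the defaults include RC4-HMAC.
    if ($Mask -eq 0) { return $true }
    return (($Mask -band $RC4_HMAC) -ne 0)
}

# --- Mitigation 2: is RC4 disabled for Kerberos on this domain controller? ---
$kerbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$setting  = Get-ItemProperty -Path $kerbKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
$hostMask = if ($setting) { [int]$setting.SupportedEncryptionTypes } else { 0 }
if (Test-RC4Allowed $hostMask) {
    Write-Warning ("RC4-HMAC still allowed for Kerberos on {0} (SupportedEncryptionTypes=0x{1:X})" -f $env:COMPUTERNAME, $hostMask)
} else {
    $aesOnly = ($hostMask -band ($AES128_CTS -bor $AES256_CTS)) -ne 0
    Write-Output ("RC4-HMAC disabled for Kerberos on {0}; AES enabled: {1}" -f $env:COMPUTERNAME, $aesOnly)
}

# Accounts that explicitly re-enable RC4 on the account object override the host policy,
# so list them as well. Accounts with the attribute unset inherit the policy above.
$explicitRc4 = Get-ADUser -Filter "msDS-SupportedEncryptionTypes -like '*'" -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { (([int]$_.'msDS-SupportedEncryptionTypes') -band $RC4_HMAC) -ne 0 }
foreach ($acct in $explicitRc4) {
    Write-Warning ("Account {0} explicitly permits RC4-HMAC (msDS-SupportedEncryptionTypes=0x{1:X})" -f `
        $acct.SamAccountName, [int]$acct.'msDS-SupportedEncryptionTypes')
}

# --- Mitigations 1 and 3: privileged human accounts should require a smart card for
#     interactive logon and sit in Protected Users (exists once the domain is 2012 R2). ---
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired }

$protectedGroup   = Get-ADGroup -Filter "Name -eq 'Protected Users'"
$protectedMembers = @{}
if ($protectedGroup) {
    Get-ADGroupMember -Identity $protectedGroup -Recursive |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
} else {
    Write-Warning 'Protected Users group not found: the domain is not yet at the Windows Server 2012 R2 level.'
}

# One row per privileged account; a $false in either column is a gap against the list above.
$privileged | ForEach-Object {
    [pscustomobject]@{
        Account           = $_.SamAccountName
        SmartcardRequired = [bool]$_.SmartcardLogonRequired
        InProtectedUsers  = if ($protectedGroup) { $protectedMembers.ContainsKey($_.DistinguishedName) } else { $false }
    }
} | Format-Table -AutoSize
```

The script only reads; the actual changes belong in Group Policy (the Kerberos encryption-type setting), on the account object (the smart card requirement) and in group membership. The bitmask values are the standard Kerberos encryption-type flags, so the same test applies to the per-account attribute and to the host policy, and an absent value is treated as "RC4 allowed" because that is what the default behaviour the article describes amounts to.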

Many security experts agree with Microsoft over the severity of the issue. "It does not seem to be as serious as pictured since the conditions where an actual attack can happen are very complex," said Ehsan Foroughi, director of research at Security Compass, to Computerworld.

In what appears to be pure coincidence, The New York Times reported on Wednesday that Microsoft is currently in active negotiations to buy Aorato for an estimated $200 million. The security firm specializes in software that monitors enterprise central communication components.

About the Author

Chris Paoli is the site producer for and
