Security Advisor

Critical Active Directory Design Flaw Could Compromise User Passwords

Microsoft is downplaying the disclosure and has offered multiple ways IT can avoid attack.

A recently disclosed flaw in Active Directory could allow an attacker to bypass security measures in a system to change users' passwords.

In a detailed report published Tuesday, Israel-based security firm Aorato described the flaw as severe because of how widely Active Directory is used in the enterprise, including by 95 percent of all Fortune 1000 companies.

The issue stems from Active Directory still enabling the older NTLM authentication protocol. While Microsoft has moved away from NTLM in recent years in favor of the Kerberos security package, AD still enables the older protocol by default.

"Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse," wrote Tal Be'ery, vice president of research for Aorato, in a blog post. "For example, many enterprises try to limit the use of Active Directory's older -- yet still enabled by default -- authentication protocol (i.e. NTLM)."

Be'ery continued by saying that attackers could force a targeted system's AD to authenticate with a stolen NTLM hash and issue valid RC4-HMAC-MD5-encrypted Kerberos tokens, which could then be used to access restricted services, including user identity management (and with it password management). This could be accomplished with one of many readily available free penetration-testing tools such as WCE or Mimikatz.

According to the firm, Microsoft has been alerted to the issue, but responded by declaring the issue to be a "limited" design flaw that cannot be fixed and is already a well-known issue.

"This is a well-known industry limitation in the Kerberos Network Authentication Service standard," the company said in a released statement. "Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site."

In the TechNet article, which was published online days before Aorato released its threat assessment, Microsoft outlined three different ways to avoid attack:

  • Configure user accounts to require a smart card for interactive logon, so that an account can only be used by the holder of the valid smart card.
  • Disable RC4 support for Kerberos on all domains.
  • Deploy domains on Windows Server 2012 R2 and add authorized users to the Protected Users security group.
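The following PowerShell script is an added example, not code from the article, from Aorato or from Microsoft. It audits a domain against the three mitigations listed above using the RSAT ActiveDirectory module: it checks the SmartcardLogonRequired flag and the msDS-SupportedEncryptionTypes bitmask on privileged accounts, the Kerberos encryption-type policy, and Protected Users membership. The choice of Domain Admins as the audited account set and the registry location used for the "Configure encryption types allowed for Kerberos" policy are assumptions made for this example; adjust both for your environment.

```powershell
# Added example (not from the article, Aorato or Microsoft): audit an AD domain against
# the three TechNet mitigations. Requires the RSAT ActiveDirectory module and read access
# to the domain. Assumptions: Domain Admins is the set of privileged accounts to audit,
# and the encryption-type policy is read from the local machine's policy registry key.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[string]

# Mitigation 1: privileged accounts should require a smart card for interactive logon,
# so a password or NTLM hash alone is not enough to log on.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired, 'msDS-SupportedEncryptionTypes'

foreach ($u in $privileged) {
    if (-not $u.SmartcardLogonRequired) {
        $findings.Add("Smart card not required for privileged account $($u.SamAccountName)")
    }
    # Mitigation 2 (per account): an unset attribute is treated as RC4-capable, and an
    # explicit RC4 bit keeps the NTLM-hash-to-Kerberos-ticket path open.
    $enc = $u.'msDS-SupportedEncryptionTypes'
    if (-not $enc -or ($enc -band $RC4_HMAC)) {
        $findings.Add("RC4 allowed for $($u.SamAccountName) (msDS-SupportedEncryptionTypes=$enc)")
    } elseif (-not ($enc -band ($AES128 -bor $AES256))) {
        $findings.Add("No AES type enabled for $($u.SamAccountName); Kerberos would have nothing to fall back on")
    }
}

# Mitigation 2 (domain policy): the 'Configure encryption types allowed for Kerberos'
# GPO setting. Assumption: read from the local policy key; in practice confirm the GPO
# applied to the domain controllers rather than only the workstation running this.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policy  = (Get-ItemProperty -Path $kerbKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $policy) {
    $findings.Add('Kerberos encryption-type policy not configured; RC4 remains enabled by default')
} elseif ($policy -band $RC4_HMAC) {
    $findings.Add("Kerberos encryption-type policy still permits RC4 (value=$policy)")
}

# Mitigation 3: Protected Users needs a Windows Server 2012 R2 domain functional level;
# its members cannot authenticate with NTLM, DES or RC4.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ($domain.DomainMode -lt $required) {
    $findings.Add("Domain functional level $($domain.DomainMode) is below 2012 R2; Protected Users is unavailable")
} else {
    $protected = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
    foreach ($u in $privileged) {
        if ($protected -notcontains $u.SamAccountName) {
            $findings.Add("$($u.SamAccountName) is not a member of Protected Users")
        }
    }
}

if ($findings.Count -eq 0) {
    'All three mitigations are in place for the audited accounts.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell session on a domain-joined administrative workstation. Each FINDING line maps back to one of the three mitigations, so the output doubles as a remediation checklist; treat the "RC4 allowed" findings with care, since disabling RC4 domain-wide breaks any service account or legacy system that has no AES key, which is why the policy and per-account checks are reported separately.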

Many security experts agree with Microsoft over the severity of the issue. "It does not seem to be as serious as pictured since the conditions where an actual attack can happen are very complex," said Ehsan Foroughi, director of research at Security Compass, to Computerworld.

In what looks to be purely coincidental timing, The New York Times reported on Wednesday that Microsoft is currently in active negotiations to buy Aorato for an estimated $200 million. The security firm specializes in software used to monitor central enterprise communication components.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
