Best practices can defeat 'devastating' Kerberos flaw

Despite claims that the problem lies in how Microsoft implements Kerberos in Windows, standard best practices and hardening rules can stop Golden Ticket and Pass-the-Hash attacks

It's hard enough keeping up with the latest vulnerability reports and new research, but security becomes an even bigger challenge when there's confusion surrounding a flaw's severity.

That's what happened recently when a security researcher described how an attacker could use pass-the-hash or Golden Ticket techniques with "devastating consequences" on Windows systems.

The issue relates to how Microsoft implemented Kerberos, an authentication system that uses secret-key cryptography to provide strong authentication for client/server applications. Instead of sending passwords across the network, Kerberos generates a secret key that's stored in memory. A flaw in Kerberos sounds serious and not one to lightly dismiss, but on further inspection, the underlying issue seems to be more about organizations disabling security controls and ignoring best practices.

Microsoft is aware of Golden Ticket and pass-the-hash techniques, and it recommends organizations follow established guidance to protect themselves.

The researcher, using the handle dfirblog, described in great detail how Kerberos secret keys are created from the NT LAN Manager (NTLM) hash of an inactive user account. The inactive user krbtgt is created when the system is first installed and typically remains untouched on Windows machines for a long time. As a result, attackers can easily retrieve the hash and "gain legitimate Kerberos tickets," in order to execute commands with administrator privileges, create passwords for other accounts, and download certain files.

"Secret keys that use RC4 algorithm is not salted and use NTLM hash of the user as a key, so NTLM hash = RC4 secret key," dfirblog wrote.

The post claimed there was no way to fix the issue, but that organizations can prevent attackers by protecting privileged accounts "at all costs." Effective mitigations include using Microsoft's Credential Guard so that passwords aren't being stored in memory and relying on the Protected Users group to restrict access to privileged accounts.

"Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in the Windows environment," dfirblog wrote.

Doom and gloom?

A Reddit user took exception to the claim the issue cannot be mitigated easily. "It requires deliberately misconfiguring your domain controllers, deliberately using old software, and a lot of avoiding following best practices to create this 'perfect' scenario," wrote user Michichael on Reddit. The attack as described is possible if the organization is not using established security best practices, such as running up-to-date software, not giving users local administrator privileges, and whitelisting applications.

Microsoft made a similar statement, noting that "only organizations that already have a fully compromised domain controller are vulnerable to this technique." 

For example, the original report said the secret keys using the RC4 cryptographic algorithm were not salted. Michichael noted that the algorithm in question is actually RC4-HMAC-MD5, which was deprecated in 2006 and is disabled by default on most modern operating systems. Microsoft issued an update in 2013 disabling RC4 on Windows 7.

Even though Windows Server 2008 R2 and Windows 7 can be configured to down-negotiate RC4 sessions for backward compatibility, organizations should already be hardening their systems against this specific risk. No newly deployed systems are vulnerable to this attack because the algorithm is disabled by default, and Microsoft has been recommending that older systems running Windows Server 2008 disable this capability for more than a decade.
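The hardening points raised above (an untouched krbtgt account, accounts still advertising RC4-HMAC, privileged accounts outside Protected Users, and Credential Guard) can be audited from PowerShell. The script below is an added example, not code from the article, from dfirblog, or from Microsoft; it assumes the ActiveDirectory RSAT module, read access to the domain, and a Windows 10 or Server 2016 or later host for the Credential Guard query.

```powershell
# Added example, not code from the article or from Microsoft. Assumes the
# ActiveDirectory RSAT module and read access to the domain. Attribute and
# bit-flag names follow Microsoft's MS-KILE documentation.
Import-Module ActiveDirectory

# 1. krbtgt key age. Tickets forged from a captured krbtgt hash remain valid until the
#    account's password has been changed twice, so a long-untouched key is the exposure.
$krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
$ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
if ($ageDays -gt 180) {
    Write-Warning "krbtgt key is $ageDays days old; reset it twice, at least one maximum ticket lifetime apart."
}

# 2. Accounts that explicitly advertise RC4-HMAC in msDS-SupportedEncryptionTypes (bit 0x4).
#    OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; objectClass=user also
#    matches computer objects, since computer inherits from user.
$rc4Filter   = '(&(objectClass=user)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4))'
$rc4Accounts = Get-ADObject -LDAPFilter $rc4Filter -Properties 'msDS-SupportedEncryptionTypes'
foreach ($acct in $rc4Accounts) {
    Write-Warning "$($acct.Name) explicitly allows RC4-HMAC (value $($acct.'msDS-SupportedEncryptionTypes'))."
}
# Accounts with the attribute unset fall back to the domain default rather than an explicit AES-only setting.
$unset = @(Get-ADObject -LDAPFilter '(&(objectClass=user)(!(msDS-SupportedEncryptionTypes=*)))').Count
Write-Output "$unset account(s) have no msDS-SupportedEncryptionTypes set and rely on the default."

# 3. Privileged accounts outside Protected Users. Membership blocks NTLM and RC4 for the
#    account and shortens its TGT lifetime; test the impact on each account before adding it.
$protected = @(Get-ADGroupMember 'Protected Users' -Recursive |
    Where-Object objectClass -eq 'user').SamAccountName
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is in '$group' but not in Protected Users." }
}

# 4. Credential Guard on this host: Win32_DeviceGuard.SecurityServicesRunning contains 1
#    when Credential Guard is running, which keeps LSA secrets out of reach of memory readers.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or 1 -notin @($dg.SecurityServicesRunning)) {
    Write-Warning 'Credential Guard is not running on this host.'
}
```

Run it from an elevated session on a domain-joined management host; the warnings map one-to-one onto the controls the article says stop the attack.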

Not everyone follows best practices

Saying that the problems aren't as dire -- or widespread -- as described in the blog post misses a critical point: A significant number of organizations are vulnerable to attacks using those techniques because not everyone is running up-to-date software, using alternative tokens, or taking advantage of whitelisting. An organization would be vulnerable to this attack precisely because it made certain security decisions, such as not using smart cards. Perhaps credentials are cached, or administrators log on interactively instead of using nonprivileged accounts. If steps aren't taken to protect privileged access, credentials can be intercepted and abused.

It's risky to assume organizations migrate off old operating systems when they enter end of life. It would be nice if organizations could always upgrade to the latest modern operating systems, but it takes a while to phase out older operating systems. If organizations still run Windows Server 2003, though it was discontinued in 2011, and have not applied appropriate hardening rules, then those systems will be vulnerable to the attack described by dfirblog.

Most organizations aren't mature enough security-wise to keep up with many of these recommended practices or have specific business reasons for not applying those practices. While this specific attack can be mitigated by using Credential Guard, it may not be the most practical recommendation for organizations not keeping up with basic patching, for example. It's one thing to be aware of the latest security research, but sometimes, it boils down to following best practices and keeping security controls in place.

Copyright © 2015 IDG Communications, Inc.