We are constantly trying to identify and address vulnerabilities that pose risks to our clients’ systems. One area that has been a concern is the long-standing weaknesses in Microsoft’s network authentication protocols, which have provided an avenue for Pass the Hash (PtH) attacks. While we don’t have access to technical information about a specific Common Vulnerabilities and Exposures (CVE), we believe it is crucial to shed light on the broader context of these vulnerabilities and the upcoming changes to address them.
What is the Actual Risk?
Microsoft’s network authentication protocols have been a problem in virtually every penetration test we’ve conducted against Windows-based networks. These protocols transmit the user’s actual NTLMv2 password hash, making it vulnerable to theft and subsequent use in pass the hash attacks. Exploiting this behavior has often resulted in our team being able to gain full domain admin privileges. Even measures such as enabling SMB signing are not a foolproof solution to protect against this vulnerability.
Benefits of Remote Procedure Call (RPC) Signing and Sealing:
RPC signing is a significant step towards fortifying a network. RPC signing ensures that client computers and servers can verify each other’s identities, thereby preventing rogue server setups. However, it is still possible to intercept the password hash through a transparent man-in-the-middle attack.
On the other hand, RPC sealing encrypts the traffic, making it nearly impossible for attackers to extract the actual password hash. This encryption significantly raises the difficulty level for potential attackers, presenting a formidable challenge to pen testing teams. Nonetheless, this is a positive development as it raises the bar for malicious actors and enhances overall network security.
Impact on Systems:
The enforcement of these changes should not have any adverse effects on Windows-based clients and servers that are running up-to-date versions of the operating system. However, we anticipate that there may be situations where third-party appliances, such as printers, NAS devices, backup appliances, and single sign-on (SSO) solutions integrated with Active Directory (AD), may face authentication challenges.
Preparing for the Change:
To mitigate potential disruptions, it is crucial to establish a reliable inventory of all systems in your network that may be impacted. Start researching whether the vendors of these systems have provided any information or guidance regarding the upcoming changes. For example, VMware has published a knowledge base (KB) article that sheds light on the impacts of these changes specific to their products.
Conclusion:
The vulnerabilities in Microsoft’s network authentication protocols have long been a concern for network security professionals. The imminent changes in the form of RPC signing and sealing represent a significant stride in bolstering the security of Windows-based networks. While these changes may introduce some challenges, particularly with third-party appliances, they ultimately enhance the overall resilience against pass the hash attacks. By staying informed and taking proactive steps to prepare for these changes, organizations can safeguard their networks and ensure a robust security posture. As a network security consulting firm, we remain committed to assisting our clients navigate these changes and protecting their digital assets from evolving threats.