Archive for the ‘Active Directory’ Category

Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472

January 15th, 2021 No comments

Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020.  We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default.  This will block vulnerable connections from non-compliant devices.  DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the …

Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 Read More »

Attacks exploiting Netlogon vulnerability (CVE-2020-1472)

October 29th, 2020 No comments

Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be …

Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More »

The post Attacks exploiting Netlogon vulnerability (CVE-2020-1472) appeared first on Microsoft Security Response Center.

Time for day 2 of briefings at BlueHat Seattle!

October 25th, 2019 No comments

We hope you enjoyed the first day of our BlueHat briefings and the Bytes of BlueHat reception in our glamping tent (complete with toasted marshmallows). Yesterday, we learned a lot about how XboxOne hardware security has advanced the state of hardware security elsewhere, we heard some surprising correlations between vuln severity, age, and time to …

Time for day 2 of briefings at BlueHat Seattle! Read More »

The post Time for day 2 of briefings at BlueHat Seattle! appeared first on Microsoft Security Response Center.

KRBTGT Account Password Reset Scripts now available for customers

February 11th, 2015 No comments

Credential theft and reuse attacks continue to be top of mind for many of the CISOs I have talked to recently. We have discussed this topic several times in the past:

UntitledAlthough pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service[i].

A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.

One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.

Today we are sharing the krbtgt account password reset script and associated guidance that will enable customers to interactively reset and validate replication of the krbtgt account keys on all writable domain controllers in the domain. By providing this script and associated guidance, we hope to help customers perform the reset in a way which reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in their environment.

The Reset-KrbtgtKeyInteractive-v1.4 enables customers to:

  1. Perform a single reset of the krbtgt account password (it can be run multiple times for subsequent resets).
  2. Validate that all writable DC’s in the domain have replicated the keys derived from the new password, so they are able to begin using the new keys.

The krbtgt account password reset script guide includes detailed information on how to use the reset script and its three modes- Informational, Estimation Mode, and Reset and offers:

  1. A step-by-step list of tasks associated with performing the krbtgt account password reset.
  2. Information for customers wishing to invalidate all existing TGTs by performing a double reset of the krbtgt account secret during a comprehensive Active Directory recovery.

We’ve also provided a detailed guide which helps system administrators understand the required tasks, impact to the organization, schedule and timeline, and other considerations. Together, this combination covers necessary tasks, tests, and validations that should be performed before and after the reset.

It is important to remember that resetting the krbtgt is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using guidance found in the Mitigating Pass-the-Hash and Other Credential Theft, version 2.