
The things that are better left unspoken

a blog by Sander Berkouwer





Security Thoughts: Leveraging NTLM Hashes using Kerberos RC4-HMAC encryption (AKA Aorato’s Active Directory Vulnerability)

In a blog post today, Tal Be'ery, Vice President of Research at Aorato (an Israeli security company, staffed largely by veterans of the Israeli Defense Forces, that specializes in Active Directory), published how weak encryption enables an attacker to change a victim’s password without the change being logged.

Labeled as a vulnerability in Active Directory, this information sparked some controversy, so let’s dive into it.


About this vulnerability

Tal Be'ery and his colleagues at Aorato have found a way to use harvested NTLM hashes in RC4-HMAC-MD5-encrypted Kerberos sessions, based on the backward compatibility information in RFC 4757. Section 2 of this RFC states that “The key used for RC4-HMAC is the same as the existing Windows NT key (NT Password Hash) for compatibility reasons.”

[Figure: The RC4 vulnerability process]

The attack process is depicted in the picture above, where blue items represent the legitimate processes and traffic and red items represent the attacker’s steps. After a colleague logs on with his or her user account (1), LSASS on the device derives credential material for each of its authentication plug-ins (2); among other things, it runs the password through the NT One-Way Function (NTOWF) to produce the NTLM hash. When the colleague then signs on to network resources, the appropriate plug-in supplies the hashes and tickets needed, without prompting for credentials again (3).

The attack method described by Tal Be’ery consists of three parts:

  1. Harvest NTLM hashes (1)
  2. Use the NTLM hashes to construct valid RC4-HMAC-MD5-encrypted Kerberos tokens (2)
  3. Communicate with hosts, such as Domain Controllers, in weakly (RC4-HMAC-)encrypted Kerberos sessions (3)
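As an added example (my own code, not Aorato’s and not anything from the original post), the Python script below implements RFC 4757’s string-to-key and encryption routines from scratch, so you can see what “the RC4-HMAC key is the NT hash” means in practice: holding nothing but the harvested hash, you can produce and verify RC4-HMAC-MD5 Kerberos ciphertext for key usage 1 (the PA-ENC-TIMESTAMP pre-authentication block of an AS-REQ), indistinguishable from what the legitimate user’s client would produce. The password, confounder and timestamp are constructed sample values; MD4 and RC4 are implemented inline because neither is reliably available from Python’s hashlib under OpenSSL 3.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT One-Way Function (NTOWF) is MD4 over the UTF-16LE password."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWF: what LSASS keeps in memory and what wce.exe / Mimikatz harvest."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 section 6: K = MD4(UNICODE(password)). Byte-for-byte the NT hash."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _t(usage: int) -> bytes:
    """RFC 4757 message type T as a little-endian DWORD. The AS-REP (3) and TGS-REP (9)
    encrypted parts both use T=8; every other Kerberos key usage maps to itself."""
    return struct.pack("<I", {3: 8, 9: 8}.get(usage, usage))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """ETYPE 23 encryption (RFC 4757 section 3): checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, _t(usage))
    k2 = k1                                  # non-exportable RC4-HMAC: K2 == K1
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k2, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Reverse of rc4_hmac_encrypt; raises if the HMAC-MD5 checksum does not verify."""
    k1 = _hmac_md5(key, _t(usage))
    checksum, body = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("RC4-HMAC checksum mismatch: wrong key or tampered data")
    return data[8:]                          # strip the 8-byte confounder


def pass_the_hash_to_kerberos(harvested_nt_hash: bytes, kdc_password: str) -> bool:
    """The KDC derives the client's RC4-HMAC key from the password; the attacker never
    has the password, only the hash, yet produces ciphertext the KDC accepts."""
    pa_enc_timestamp = 1                     # key usage of AS-REQ pre-authentication
    timestamp = b"20140715120000Z"           # constructed sample plaintext
    blob = rc4_hmac_encrypt(harvested_nt_hash, pa_enc_timestamp, timestamp)
    kdc_key = rc4_hmac_string_to_key(kdc_password)
    return rc4_hmac_decrypt(kdc_key, pa_enc_timestamp, blob) == timestamp


if __name__ == "__main__":
    victim_hash = nt_hash("Summer2014!")     # constructed: what an attacker lifts from LSASS
    print("NT hash      :", victim_hash.hex())
    print("RC4-HMAC key :", rc4_hmac_string_to_key("Summer2014!").hex())
    print("KDC accepts pre-auth built from the hash alone:", pass_the_hash_to_kerberos(victim_hash, "Summer2014!"))
```

Nothing here is Kerberos-specific beyond the key usage number: the only secret is the 16-byte NT hash, which is why the mitigation is either to keep that hash out of reach (LSASS Protection, the Pass-the-Hash whitepaper) or to stop the KDC from accepting RC4-HMAC at all.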

About LSASS and LSASS Protection

As you might recall from my last blog post, covering LSASS protections in Windows 8.1 and Windows Server 2012 R2, I detailed how LSASS uses a plug-in per Security Support Provider (SSP) and how these plug-ins derive hashes with their one-way hashing algorithms. I also detailed a new feature, LSASS Protection, in Windows 8.1 and Windows Server 2012 R2, that protects the LSASS memory space and no longer keeps every hash in it.

About encryption algorithms

When NTLM was introduced with Windows NT in 1993, processors were not fast enough to run anything heavier than cheap one-way functions without users noticing: the older LM hash is built on DES, and the NT hash is a single, unsalted MD4 of the password. Today’s processors (let alone GPUs) brute-force such hashes with ease.

This is, indeed, a cat-and-mouse game. On the Kerberos side, Microsoft has disabled the DES-CBC-CRC and DES-CBC-MD5 Kerberos encryption types by default from Windows 7 and Windows Server 2008 R2 onwards.

Could RC4-HMAC-MD5 be the next in line to bite the dust?


Mitigating this type of attack

This attack method is made possible by three factors:

  1. The device stores NTLM hashes in the LSASS memory space, where they can be harvested with tools like the Windows Credentials Editor (wce.exe) and Mimikatz.
  2. For backward compatibility, the RC4-HMAC-MD5 Kerberos encryption type uses the NTLM hash as its key (RFC 4757), so RC4-HMAC-MD5-encrypted Kerberos tokens can be created from the hash alone.
  3. Hosts on the network, including Active Directory Domain Controllers, running Windows 7 and Windows Server 2008 R2 and up, negotiate Kerberos encryption types, and RC4-HMAC-MD5 is allowed as a valid Kerberos encryption type by default.

The second factor is not something that can be easily changed, but as Active Directory admins, we can address the other two factors:

Mitigate Pass-the-Hash (PtH) attacks

Since this type of attack leverages harvested NTLM hashes, mitigating credential theft pulls the rug out from under it. Last week, Microsoft released the second version of its whitepaper on Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft. In it, Microsoft details these steps to mitigate Pass-the-Hash attacks:

  1. Restrict and protect high privileged domain accounts
    1. Separate administrative accounts from user accounts for administrative personnel
    2. Create specific administrative workstation hosts for administrators
    3. Restrict server and workstation logon access
    4. Disable the account delegation right for privileged accounts
  2. Restrict and protect local accounts with administrative privileges
    1. Enforce local account restrictions for remote access
    2. Deny network logon to all local accounts 
    3. Create unique passwords for privileged local accounts
  3. Restrict inbound traffic using the Windows Firewall

Another way is to upgrade to Windows 8.1 and Windows Server 2012 R2 to gain the LSASS Protections.

Banish RC4-HMAC-MD5

As Ned Pyle pointed out, in a blog post on the Ask the Directory Services Team blog on Hunting down DES in order to securely deploy Kerberos, you can scan the network for Kerberos encryption types. This makes it easy to see which systems still rely on the older backward-compatible RC4-HMAC-MD5 encryption scheme.

When it’s not in use, you can safely disable it using the information in Windows Configurations for Kerberos Supported Encryption Type on the Microsoft Open Specifications Support Team Blog, through the Network security: Configure encryption types allowed for Kerberos Group Policy setting:

[Figure: The Network security: Configure encryption types allowed for Kerberos Group Policy setting]

To prevent Kerberos impersonation using NTLM hashes leveraged in RC4-HMAC-MD5-encrypted Kerberos, apply this Group Policy setting to all the computer objects in the Active Directory environment. For the purpose of merely preventing password changes with this method, apply the Group Policy setting to all Domain Controllers, as outlined by Microsoft in its TechNet page on Preventing Kerberos change password using RC4 secret keys.
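Before you flip the policy, you want to know who is still negotiating RC4. As an added example (not from the original post and not Microsoft’s code), here is a small Python script that does the two checks I would run first: decode the SupportedEncryptionTypes bitmask (the policy’s registry value and the msDS-SupportedEncryptionTypes attribute share the same bit layout), and scan exported Domain Controller Security events 4768/4769 for tickets issued with RC4 (Ticket Encryption Type 0x17) or DES. The bit values and the “Future encryption types” mask are taken from Microsoft’s documentation of the policy rather than from this post, and the event XML is a constructed sample in the real Windows event schema.

```python
import xml.etree.ElementTree as ET

# Bit layout shared by the policy's registry value and msDS-SupportedEncryptionTypes
ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC-MD5",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
FUTURE_TYPES = 0x7FFFFFE0                  # "Future encryption types" checkbox (assumed from MS docs)
AES_ONLY = 0x08 | 0x10                     # 0x18: the value that banishes RC4 and DES
AES_AND_FUTURE = AES_ONLY | FUTURE_TYPES   # 0x7FFFFFF8


def decode_enc_types(value):
    """Human-readable list for a SupportedEncryptionTypes bitmask.
    Unset/0 is NOT 'nothing allowed': the KDC then falls back to RC4 for user accounts."""
    if not value:
        return ["RC4-HMAC-MD5 (attribute not set: KDC default)"]
    names = [name for bit, name in ENC_BITS.items() if value & bit]
    if value & FUTURE_TYPES:
        names.append("Future encryption types")
    return names


def allows_rc4(value):
    return not value or bool(value & 0x04)


# Ticket Encryption Type values as they appear (hex strings) in events 4768/4769
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def weak_kerberos_tickets(events_xml):
    """Return one record per 4768/4769 event whose ticket was issued with DES or RC4."""
    hits = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4768, 4769):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        etype = int(data.get("TicketEncryptionType", "0x0"), 16)
        if etype in WEAK_ETYPES:
            hits.append({
                "event": event_id,
                "client": data.get("TargetUserName", ""),
                "service": data.get("ServiceName", ""),
                "source": data.get("IpAddress", ""),
                "etype": WEAK_ETYPES[etype],
            })
    return hits


# Constructed sample: two service-ticket events and one TGT request, as wevtutil exports them
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe@CORP.EXAMPLE</Data>
    <Data Name="ServiceName">SQLSVC</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe@CORP.EXAMPLE</Data>
    <Data Name="ServiceName">FS01$</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">legacyapp</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.77</Data>
  </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for value in (None, 0x4, 0x1C, AES_ONLY):
        print(f"{value!r:>6}: {decode_enc_types(value)}  rc4? {allows_rc4(value)}")
    for hit in weak_kerberos_tickets(SAMPLE_EVENTS):
        print(hit)
```

On a Domain Controller, export the real events with wevtutil qe Security /q:"*[System[(EventID=4768 or EventID=4769)]]" /f:xml /c:5000 (4769 events only appear when the Audit Kerberos Service Ticket Operations subcategory is enabled), wrap the output in an <Events> root element and feed it to weak_kerberos_tickets(). For the attribute side, Get-ADObject -Filter * -Properties msDS-SupportedEncryptionTypes gives you the value per account to pass to decode_enc_types(); an unset attribute is the dangerous case, because the KDC then falls back to RC4.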

An alternative user object-based method is to use the Protected Users global group. The Protected Users global security group in the Users container triggers non-configurable client-side protection on devices and servers running Windows Server 2012 R2 and Windows 8.1, and (optional) additional Domain Controller protection on Active Directory Domain Controllers in domains running the Windows Server 2012 R2 Domain Functional Level (DFL).

Implementing Protected Users can be hazardous: Active Directory admins can lock themselves out and may be unable to troubleshoot delegation effectively, because members can no longer be delegated. Colleagues may need to change their passwords before the protections kick in, because a password set before the domain supported AES has no AES keys.

The Protected Users group is only for user account objects, not for service accounts or computer account objects.

One of the (non-configurable) protection mechanisms that are part of membership of the Protected Users group is limiting the Kerberos encryption types to AES128 and AES256.



It's not the Pass-the-Hash part of Aorato’s Active Directory vulnerability that interests me. It's what they use the hash for: instead of lateral movement or privilege escalation, they use it to obtain a valid (weakly encrypted) Kerberos token and change the affected user’s password with it.

Microsoft offers this functionality for backward compatibility, but perhaps they shouldn't need to anymore in a next version?

Related KnowledgeBase Articles

2868725 Microsoft security advisory: Update for disabling RC4 
2871997 Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014  

Further reading

Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim’s password without being logged 
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
Windows Configurations for Kerberos Supported Encryption Type  
Protected Users Security Group

Pictures of Ngi-NGNs ‘Systems Management: Beyond Control’ event

Yesterday, the Dutch Networking User Group (NGN) and Dutch Platform for IT Professionals (Ngi) hosted their ‘Systems Management: Beyond Control’ event at the former Cenakel Monastery, part of the Kontakt der Kontinenten Conference grounds in Soesterberg.

Below are pictures of the venue, the speakers, audience and, of course, our own session:

Photos (larger versions were linked on the original page):
  • Arriving at the former Cenakel Monastery
  • The stage
  • More on the mural behind the stage
  • Erwin Derksen in the first session: Doing Nothing is Not An Option
  • Alex de Jong and Roel van Bueren showing their age with floppies in their presentation!
  • Ruben Spruijt on VDI
  • Kicking off our session
  • Delivering our session (photo by Adnan Hendricks)
  • An impression of the audience

It was a great event, with great feedback.

Thank you!

Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I’ve written about Pass-the-Hash (PtH) attacks before. Today, I’m writing on the cleanup mechanisms that Microsoft has introduced with Windows 8.1 and Windows Server 2012 R2 to remove lingering passwords and password hashes from Windows. These mechanisms help protect against Pass-the-Hash (PtH) attacks.


Let’s zoom out first and see what happens under the hood when a person logs on to a device: the credentials are sent to the Local Security Authority Subsystem Service (lsass.exe), which provides the single sign-on experience for that person. LSASS hosts a number of plug-ins, one per authentication protocol Windows supports, including NTLM, Digest and Kerberos. The credentials are presented to each of these plug-ins, which produce one-way hashes and tickets in the memory space of LSASS, where they remain for the duration of the user session.

About Pass-the-Hash (PtH) attacks

Last year, I detailed the whitepaper that Microsoft published in December 2012 with information on Pass-the-Hash attacks and how to prevent lateral movement throughout a networking environment and privilege escalation through credential theft.

The whitepaper points out the following main tasks to mitigate Pass-the-Hash (PtH) attacks:

  1. Restrict and protect high privileged domain accounts
    1. Separate administrative accounts from user accounts for administrative personnel
    2. Create specific administrative workstation hosts for administrators
    3. Restrict server and workstation logon access
    4. Disable the account delegation right for privileged accounts
  2. Restrict and protect local accounts with administrative privileges
    1. Enforce local account restrictions for remote access
    2. Deny network logon to all local accounts
    3. Create unique passwords for privileged local accounts
  3. Restrict inbound traffic using the Windows Firewall

Basically, these security best practices should prevent malicious persons from gaining access to the hashes that the Local Security Authority Subsystem Service (lsass.exe) stores.

These hashes can be used just as LSASS would use them to authenticate to resources; there is no need to recover the original password from them (and, for a one-way hash, no direct way to do so).


Introducing LSASS protection

Now, for small to medium-sized organizations, applying these best practices is hard and costly. Organizations want their people to access resources after they’ve logged on to a device and not need to authenticate each and every time they need access to additional resources. The Local Security Authority Subsystem Service (lsass.exe) allows for this type of single sign-on by storing hashes in its memory.

What if the Local Security Authority Subsystem Service (lsass.exe) could be taught a new trick and not keep these hashes around longer than strictly needed, so we can prevent credential harvesting and Pass-the-Hash attacks spreading throughout these networks?

In Windows 8.1 and Windows Server 2012 R2, Microsoft made changes to lsass.exe to make it do precisely that:

1. LSASS as a protected process

The Local Security Authority Subsystem Service (lsass.exe) can be run as a protected process, so that it only loads Microsoft-signed code and other processes, even those running as an administrator, cannot read or inject into its memory unless they are protected processes themselves.

2. Protection mechanisms for local accounts

Additionally, two well-known groups have been introduced in Windows 8.1 and Windows Server 2012 R2:

  • S-1-5-113
    NT AUTHORITY\Local account
  • S-1-5-114
    NT AUTHORITY\Local account and member of Administrators group

The system adds these group SIDs to the access token of every local account automatically. They can be used in user rights assignments such as Deny access to this computer from the network, so that local accounts, and local administrators in particular, can no longer be used for network logon. This type of protection prevents lateral movement with local accounts.

3. Protection mechanisms for domain accounts

For domain accounts, LSASS offers these protection mechanisms in Windows 8.1 and Windows Server 2012 R2:

  • The Local Security Authority Subsystem Service (lsass.exe) removes LM hashes from its memory space.
  • The Local Security Authority Subsystem Service (lsass.exe) removes Kerberos tickets for domain accounts from its memory space.
  • The Local Security Authority Subsystem Service (lsass.exe) removes plaintext-equivalent passwords (for domain credentials) from its memory space. These include TSPkg, WDigest, Kerberos, LiveSSP and 3rd party SSP plugins to LSASS.

         TSPkg is off by default in Windows 8.1 and Windows Server 2012 R2.
  • The Local Security Authority Subsystem Service (lsass.exe) enforces credential removal after logoff.
  • The Local Security Authority Subsystem Service (lsass.exe) aggressively tries to end sessions.

    This way, credentials that would normally be left lingering on devices are now cleaned up. Credential reuse is no longer available, and, thus, the Active Directory environment is more secure. These protections prevent both lateral movement with domain accounts and privilege escalation using harvested credentials of privileged domain accounts.


    The latter two protection mechanisms result in the following table, indicating the availability of reusable credentials as seen in the Pass-the-Hash: How Attackers Spread and How To Stop Them presentation by Mark Russinovich and Nathan Ide at Microsoft TechEd North America 2014:




    This new behavior of removing lingering credentials does not require any configuration. It also doesn’t require a specific Domain Controller version, Domain Functional Level (DFL) or Forest Functional Level (FFL). These new LSASS protection mechanisms are on by default.

    To make the Local Security Authority Subsystem Service (lsass.exe) run as a protected process, make a change in the Windows Registry using regedit.exe (or any other registry tool you might prefer): create a REG_DWORD value named RunAsPPL with 1 as its data in HKLM\SYSTEM\CurrentControlSet\Control\Lsa.


    Afterwards, reboot the device.
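To check where a device stands, here is an added example (not from the original post): a Python posture check for the two configurable pieces above. It verifies that RunAsPPL is 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the documented registry location for LSA protection) and that the S-1-5-113 and S-1-5-114 SIDs are listed in the Deny access to this computer from the network right (SeDenyNetworkLogonRight) as exported by secedit, which is how the whitepaper’s “Deny network logon to all local accounts” is enforced. The registry path and right name come from Microsoft’s documentation rather than from this post; the secedit text in the script is a constructed sample so it also runs off-box.

```python
import configparser
import os
import subprocess
import sys
import tempfile

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"   # documented location of RunAsPPL
LOCAL_ACCOUNT_SID = "S-1-5-113"                      # NT AUTHORITY\Local account
LOCAL_ADMIN_SID = "S-1-5-114"                        # NT AUTHORITY\Local account and member of Administrators group


def lsass_is_ppl(run_as_ppl_value):
    """RunAsPPL is a REG_DWORD; only the value 1 turns LSA protection on."""
    return run_as_ppl_value == 1


def parse_secedit_export(text):
    """Parse the INI written by 'secedit /export /cfg <file> /areas USER_RIGHTS'.
    Returns {right_name: [sids...]}; secedit prefixes every SID with '*'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                            # keep SeDenyNetworkLogonRight's case
    cfg.read_string(text)
    rights = {}
    if cfg.has_section("Privilege Rights"):
        for name, value in cfg["Privilege Rights"].items():
            rights[name] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def local_accounts_denied_network_logon(rights):
    """True when both well-known local-account SIDs sit in SeDenyNetworkLogonRight,
    i.e. the whitepaper's 'Deny network logon to all local accounts' is enforced."""
    denied = set(rights.get("SeDenyNetworkLogonRight", []))
    return {LOCAL_ACCOUNT_SID, LOCAL_ADMIN_SID} <= denied


def read_live_state():
    """Windows only: read RunAsPPL from the registry and export user rights with secedit."""
    import winreg                                    # stdlib, but only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        try:
            run_as_ppl, _ = winreg.QueryValueEx(key, "RunAsPPL")
        except FileNotFoundError:
            run_as_ppl = 0                           # value absent: LSA protection off
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "rights.inf")
        subprocess.run(["secedit", "/export", "/cfg", path, "/areas", "USER_RIGHTS"],
                       check=True, capture_output=True)
        with open(path, encoding="utf-16") as fh:    # secedit writes its export as UTF-16
            rights = parse_secedit_export(fh.read())
    return run_as_ppl, rights


# Constructed sample of a secedit export with the whitepaper's recommendation applied
SAMPLE_SECEDIT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        ppl_value, rights = read_live_state()
    else:                                            # offline demo on the constructed sample
        ppl_value, rights = 0, parse_secedit_export(SAMPLE_SECEDIT)
    print("LSASS runs as a protected process   :", lsass_is_ppl(ppl_value))
    print("Local accounts denied network logon :", local_accounts_denied_network_logon(rights))
```

Run it from an elevated prompt on Windows (secedit /export needs administrative rights); elsewhere it evaluates the sample. A RunAsPPL value of 1 only takes effect after the reboot mentioned above.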


    Microsoft has built several cleanup mechanisms into Windows 8.1 and Windows Server 2012 R2 to remove lingering passwords and password hashes from Windows.

    When you have no 3rd party authentication providers hooking into the Local Security Authority Subsystem Service (lsass.exe) and are looking for extended protection against tools like the Windows Credentials Editor (wce.exe) and Mimikatz, I recommend seriously looking at running lsass.exe as a protected process.

    Of course, none of these protections fully protect against credentials theft; a keylogger could still steal passwords…

    Related blogposts

    Security Thoughts: Pass the Hash and other Credential Theft  

    Further reading

    Local Security Authority Subsystem Service  
    Intercepting pass-the-hash attacks
    Stop pass-the-hash attacks before they begin
    Dissecting the Pass the Hash Attack
    Tools used in the TechEd session by Marcus Murray and Hasain Alshakarti
    TechEd: Pass the Hash: Preventing Lateral Movement (ATC-B210)
    Password Cracking ‘Pass The Hash’ style
    New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash
    Pass The Hash
    Hardening your Windows Client
    Mitigating "Pass the Hash"...

    Eight years of blogging

    Today, I realized I’ve been blogging here for the last eight years.

    When comparing writing almost 600 blog posts these eight years to the development of children, eight years is special:

    Eight-year-olds are becoming more confident about themselves and who they are. At age 8, they will likely have developed some interests and hobbies, and will know what they like and don’t like.


    … and that is exactly how it feels.

    When I started blogging, I didn’t have much experience in writing in English. In school I had written most papers in Dutch, and all the other writing throughout my professional career up to that point were in Dutch, too. I still rely heavily on built-in spell checkers, but these days I feel more confident on my English writing and speaking skills than ever. This is all due to this blog and the things that came from it, like the many International speaking engagements these last few years.

    Also, I’m beginning to see the niche that is filled by this blog and this website. There aren’t many websites on the Internet that focus on Active Directory. The Dirteam.com / ActiveDir.org Weblogs do. Most of the time.

    I’ve also defined pretty clearly what I’m writing on. I’m no longer writing on Microsoft Exchange. I’m, also, no longer writing on Server Core. (You can find it on ServerCore.Net nowadays). What you find here is blog posts on Active Directory and how you can use it as a central means for management and access.

    Thank You!

    Luxuries in Life: 6 inches of Windows Phone goodness

    Eighteen months ago, I purchased a Nokia Lumia 920. It has been my loyal companion for the biggest part of that time, until it recently got stolen. I needed to replace the phone. Luckily it was insured under the circumstances it was stolen, so I had ample budget to look around for a new phone.

    A new phone

    Of course, it needed to be a Windows Phone. It didn’t need to be a Windows Phone 8.1 phone, because I could upgrade it through the Preview for Developers app and the soft buttons aren’t on my wish list.

    My shortlist came down to three phones:

    1. Nokia Lumia 1520
    2. Nokia Lumia 1020
    3. Nokia Lumia 930

    I’m not someone that needs to zoom in on pictures that much. Also, I carry my phones in my pockets. The Lumia 1020 was out pretty fast. With the recent price drops of the Nokia Lumia 1520, and the merely incremental upgrade to the 920 in the form of the 930, the choice between these two phones was pretty simple: I bought a black Nokia Lumia 1520 and I upgraded it to the Windows Phone 8.1 Preview, straight away.


    This phone’s 6" screen is awesome. Its 1920x1080 display allows me to have all my tiles on my Windows Phone home screen without pinching (my eyes) or scrolling. Its 3400mAh battery makes this phone last two days between charges and its 20 megapixel camera with PureView technology makes splendid pictures. It’s way faster than a Lumia 920, too, and as a bonus rocks a micro-SD card slot.

    Luckily, it fits my pockets.


    After using it for a week, there are also some things that work less well than I expected. Although most of the screen estate is used efficiently when you compare it to smaller Windows Phone screens (like the 920’s), some features don’t use it well. For instance, unlocking the lock screen with a numerical password feels like you’re punching a cell phone for seniors: it’s simply scaled up. The same applies to most 3rd party apps.

    Of course, a device like this is destined to be used as a media player. I’ve added some H.264-encoded movies to a micro-SD card, added the card to the phone and then played it. Although the sound is great, the movie playback is very edgy (no smoothing) and the interface of the built-in Video app is very basic, even lacking the ability to fast forward.


    The Lumia 1520 is an awesome phone.

    I’ll be speaking at the Datacenter Group’s Partner Event

    Working at a Systems Integrator (SI) has its perks. I get to discuss interesting technologies with interesting customers and interesting partners. Sometimes, my playing field feels like an ecosystem where manufacturers, partners and customers think and act like one.

    One of the partners we’re working closely these days and gives me that special feeling is The Datacenter Group (TDCG).

    About the Datacenter Group (TDCG)

    [Figure: TDCG datacenter locations on the map of the Netherlands]

    The Datacenter Group (TDCG) is a Dutch company, offering colocation services since 2007. After the success of their datacenter in Amsterdam, The Datacenter Group recently opened another datacenter in Delft, right around the corner from our (new) offices.

    The innovative thing about these datacenters is their cooling: TDCG uses cool outside air to cool datacenter equipment to 22 degrees Celsius, following closed corridor principles.

    Many organizations, including our own, use TDCG colocation services to provide their own services on top of.

    About the Event

    On June 26, 2014, TDCG organizes their Customer and Technology Partner Event, with Information Security as its theme. Throughout the afternoon, different aspects of information security will be covered. Keynote speaker is Ronald Prins, CTO and co-founder of Fox-IT.

    Other speakers include Siemon van den Berg, CEO of TDCG and Edwin Diender, CTO at Huawei.

    After the presentations there’s time for discussion, chatter and drinks. The Datacenter Group also offers small tours through their new 600m2 dataroom which is under construction in their Delft facility.

    About my session

    I will deliver a 25-minute session on Operating System and Application Security.
    Of course, in the light of recent innovations in Windows Server 2012 R2 and Azure, I will be talking about Identity Federation: claims-based authentication provides robust authentication for the Internet and enables rich authorization scenarios.

    After a short primer on SAML and OAuth, I’ll provide a small demo from a Workplace-joined device to show claims that can be used for authorization. Then, I’ll workplace-join another device, with Azure Multi-Factor Authentication (MFA).

    I’m looking forward to it.

    I’ll be speaking at Ngi-NGNs ‘Systems Management: Beyond Control’ event

    I’ve been associated with the Dutch Networking User Group (NGN) for almost five years now. I’ve been speaking at their events and have helped others achieve the same goal. NGN has recently joined forces with the Dutch Platform for IT Professionals (Ngi), and an old tradition has been dusted off: We’re organizing a Windows Server-themed event.

    In three weeks time, on June 24, 2014 to be precise, the Kontakt der Kontinenten event location in Soesterberg, the Netherlands will be buzzing with the new technologies in Windows Server that IT Pros can harness to take their systems management to the next level: Systems Management: Beyond Control.

    Erwin Derksen will redeliver his TechDays NL 2014 session on Soviet IT. In his session, Erwin lays out the foundation for the day by creating a sense of urgency: When IT Admins create a Soviet Russian-style locked down and inflexible networking environment, people will flee it. Alex Warmerdam, then, picks up the glove by comparing on-to-go file sharing products, like OneDrive, Work Folders, SharePoint, Filr, ShareFile, and Box Business.

    After a short coffee break, Ruben Spruijt delivers a compelling session in his From The Firehose series of sessions. This time, he’ll present his Insider’s Guide to Desktop Virtualization. Bart Smith follows up with a 40-minute approach to modern information security.

    After lunch, Roel van Bueren and Alex de Jong explain how to deploy Windows 8.1, featuring ADK, WinPE, WDS, ImageX, DISM, USMT, Setup Commander, CopyPE, and Update Commander. Raymond and I will be presenting a 60-minute session on Windows Server 2012 R2 and how admins can harness the People Centric-IT features to make employees feel at home in the network on their own devices.

    After a second short break, Jeff Wouters details PowerShell’s Desired State Configuration (DSC). This way, unwanted changes to configurations can be blocked, so admins have more time to address the big issues. To round off the day, Martijn Bellaard demos deploying DirectAccess on Windows Server 2012 R2.


    See you there?

    This event is free to members of Ngi-NGN.
    If you’re not a member of Ngi-NGN and don’t want to pay the 75 euro entrance fee, try your luck at the raffle on Ngi-NGN’s Facebook page.

    KnowledgeBase: Windows Server 2012 R2-based AD FS Proxy consumes 100% CPU

    As part of the May 2014 Update Rollup, Microsoft has released an update for an issue where Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies consume 100% CPU.

    This leads to rejected logons and slow performance for colleagues trying to authenticate to the Active Directory Federation Services (AD FS) infrastructure.


    The situation

    The Active Directory team has found that when over 200 people try to sign in simultaneously through an Active Directory Federation Services (AD FS) Proxy in front of a Security Token Service (STS), the AD FS Proxy consumes 100% of the CPU.


    The issue

    In this situation, AD FS Proxy performance is slow, with delays exceeding 10 seconds, while the servers acting as Security Token Service (STS) behind the AD FS Proxy experience minimal load: the STS ends up rejecting requests or serving a mere 5 to 10 requests per second.


    The cause

    This issue occurs because additional "stale" requests are added to the request pool when multiple clients try to sign in, exhausting the resources of the AD FS Proxy.


    The solution

    To resolve this issue, install 2955164 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014 on Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies.

    You do not have to restart these servers after you apply this hotfix.



    I recommend any admins, running Windows Server 2012 R2-based Active Directory Federation Services (AD FS) Proxies to update these installations with the May 2014 Rollup update.

    Related KnowledgeBase articles

    2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in  
    2955164 Windows RT 8.1, Windows 8.1, and Server 2012 R2 update rollup: May 2014

    Further reading

    KnowledgeBase: An update is available to fix several issues after you install security update 2843638 or 2843639 on Active Directory Federation Services (AD FS) servers 
    MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important)

    KnowledgeBase: You cannot log on as a local administrator when you restart in Directory Services Repair Mode

    As part of the May 2014 Update Rollup, Microsoft has fixed a problem that I hope has not been bugging any Active Directory Admin…

    On Windows Server 2012 and Windows Server 2012 R2-based Domain Controllers, an issue was identified that blocks access to the Directory Services Restore Mode (DSRM).


    The situation

    On Windows Server 2012 or Windows Server 2012 R2-based Domain Controllers, you applied the Admin Approval Mode for the built-in Administrator account Group Policy setting.


    The issue

    When you restart the Domain Controller in Directory Services Restore Mode (DSRM) and you log on as a local administrator (against the local Security Accounts Manager (SAM) database, that is offline during normal operations of the Domain Controller), only a black screen is displayed after the authentication screen. At this point, you can do nothing except log off by pressing Ctrl+Alt+Delete.

    This leaves the Directory Services Restore Mode (DSRM) unusable. You cannot perform the actions you would want to perform in Directory Services Restore Mode (DSRM).


    The solution

    To resolve this issue, install 2955164 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014 on the Domain Controllers.

    You do not have to restart these servers after you apply this hotfix.



    I recommend installing the 2955164 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014, because the Directory Services Restore Mode (DSRM) is essential in troubleshooting advanced issues with Domain Controllers; You don’t want to encounter any issues while in this mode.

    Related KnowledgeBase articles

    2937044 You cannot log on as a local administrator when you restart in DSRepair mode  
    2955164 Windows RT 8.1, Windows 8.1, and Server 2012 R2 update rollup: May 2014

    Related blogposts

    How to add a DSRM startup option in Windows Server 2008 and Windows Server 2008 R2 
    Active Directory Domain Services Command Fu, Part 3
    Rebooting Windows Server 2012-based DCs into Directory Services Restore Mode 
    And you will keep your password updated … 
    New features in AD DS in Windows Server 2012, Part 6: Recycle Bin GUI 
    Restoring a DC from a Snapshot

    Security Thoughts: Internet Explorer 8 Woes (CVE-2014-1770)

    Last week, the Zero Day Initiative (ZDI) decided that Microsoft has had enough time within its coordinated vulnerability disclosure program to fix a vulnerability in Internet Explorer 8.

    This use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.

    A Belgian researcher found a problem in Internet Explorer 8, last year. He sold the information via the Zero Day Initiative to TippingPoint, who reported the vulnerability to Microsoft on October 11, 2013. On May 8, 2014, the Zero Day Initiative warned Microsoft to come up with a solution. A mere two weeks later, on May 21, 2014, the Zero Day Initiative made the vulnerability public.

    Apparently, there is a difference between responsible vulnerability disclosure and coordinated vulnerability disclosure… I don’t know, yet, which one serves me better.


    The impact

    Affected systems

    The vulnerability only impacts Microsoft Internet Explorer 8.

    This fact, plus the fact that the vulnerability is not actively exploited in the field, makes it very plausible that this vulnerability ended up at the bottom of the pile of stuff to fix in Microsoft Internet Explorer. In fact, I will even state that admins confronted with exploits, have themselves more than Microsoft to blame.

    • Internet Explorer 11 is the default browser for Windows 8.1. This version of Internet Explorer is not vulnerable.
    • Internet Explorer 10 is the default browser for Windows 8. This version of Internet Explorer is not vulnerable.
    • Internet Explorer 8 was the default version of Internet Explorer for Windows 7, but Microsoft has, since RTM, made several newer versions of Internet Explorer available as Important updates. Only a Windows 7 installation whose Internet Explorer has not been updated is vulnerable.
           Windows 7 without Service Pack 1 is no longer supported by Microsoft; however, that Service Pack did not contain an updated Internet Explorer.
    • Internet Explorer 7 is the default browser in Windows Vista. The most recent version of Internet Explorer for Windows Vista, however, is Internet Explorer 9.
    • Internet Explorer 6 was the default browser for Windows XP. Internet Explorer 8 is the most recent version for Windows XP, but Windows XP is out of support.

    Code execution

    An attacker who successfully exploited this Internet Explorer vulnerability could gain the same user rights as the current user. Just like with the Internet Explorer ‘WontFix’ bug last month (CVE-2014-1776), in organizations, implementing Windows with Least Administrative Privilege is the best practice and the standard. It should come as no surprise this principle is extensively covered in all Windows-oriented Microsoft exams.

    Again, admins confronted with exploits in environments where this best practice has not been applied have themselves more than Microsoft to blame.



    Microsoft has been able to reproduce the undesirable Internet Explorer behavior and the resulting ability to run code as the logged-on user.

    For admins that find themselves stuck with Internet Explorer 8 (for instance, on Windows Server 2003 (R2)-based Terminal Services), Microsoft has formulated a couple of workarounds that make the vulnerability in Internet Explorer 8 non-exploitable:

    • Set Internet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
    • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
    • Install and configure the Enhanced Mitigation Experience Toolkit (EMET) to work with Internet Explorer.

    While we’re waiting for Microsoft to fix this vulnerability in Internet Explorer (except for Windows XP), the workarounds can be applied:

    Change Internet Explorer zone’s settings

    All of these actions can be performed using Group Policy and Group Policy Preferences.
    You can find these as part of the User Configuration, Preferences, Control Panel Settings, Internet Settings of a Group Policy Object (GPO). Simply add settings for Internet Explorer 8 and 9 or change any settings you might have in place.

    Setting the Internet Zone security level to High can be done on the Security tab:

    Security Tab of Internet Settings in a Group Policy Preference (click for screenshot)

    Alternatively, you can leave the default Medium-high settings for the Internet Zone and change the Active Scripting settings using the Custom Level… button. Press F8 first, so that the preference does not configure all of these settings for Internet Explorer installations (unless you want it to). Then scroll down to Automatic prompting for ActiveX controls, press F6 and configure this specific setting to Enable:

    Automatic Prompting for ActiveX controls in a Group Policy Preference (click for screenshot)

    Alternatively, you can disable ActiveX altogether by not configuring the Automatic prompting for ActiveX controls setting (press F7 to not apply the setting) and configuring Run ActiveX controls and plug-ins instead. Again, press F6 to enable the setting, then configure it as Disable:

    Disable running ActiveX controls and plug-ins in a Group Policy Preference (click for screenshot)

    When done press OK to close the Internet Zone properties. When you’ve chosen to change the specific ActiveX settings, also apply them to the Local Intranet Zone. Press OK in the Internet Explorer 8 and 9 Properties screen and close the Group Policy Management Editor screen to finish the Group Policy Object. Then, apply the object to users running Internet Explorer 8.

    Install and configure EMET

    The above three strategies will secure the Internet Explorer 8 installations within an organization, but they are not very user-friendly. The best way to deal with vulnerabilities like these is to install and configure the Enhanced Mitigation Experience Toolkit (EMET). You can use the Software Installation capabilities of Group Policy to deploy it. Not only will it protect against exploits of this particular vulnerability in this particular version of Internet Explorer, it also protects against most vulnerabilities in all supported versions of Internet Explorer.



    Internet Explorer 8 is five years old. Admins have had multiple chances to get rid of it and other ancient technology.

    Further reading

    Vulnerability Note VU#239151
    ZDI-14-140 (0Day) Microsoft Internet Explorer CMarkup Use-After-Free Remote Code Execution Vulnerability 
    Microsoft IE Zero-Day Flaw Could Leave Millions at Risk   
    Microsoft Intentionally Failing to Patch Critical Vulnerability in Explorer IE 8 
    New Internet Explorer Zero-Day Vulnerability Publicly Disclosed; Identified in October 2013  
    Microsoft warns of major Internet Explorer bug; no fix for Windows XP

    KnowledgeBase: Colleagues with IE get Windows prompts when authenticating to AD FS behind TMG, forms-based authentication when using Chrome or FireFox

    Today, a colleague came up to me to ask me a question on a weird situation he encountered while troubleshooting an Active Directory Federation Services (AD FS) implementation at a customer site.

    We didn’t implement this situation, but after solving this challenge, we gave some great pointers to get the environment sorted.


    The situation

    This customer has a highly redundant Active Directory environment, hosted by Domain Controllers that have never experienced any problems. They also have a single Windows Server 2012 Full installation, with the Active Directory Federation Services Server Role installed and configured with a relying party trust that instructs it to be the identity provider for a web application.

    On the perimeter network (DMZ), a Windows Server running Forefront Threat Management Gateway (TMG) is deployed. In TMG, a Web Publishing Firewall Rule was configured to pass traffic, destined for the AD FS server address to the AD FS server on the internal network.
    The rule is configured without Authentication Delegation, as you can see on the Authentication Delegation tab in the screenshot of the Web Publishing rule, below (rule name removed to protect the innocent):

    TMG auth delegation web listener


    The challenge

    In the case of this customer, when colleagues accessed a claims-enabled web application they would get a password prompt instead of the AD FS logon page when they’d be using Internet Explorer:


    When these colleagues would use Google’s Chrome or Mozilla’s FireFox, the AD FS logon page would display correctly.

    The customer wanted a consistent logon experience for their employees on each of these browsers. The systems administrator, obviously, wanted to eradicate the Windows Authentication taking place outside of the network.   


    The solution

    Because of the way Forefront Threat Management Gateway (TMG) is implemented at this customer, the Active Directory Federation Services (AD FS) Server misinterprets the location where the authentication request is originating from. When we looked at the Global Authentication Policy in AD FS Management, we saw the default settings still applied, allowing Windows Authentication from the Intranet.

    We unchecked the option for Windows Authentication for the Intranet:


    After we clicked OK, the problem was solved for this customer; regardless of the browser capabilities, employees would get the AD FS logon page served.



    15 minutes of work. One happy customer. 3 billable hours. (winking emoticon)

    Although this document specifically mentions AD FS 2.1 on Windows Server 2012, the same applies to AD FS 3.0 on Windows Server 2012 R2.

    Security Thoughts: Passwords in Group Policy Preferences (CVE-2014-1812)

    Last week, Microsoft released Security Bulletin MS14-025, including guidance and an update that resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored in the cpassword value of Group Policy preferences.


    The problem with cpasswords

    Group Policy Preferences (GPPs) allow system administrators to set passwords using the following GPP extensions:

    • Local user and group
    • Mapped drives
    • Services
    • Scheduled tasks (Uplevel)
    • Scheduled tasks (Downlevel)
    • Immediate tasks (Uplevel)
    • Immediate tasks (Downlevel)
    • Data sources

    An example would be a Group Policy Preference that sets the local administrator password for all domain-joined devices within the scope of the Group Policy Object (GPO). This scope can be configured with Organizational Units (OUs), but also through WMI Filters.

    Now, when you set a password this way in the Group Policy Editor on Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2, the Group Policy Editor already warns you:

    Warning when you use a method in a Group Policy Preference that triggers the creation of a cpassword value (click for screenshot)

    This warning message tells you that the password is stored. Authenticated Users can discover and access its value by simply browsing through the System Volume (SYSVOL). The password is not encrypted, but, as the warning suggests, merely obscured.

    It’s true. Settings in GPPs are stored in XML files. Passwords in GPPs are stored in these XML files using the cpassword field. Below is the groups.xml file corresponding to a GPP with the extension used to create a new account with a non-expiring password for the Demo User:

    The cpassword value in the groups.xml file of a Group Policy Preference (click for screenshot)

    Other XML files in the SYSVOL share of Domain Controllers, where you can find cpassword values are scheduledtasks.xml, services.xml and datasources.xml.

    Of course, the password for the Demo User Account is configured as P@ssw0rd, as are all the passwords I tend to share with you on this blog… You can easily confirm it, by using the Get-GPPPassword PowerShell script that is part of PowerSploit.


    Fixing your environment

    Step 1, Determine the impact on your environment

    By now, you might be wondering what the impact is on your Active Directory environment. Group Policy Preferences containing passwords may have been implemented before your time, before you had Windows Server 2012 (R2)-based Domain Controllers, or other admins might just have been ignoring the warning messages about this malpractice.

    As part of KnowledgeBase Article 2962486, Microsoft has released a PowerShell script to detect Group Policy Preferences (GPPs) using GPP Extensions that rely on the cpassword.

    I recommend running the Get-SettingsWithCPassword.ps1 PowerShell script with an account with sufficient privileges to access all Group Policy Objects on a domain-joined device. 

    When the device is a Windows client, make sure to have the Remote Server Administration Tools (RSAT) installed, since the script uses PowerShell Modules included with these tools.

    The script cannot be run from a device that is not joined to the Active Directory environment you are trying to scan.

    The output of the script, when run successfully, is a list of GPPs containing cpasswords.
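    The detection step above can also be reproduced with a short script. As an added example (not Microsoft’s Get-SettingsWithCPassword.ps1 and not part of the original post), this Python scanner walks a SYSVOL Policies folder and reports every preference item whose Properties element carries a non-empty cpassword attribute, without decoding it; the two XML samples, the element-to-extension mapping and the UNC path are constructed placeholders and assumptions.

```python
"""Find obfuscated cpassword values in Group Policy Preference XML files.

Added example, not Microsoft's Get-SettingsWithCPassword.ps1 and not part
of the original post. It only reports where a cpassword is stored so the
preference can be reworked (step 2); it never decodes the value. The two
XML documents below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference item element -> GPP extension name (element names assumed from
# what the Group Policy editor writes; unknown tags fall through unchanged).
EXTENSION_OF = {
    "User": "Local user", "Group": "Local group", "Drive": "Mapped drive",
    "NTService": "Services", "Task": "Scheduled task",
    "TaskV2": "Scheduled task (Uplevel)", "ImmediateTask": "Immediate task",
    "ImmediateTaskV2": "Immediate task (Uplevel)", "DataSource": "Data source",
}
# Attributes the extensions use for the account the password belongs to (assumed).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(xml_text: str, source: str) -> list[dict]:
    """Return one finding per preference item whose <Properties> element
    carries a non-empty cpassword attribute (an empty one stores nothing)."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent links; build them so the item name is reachable.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = next((v for k, v in elem.attrib.items()
                          if k.lower() == "cpassword"), "")
        if not cpassword:
            continue
        item = parent_of.get(elem, elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "extension": EXTENSION_OF.get(item.tag, item.tag),
                         "item": item.get("name", "?"), "account": account})
    return findings


def scan_policies(policies_root: Path) -> list[dict]:
    """Scan every Preferences XML file below a SYSVOL Policies folder."""
    # e.g. Path(r"\\corp.example\SYSVOL\corp.example\Policies")  (placeholder UNC path)
    results = []
    for xml_file in sorted(policies_root.rglob("Preferences/*/*.xml")):
        try:
            results.extend(find_cpasswords(xml_file.read_text(encoding="utf-8-sig"), str(xml_file)))
        except ET.ParseError as err:
            print(f"skipping {xml_file}: {err}")
    return results


# Constructed samples (no real GUIDs or obfuscated values).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="DemoUser" changed="2014-05-13 10:00:00">
    <Properties action="C" neverExpires="1" userName="DemoUser"
                cpassword="OBFUSCATED_BASE64_PLACEHOLDER"/>
  </User>
</Groups>"""

SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Nightly backup">
    <Properties runAs="svc-backup@corp.example" cpassword="OBFUSCATED_BASE64_PLACEHOLDER"/>
  </Task>
  <TaskV2 name="Cleanup">
    <Properties cpassword=""/>
  </TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for sample, name in ((SAMPLE_GROUPS_XML, "groups.xml"), (SAMPLE_TASKS_XML, "scheduledtasks.xml")):
        for f in find_cpasswords(sample, name):
            print(f"{f['file']}: {f['extension']} '{f['item']}' stores a password for {f['account']}")
```

The Cleanup task is reported as clean because its cpassword attribute is empty; only items that actually carry an obfuscated value show up, which is the list you need for step 2.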

    Step 2, Get rid of cpassword values

    Now that you have determined the impact on your environment, you can remedy the situation (where needed):

    Local users

    For the Local User Management portion of GPPs that contain cpasswords, Microsoft has made the Invoke-PasswordRoll PowerShell script available to set the local account passwords on remote machines to random passwords.

    Administrators can add local administrator accounts to computers by creating an Active Directory group and adding it to the local Administrators group through Group Policy Preferences -> Local Group. This method does not cache credentials in cpassword values.

    Mapped drives

    To map drives while ensuring that only authorized users can access the network location, protect the mapped drive by using Active Directory objects to control the permissions on the folder.

    Services

    In environments where the Services preference extension is used to change service properties so that services run in a security context other than their original one, admins can use (group) Managed Service Accounts (MSAs). This method does not cache credentials in cpassword values or in the registry.

    Scheduled tasks

    When you encounter cpassword values in Group Policy Objects (GPOs) that specify running scheduled tasks in specific security contexts, the best practice is to select the “Do not store password. The task will only have access to local resources.” option.

    Data sources

    The Data Sources preference is used to associate a data source with a computer or user. Unfortunately, Microsoft does not have a workaround available to configure these in a secure manner.

    Of course, when you repurpose old accounts, make sure you don’t use passwords that are equal to passwords found in obfuscated cpassword values, and, also, cannot be easily guessed based on old passwords. Someone might already have made a ‘backup’ of your SYSVOL…

    When you reconfigure a Group Policy Preference (GPP) the corresponding XML files get overwritten. Any passwords stored in obfuscated cpassword values will be gone, after you click OK in the Properties of the GPP and close the Group Policy Object (GPO). SYSVOL replication will take care of replacing the XML files on all Domain Controllers in the domain.

    Step 3, Neuter the User Interface

    As part of MS14-025, Microsoft has released two security updates, as part of these KnowledgeBase articles:

    1. Microsoft Knowledge Base Article 2928120 for systems with the security update from KnowledgeBase Article 2919355 installed.
    2. Microsoft Knowledge Base Article 2961899 for systems without the security update from KnowledgeBase Article 2919355 installed.

    When you install these updates on Windows client systems and Windows Server installations with the Remote Server Administration Tools (RSAT) installed or the Group Policy Management Tools (gpmc.msc) enabled, the Group Policy Editor (gpedit.msc) User Interface (UI) is stripped of the ability to create or edit cpassword values.

    When you’ve already applied the security updates above and then figure out you still need to perform step 2, you can always use a system without the security update to granularly manage Group Policy Preference (GPP) settings.



    After years of guidance and warnings from Microsoft to not use passwords in Group Policy Preferences, MS14-025 finally triggers blocking the ability to configure them via the User Interface (UI). Be prepared.

    Related KnowledgeBase Articles

    Microsoft Security Bulletin MS14-025 – Important 
    2962486 MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014 
    2928120 MS14-025: Description of the security update for Group Policy Preferences for systems that have update 2919355 installed: May 13, 2014  

    Further reading

    Group Policy Preferences Password Behaviour Change – MS14-025 
    MS14-025: An Update for Group Policy Preferences 
    Passwords in Group Policy Preferences   
    Passwords in Group Policy Preferences (updated)

    Named best Dutch Microsoft IT Pro by Compu’Train

    During the 2014 Dutch TechDays, I participated in a Microsoft knowledge contest by Compu’Train, that dared Developers and IT Professionals to answer questions in their respective areas. As a mere joke I entered the competition, while Daniel continuously tried to distract me.

    Nonetheless, I answered the most IT Pro questions correctly of the 200 TechDays attendees that took the test(s): I answered 13 questions correctly of the 20 questions and I took 5 minutes to do so. Not a great score, but it was the high score for the IT Pro part of the contest during TechDays.

    As my prize, I won a Surface 2.


    Today, I was invited by Compu’Train for the finale of the contest in Business Center Netherlands (BCN) Utrecht. Compu’Train set up the location as The Battle for TechEd, as the grand prize was to win a trip to TechEd Europe 2014 in Barcelona, Spain.

    Compu’Train didn’t just invite me… they invited the 10 Developers that answered the most questions the fastest at TechDays, the 10 IT Pros that answered the most questions the fastest at TechDays, and the four best online contestants.

    The finale for the Microsoft knowledge contest was pretty straightforward: both groups got their own 80-question exam, that they needed to complete within 30 minutes. This would give an accurate non-cheatable score for each contestant.

    Making The Test (click for larger photo)

    To compare the results of the two groups, the average scores and average time needed for the top 25 of each group at TechDays would serve as the denominator for their scores and times. What you should know: the Developers at TechDays scored high on average and didn’t need the entire 5 minutes, in contrast to the IT Pros, who scored poorly and needed the entire 5 minutes most of the time.

    I was up against a really good developer. Of the 80 questions he checked 74 correct answers and only needed 13 minutes to do so. I scored 49 out of 80 and achieved it in 21 minutes. However, due to the results of the people at TechDays, Compu’Train declared me the winner.

    Pictures of the Top 3 (click for larger photo)

    That’s right. The largest IT training company of the Netherlands declared me the winner of their Microsoft knowledge contest against 400 other Developers and IT Professionals, declaring me

    the best allround-skilled Microsoft IT Professional of the Netherlands!


    Thank you!  

    Pictures of my presentation at TechEd North America 2014

    Last week, I presented my first session ever on TechEd. I co-presented the session PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies with Mike Resseler in the last presentation slot of TechEd North America 2014 in Houston.

    The story how I obtained the speaker position (in typical MVP manner) can be found in my blogpost I will be speaking at TechEd North America 2014. When you’re curious about the contents of the session you can read my blogpost Upgrading Active Directory using virtualization on 4Sysops.com.

    My buddy Raymond made some photos during the session, that I think will give you a good impression on the fun we had:

    Mike and me posing with our title slide mere moments before the session (click for larger size)
    Explaining how new versions of Active Directory differ (click for larger size)
    Our audience (click for larger size)
    Mike and me giving our audience some room for questions (click for larger size)

    Presenting at TechEd (click for larger size)
    So why do you upgrade Active Directory? (click for larger size)
    Rambling on the simplified Active Directory deployment features in Windows Server 2012 (click for larger size)
    Answering a question from the audience (click for larger size)
    Answering another question from our audience (click for larger size)
    Thank you to our audience! (click for larger size)


    Thank You!

    I will be speaking at TechEd North America 2014

    This week I’m in Houston for Microsoft’s 2014 TechEd North America event.

    Yesterday, at the TechExpo, I ran into a couple of familiar faces. I talked to Ben Armstrong for a while, together with Didier van Hoye, MVP Hyper-V. While we were getting drinks for the guys at the booths, we ran into Mike Resseler, MVP System Center Cloud and Datacenter Management and working for Veeam.

    It’s a small world, and what happened next illustrates exactly how small.

    While I was discussing Mike Resseler’s PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies session with him, I asked him if he was expecting any hard Active Directory-related questions. I offered to take a seat in the front row, so I could help him out. You know, that’s what Microsoft Most Valuable Professionals (MVPs) do…

    Mike thought about it for a moment, but then replied:

    “I’d much rather have you on stage with me.”


    So, there you have it. I’ll be speaking at TechEd North America 2014. (smile emoticon)

    Here’s some more information on the session:

    PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies
    Thursday, May 15 2:45 PM - 4:00 PM Room: General Assembly C
    Speaker(s): Mike Resseler, Sander Berkouwer
    Track: People-centric IT
    Session Type: Breakout
    Topic: Active Directory Domain Services

    Upgrading technologies can always be a challenge and dangerous. By using your backup solution and virtualization technology (Hyper-V) you can try out everything upfront on your real production data without risking destroying the environment. The Change Management Process will become much easier.


    When you’re also at TechEd North America, please visit our session. If not, make sure to visit Channel 9 after TechEd ends to see the recording of this session on demand.
