
The things that are better left unspoken

a blog by Sander Berkouwer






It’s time to update your Secure Channel (MS14-066, CVE-2014-6321)

Today, Microsoft has released a security update that resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows, which provides security protocol support for applications. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

While only a single Common Vulnerabilities and Exposures (CVE) item is linked to this update (CVE-2014-6321), according to Qualys CTO Wolfgang Kandek this CVE covers multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses:

“The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private as they were found by Microsoft internally and while Microsoft considers it technically challenging to code an exploit it is only a matter of time and resources, it is prudent to install this bulletin in your next patch cycle.”


This security update is rated Critical for all supported releases of Microsoft Windows.

The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets.

About the Secure Channel

The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing and Active Directory authentication. Schannel is part of the security package that helps provide an authentication service for secure communications between client and server, following the architecture below:

Overview of the SChannel architecture (click for original screenshot)


In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to available TLS cipher suites. This update includes new TLS cipher suites that offer more robust encryption to protect customer information:


These new cipher suites all operate in Galois/Counter mode (GCM), and two of them (1. and 2.) offer Perfect Forward Secrecy (PFS) by using Diffie-Hellman Ephemeral (DHE) key exchange together with RSA authentication.

Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 already saw these new cipher suites added towards the top of the priority order in April, with KB2929781 Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2.
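To verify on a given machine that the update is installed and that the GCM suites are present in Schannel's priority order, here is an added PowerShell example (not code from the post or from Microsoft). It assumes the built-in Get-HotFix cmdlet and the Get-TlsCipherSuite cmdlet of the TLS module that ships with Windows 8.1 and Windows Server 2012 R2; it treats any suite whose name contains _GCM_ as a GCM suite and any suite with a DHE or ECDHE key exchange as offering forward secrecy. The KB number is the one from the post.

```powershell
# Added example (not from the original post): check that KB2992611 (MS14-066) is installed
# and list the GCM cipher suites Schannel offers, in the order it negotiates them.

function Test-MS14066Installed {
    # Get-HotFix enumerates installed updates; returns $true when KB2992611 is present.
    [bool](Get-HotFix -Id 'KB2992611' -ErrorAction SilentlyContinue)
}

function Get-GcmCipherSuites {
    # Get-TlsCipherSuite (TLS module, Windows 8.1 / Server 2012 R2 and later) returns the
    # suites in Schannel's priority order, so the position in the array is the priority.
    $suites = Get-TlsCipherSuite
    $position = 0
    foreach ($suite in $suites) {
        $position++
        if ($suite.Name -like '*_GCM_*') {
            [pscustomobject]@{
                Priority       = $position
                Name           = $suite.Name
                # DHE/ECDHE key exchange gives Perfect Forward Secrecy; plain RSA does not.
                ForwardSecrecy = ($suite.Name -like '*_DHE_*' -or $suite.Name -like '*_ECDHE_*')
            }
        }
    }
}

if (Test-MS14066Installed) { 'KB2992611 is installed' } else { 'KB2992611 is MISSING' }
Get-GcmCipherSuites | Format-Table -AutoSize
```

Run it on a patched Windows Server 2012 R2 host and the GCM suites should appear near the top of the list; a server that reports the KB as missing, or shows no GCM suites at all, has not received the update.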


Call to Action

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers, but exploitation of this vulnerability might prove interesting for malicious persons due to its impact.

Since no mitigating factors or workarounds are available, I urge you to install KB2992611 in a test environment as soon as possible, assess the risks and possible impact on your production environment and, then, roll out this update to all systems within your networking infrastructure, both workstations and servers.

Related Knowledgebase articles

2992611 MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014 
2929781 Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2

Further reading

What is TLS/SSL?
Secure Channel  
Microsoft Security Bulletin Summary for November 2014    
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities  

I’ll be presenting at Veeam on Tour


VeeamON 2014, hosted by Veeam from October 6th to October 8th 2014 in Las Vegas NV, was this year's only event targeted at Availability of the Modern Datacenter. Thought leaders, subject-matter experts and IT Pros from around the world immersed themselves in the latest technology for the Always-On Business.

Of course, not everyone made it to VeeamON. For these people, Veeam is organizing special editions of Veeam on Tour, getting you up to speed on Veeam Availability Suite v8, Veeam’s best practices on scaling and sizing and Advanced capacity planning and performance management using Veeam products:

  • Tuesday November 11th, 2014 in Utrecht
  • Thursday November 20th, 2014 in Breda

I was asked to present at the last of these two sessions, in the last session slot.

This means you’ll have the chance to attend a session on Active Directory availability at Hotel Princeville in Breda on Thursday November 20th, 2014.

Veeam is offering these events free of charge, so make sure you secure your ticket today! (Registration page in Dutch.)

I’ll be presenting at Experts Live 2014


On November 18th, several Dutch user groups join forces to present the Experts Live event at Cinemic in Ede, the Netherlands (event site in Dutch).

As some of you might remember, I've been a speaker (and track owner) at the previous Experts Live events in the last four years. This time around, Experts Live is even bigger: there were 750 tickets available, all but a few of which have been sold, and the event features seven tracks, catering to the needs of all the user groups. Of the 43 available session slots, I will feature in two:


About my sessions

During Experts Live 2014, I will be cohosting two sessions in the Hyper-V track and Windows Server track, together with Raymond Comvalius (Windows IT Pro MVP). Both sessions will run for 60 minutes:

Running highly-sensitive Domain Controllers on Hyper-V and Azure
(7:45 AM – 8:45 AM in Room 1)

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization? In this session, Raymond Comvalius (Windows Expert – IT Pro MVP) and Sander Berkouwer (Directory Services MVP) give best practices for hardening, backing up, restoring and managing virtualized Domain Controllers. In their real-time demos, they’ll run environments like yours, showing you the real world possibilities and impossibilities.

Security overview for Windows 8.1 and Windows Server 2012 R2
(11:30 AM – 12:30 PM in the Keynote Room)

Windows 8.1 offers a huge leap forward when it comes to security capabilities and provides IT professionals security features that are simple to use, manageable, and valuable. So what are the key security improvements in Windows 8.1 and Windows Server 2012 R2? You’ll be surprised! Come join Raymond Comvalius (Windows Expert – IT Pro MVP) and Sander Berkouwer (Directory Services MVP) to learn about the improvements that are offered in domains such as identity control, malware resistance, data protection and access control.


Sign up

When you're living in the Netherlands or Belgium, you don't want to miss out, so sign up for this event and snatch one of those last tickets!

I’ll be presenting at Microsoft Sinergija 2014

Last week, I received a message from Microsoft Serbia about an opportunity to speak at its yearly Sinergija event in Belgrade on October 20th and October 21st 2014: an event, a Microsoft subsidiary and a country with an extensive legacy and rich heritage.

Readers of my blog in this region will be happy to know that I’ll be able to provide two learning opportunities on Windows Server and Active Directory during this event:

Microsoft Sinergija  

10 most common mistakes when deploying AD FS

Monday October 20, 2014 1PM – 2PM

Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises identity systems to cloud Identity Providers (IdPs) like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS and it is our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS. Learn from their mistakes, whether you've already deployed AD FS and want to make your implementation more robust, or are holding off deploying AD FS to avoid stepping into these pitfalls. Learn the common mistakes when deploying AD FS, how to properly design an AD FS solution and how to deploy AD FS correctly.

Virtualization-safer Active Directory and DC Cloning

Tuesday October 21, 2014 9AM – 10AM

Although Microsoft has discouraged people from virtualizing Domain Controllers, many companies have done so with mixed success. From Windows Server 2012 onwards, Active Directory Domain Services embraces the Virtual Machine Generation ID (VM-GenerationID), offered by today's virtualization platforms, to make Domain Controllers safe(r) to virtualize. The VM-GenerationID technology also unlocks a much sought-after feature: Domain Controller Cloning. This session goes in-depth on virtualizing Domain Controllers and gives you actionable advice to virtualize your own Domain Controllers safely.



Register for Microsoft Sinergija 2014.


See you there?

I’ll be presenting (two of) three Veeam Webinars

After the successful Veeam webcast on Virtualization-safe Active Directory with Mike Resseler last year, Veeam invited me back for another series. I’ll be presenting the first two parts of Veeam’s three-part series on Active Directory.

This is your chance to get the jumpstart on Active Directory: how to set it up, virtualize and ensure availability. Master backing up and restoring Active Directory, as well as how to mitigate risks in the larger part of your Domain Controllers' lifecycles.

Veeam Active Directory Expert Series [From Physical to Virtual] Get the jumpstart on Active Directory: how to set it up, virtualize and ensure availability. Master backing up and restoring Active Directory with Veeam and the 5x MVP Sander Berkouwer, as well as how to mitigate risks in the larger part of your Domain Controllers' lifecycles.

What are these webcasts about?

In the first part on October 15, 2014, I’ll dive into the specifics of Active Directory schema, objects and containers. Learn about replication and how it impacts your understanding of high availability. Also, we’ll take a look at how several services like DNS and DHCP interact with Domain Controllers, and learn best practices on deploying Domain Controllers.

In the second part of the webcast series, scheduled for October 22, 2014, I’ll focus on the new features in Active Directory Domain Services in Windows Server 2012 R2, and especially the new virtualization safeguards that help us avoid USN rollbacks and lingering objects. I'll also show you the impact of virtualization on running Domain Controllers as well as backing up and restoring them.

In the third installment of this series, Timothy Dewin from Veeam will focus on Veeam Backup & Replication v8 and how you can use its SureBackup and Explorer features to not only backup and restore Domain Controllers, but even automatically deploy Active Directory test environments and perform attribute-level restores.


Best of all? These webinars are free.

Register for the series!


See you there!

Pictures of the Social Tooling Experience

Last week, I delivered a 60-minute session at my employer's Social Tooling Experience event. Below are some pictures, so you can have a glimpse of how exquisitely relaxed this was:

Beachclub Down Under (picture by Lennaert Meijvogel)
Not exactly a beach, but watersports nonetheless (picture by Lennaert Meijvogel)
A man-made beach in the middle of the Netherlands. Quite original.. (picture by Lennaert Meijvogel)
The all-important beach couches (picture by Lennaert Meijvogel)
Annemiek Koers (OGD) welcoming guests
Michiel de Jongh giving one of his legendary introductions to Coconut
Presenting (picture by Lennaert Meijvogel)
My audience (picture by Lennaert Meijvogel)
Drinks afterwards (picture by Lennaert Meijvogel)
Try and top that! ;-) (picture by Lennaert Meijvogel)
No, thank you! (picture by Lennaert Meijvogel)

Enjoy!


Related blogposts

I’ll be speaking at the Social Tooling Experience 

Further reading

Coconut organiseert de Social Tooling Experience (in Dutch)
Coconut Private Social Network (in Dutch)
Down Under Beachclub in Nieuwegein, the Netherlands (in Dutch)

I’ll be speaking at the Social Tooling Experience

My employer is organizing an event to lead the way in modern social tooling for online collaboration, knowledge management and intranet: the Social Tooling Experience.

The Down Under Beachclub

We’ve picked Thursday, September 18, 2014 as the date and the Down Under Beachclub in Nieuwegein, the Netherlands as our location.

We’ll kick things off with a free lunch and then a short introduction of our company and our private social intranet solution: Coconut.

In two separate tracks, we’ll show the implementation and adoption process from Coconut customers, typical pitfalls of implementing and adopting social tools and how to motivate people to actually use the tools.

My session for this event is the only technical session on the schedule. In an interactive 75-minute session I’ll sketch the current landscape and challenges surrounding apps, passwords and security incidents. Then, I’ll explain our company’s vision on integration and adoption without hurdles by implementing Single Sign-On. Of course, our Coconut product supports the Kerberos, SAML and OpenID Connect protocols, so we’ll be exploring the possibilities.

After the formal part of the events, there will be drinks from 5PM onwards.

It'll be fun!


Further reading

Coconut organiseert de Social Tooling Experience (in Dutch)
Coconut Private Social Network (in Dutch)
Down Under Beachclub in Nieuwegein, the Netherlands (in Dutch)

Pictures of the Datacenter Group’s Partner Event

Earlier this summer, I gave a presentation at the Datacenter Group’s Partner Event. Today, I received some photos of this event.

These photos have a surreal feel to them, since the event was located in a room that is now operational as a server room occupied by customers of the Datacenter Group, and they made an effort to light elements and create an ambiance with blue lighting:

Overview of the location from behind the bar (photo by the Datacenter Group)
Presentation setup (photo by the Datacenter Group)
View from the top (photo by the Datacenter Group)
Ready to start, but where's everybody? (picture by the Datacenter Group)
Ready to start (picture by the Datacenter Group)
Presenting in my red shirt (picture by the Datacenter Group)
Drinks afterwards (picture by the Datacenter Group)
Drinks afterwards (picture by the Datacenter Group)


Enjoy!


Further reading

I’ll be speaking at the Datacenter Group’s Partner Event

The videos of the presentations of Ngi-NGNs ‘Systems Management: beyond Control’ event are now available

As you might recall, Raymond and I delivered a session on Windows Server 2012 R2 at Ngi-NGNs ‘Systems Management: beyond Control’ event on June 24, 2014.

Jeff Wouters (PowerShell MVP) uploaded five videos he shot during this event to YouTube. You can watch them here:

All these videos are in Dutch.

Sovjet-IT, de controle verliezen door niets te doen
(Erwin Derksen)

Hit the road jack- Company data onderweg, workfolders, sharepoint, onedrive
(Alex Warmerdam)

From the fire hose series: An Insider's Guide to Desktop Virtualization
(Ruben Spruijt)

PowerShell’s Desired State Configuration
(Jeff Wouters)

Windows Server als startpunt voor centraal beheer en toegang
(Sander Berkouwer & Raymond Comvalius)



Related blogposts

I’ll be speaking at Ngi-NGNs ‘Systems Management: Beyond Control’ event 
Pictures of Ngi-NGNs ‘Systems Management: Beyond Control’ event

The video of my presentation at TechEd North America 2014 is now available

Microsoft has posted the 80-minute video of PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies, the session Mike Resseler and I presented on Friday May 15, 2014 at Microsoft TechEd North America 2014.

You can watch this session free of charge over on Channel 9, regardless of whether you’ve attended TechEd North America 2014, or not:




Related blogposts

I’m attending TechEd North America 2014 
Keep up with TechEd North America 2014 (Houston) even when you’re not an attendee 
I will be speaking at TechEd North America 2014 
Pictures of my presentation at TechEd North America 2014

Security Thoughts: Leveraging NTLM Hashes using Kerberos RC4-HMAC encryption (AKA Aorato’s Active Directory Vulnerability)

In a blogpost today, Tal Be'ery, Vice President Research at Aorato, an Israeli security company consisting of veterans of the Israeli Defense Forces and specializing in Active Directory, published how weak encryption enables an attacker to change a victim's password without being logged.

Labeled as a vulnerability in Active Directory, this information sparked some controversy, so let’s dive into it.


About this vulnerability

Tal Be'ery and his colleagues at Aorato have found a way to use harvested NTLM hashes in RC4-HMAC-MD5-encrypted Kerberos sessions, based on the backward compatibility information in RFC 4757. Section 2 of this RFC states that “The key used for RC4-HMAC is the same as the existing Windows NT key (NT Password Hash) for compatibility reasons.”

The RC4 vulnerability process (click for larger view)

The attack process is depicted in the picture above, where blue items represent the legitimate processes and traffic and red items represent the attacker’s steps. After a colleague logs in with his/her user account (1), LSASS on his/her device creates hashes corresponding with its plugins (2), using, among other methods, the NT One-Way Function (NTOWF) to create the NTLM hash. When signing on to network resources, the appropriate plugin is accessed to provide the hashes, and tokens needed, without the colleague being prompted for credentials (3).

The attack method described by Tal Be’ery consists of three parts:

  1. Harvest NTLM hashes (1)
  2. Use the NTLM hashes to construct valid RC4-HMAC-MD5-encrypted Kerberos tokens (2)
  3. Communicate with hosts, like Domain Controllers, in weakly (RC4-HMAC) encrypted Kerberos sessions (3)

About LSASS and LSASS Protection

As you might recall from my last blogpost covering LSASS protections in Windows 8.1 and Windows Server 2012 R2, I detailed how LSASS uses plug-ins per Security Support Provider (SSP) and how these create hashes using their one-way hashing algorithms. I also detailed a new feature called LSASS Protection when you're running Windows 8.1 or Windows Server 2012 R2, which protects the LSASS memory space and does not store all hashes in it.

About encryption algorithms

When NTLM was introduced with Windows NT in 1993, processors weren't fast enough to hash values reliably and unnoticeably with anything stronger than DES or 3DES. Given the inherent weaknesses of these algorithms, today's processors can brute-force the original value fairly easily.

This, indeed, is a cat and mouse game. From a Kerberos authentication type point of view, Microsoft has disabled DES-CBC-CRC and DES-CBC-MD5 for Kerberos encryption from Windows 7 and Windows Server 2008 R2 onwards, by default.

Could RC4-HMAC-MD5 be the next in line to bite the dust?


Mitigating this type of attack

This attack method is made possible by three factors:

  1. The device stores NTLM hashes in the LSASS memory space, where they can be harvested with tools like the Windows Credentials Editor (wce.exe) and Mimikatz.
  2. For backward compatibility, Microsoft has introduced the ability to create RC4-HMAC-MD5-encrypted Kerberos tokens based on the NTLM hash.
  3. Hosts on the network, including Active Directory Domain Controllers, running Windows 7 and Windows Server 2008 R2 and up, negotiate Kerberos encryption types. RC4-HMAC-MD5 is allowed as a valid Kerberos encryption type, by default.

The second factor is not something that can be easily changed, but as Active Directory admins, we can address the other two factors:

Mitigate Pass-the-Hash (PtH) attacks

Since this type of attack leverages harvested NTLM hashes, mitigating this kind of attack makes the bottom fall out of it. Last week, Microsoft released the second version of its whitepaper on Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft. In it, Microsoft details these steps to mitigate Pass-the-Hash attacks:

  1. Restrict and protect high privileged domain accounts
    1. Separate administrative accounts from user accounts for administrative personnel
    2. Create specific administrative workstation hosts for administrators
    3. Restrict server and workstation logon access
    4. Disable the account delegation right for privileged accounts
  2. Restrict and protect local accounts with administrative privileges
    1. Enforce local account restrictions for remote access
    2. Deny network logon to all local accounts 
    3. Create unique passwords for privileged local accounts
  3. Restrict inbound traffic using the Windows Firewall

Another way is to upgrade to Windows 8.1 and Windows Server 2012 R2 to gain the LSASS Protections.

Banish RC4-HMAC-MD5

As Ned Pyle pointed out, in a blog post on the Ask the Directory Services Team blog on Hunting down DES in order to securely deploy Kerberos, you can scan the network for Kerberos encryption types. This makes it easy to see which systems still rely on the older backward-compatible RC4-HMAC-MD5 encryption scheme.

When it's not in use, you can safely disable it using the information on Windows Configurations for Kerberos Supported Encryption Type on the Microsoft Open Specifications Support Team Blog, through the Network security: Configure encryption types allowed for Kerberos Group Policy setting:

The Network security: Configure encryption types allowed for Kerberos Group Policy setting (click to see in separate window)

To prevent Kerberos impersonation using NTLM hashes leveraged in RC4-HMAC-MD5-encrypted Kerberos, apply this Group Policy setting to all the computer objects in the Active Directory environment. For the purpose of merely preventing password changes with this method, apply the Group Policy setting to all Domain Controllers, as outlined by Microsoft in its TechNet page on Preventing Kerberos change password using RC4 secret keys.
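As an added example (not code from the post, from Aorato or from Microsoft), the following PowerShell script does the scan this section recommends before the Group Policy setting is applied: it decodes the msDS-SupportedEncryptionTypes bit mask on computer accounts to find hosts that still advertise RC4-HMAC-MD5, and it pulls Kerberos ticket events (4768 for TGT requests, 4769 for service ticket requests) from a Domain Controller's Security log whose Ticket Encryption Type is RC4 (0x17 or 0x18). It assumes the RSAT ActiveDirectory module and read access to the Security log; the bit values and event codes are Microsoft's documented ones, the 24-hour window is a chosen default, and treating an unset attribute as RC4-capable reflects the default negotiation behaviour described above.

```powershell
# Added example (not from the original post): find where RC4-HMAC-MD5 Kerberos encryption
# is still in use before switching it off. Bit values follow msDS-SupportedEncryptionTypes;
# 0x17/0x18 are the RC4 codes in the TicketEncryptionType field of events 4768/4769.

$EncTypeBits = [ordered]@{
    DES_CBC_CRC  = 0x1
    DES_CBC_MD5  = 0x2
    RC4_HMAC_MD5 = 0x4
    AES128_CTS   = 0x8
    AES256_CTS   = 0x10
}

function ConvertFrom-SupportedEncryptionTypes {
    param([int]$Value)
    # An unset (null/0) attribute advertises no preference, so the account negotiates the
    # default types, which in this Windows generation still include RC4 (assumption: no
    # other policy overrides the default).
    if ($Value -eq 0) { return @('RC4_HMAC_MD5 (default, attribute unset)') }
    $EncTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-Rc4CapableComputers {
    # Lists computer accounts whose advertised encryption types still allow RC4.
    Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes' | ForEach-Object {
        $types = ConvertFrom-SupportedEncryptionTypes ([int]($_.'msDS-SupportedEncryptionTypes'))
        if ($types -match 'RC4') {
            [pscustomobject]@{ Name = $_.Name; EncryptionTypes = ($types -join ', ') }
        }
    }
}

function Get-Rc4TicketEvents {
    param([int]$Hours = 24)
    # Run on a Domain Controller: reports who obtained RC4-encrypted tickets, for which
    # service, and from which client address, in the last $Hours hours.
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TicketEncryptionType'] -in '0x17', '0x18') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['TargetUserName']
                Service = $data['ServiceName']
                Client  = $data['IpAddress']
            }
        }
    }
}

Get-Rc4CapableComputers | Format-Table -AutoSize
Get-Rc4TicketEvents -Hours 24 | Format-Table -AutoSize
```

The first report tells you which computer accounts would break if RC4 were removed from the allowed types; the second tells you which accounts and services are actually negotiating RC4 today, which is the list to work through before the policy is enforced on Domain Controllers.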

An alternative user object-based method is to use the Protected Users global group. The Protected Users global security group in the Users container triggers non-configurable client-side protection on devices and servers running Windows Server 2012 R2 and Windows 8.1, and (optional) additional Domain Controller protection on Active Directory Domain Controllers in domains running the Windows Server 2012 R2 Domain Functional Level (DFL).

Implementing Protected Users can be hazardous. Active Directory admins can lock themselves out, or be unable to troubleshoot delegation effectively. Colleagues may need to change their passwords before the protections kick in.

The Protected Users group is only for user account objects, not for service accounts or computer account objects.

One of the (non-configurable) protection mechanisms that are part of membership of the Protected Users group is limiting the Kerberos encryption types to AES128 and AES256.
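Before relying on Protected Users, a pre-flight check like the following added PowerShell example (not code from the post or from Microsoft) helps avoid the lockout and service-account pitfalls described above. It assumes the RSAT ActiveDirectory module. Two of its tests are my own heuristics rather than Microsoft rules: a member carrying Service Principal Names is flagged as a probable service account, and the script expects at least one Domain Admin to stay outside the group as a break-glass account.

```powershell
# Added example (not from the original post): pre-flight checks for the Protected Users group.
# Returns a list of findings; an empty list means no issues were detected by these checks.

function Get-ProtectedUsersIssues {
    $issues = @()
    $domain = Get-ADDomain

    # Domain Controller-side protections need the Windows Server 2012 R2 DFL.
    if ($domain.DomainMode -lt 'Windows2012R2Domain') {
        $issues += "Domain functional level is $($domain.DomainMode); DC-side protections need Windows2012R2Domain"
    }

    $members = @(Get-ADGroupMember -Identity 'Protected Users')
    foreach ($member in $members) {
        # The group is meant for user objects only, never computers or service accounts.
        if ($member.objectClass -ne 'user') {
            $issues += "$($member.Name) is a $($member.objectClass) object, not a user account"
            continue
        }
        $user = Get-ADUser -Identity $member.distinguishedName -Properties servicePrincipalName
        if ($user.servicePrincipalName.Count -gt 0) {
            # Heuristic: a user with SPNs is almost certainly used as a service account.
            $issues += "$($user.SamAccountName) carries SPNs and is probably a service account"
        }
    }

    # Assumption about operating practice: keep at least one Domain Admin outside the group
    # so that an AES/delegation problem cannot lock every administrator out at once.
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins')
    $protectedSids = $members | ForEach-Object { $_.SID.Value }
    $outside = $domainAdmins | Where-Object { $protectedSids -notcontains $_.SID.Value }
    if ($domainAdmins.Count -gt 0 -and @($outside).Count -eq 0) {
        $issues += 'Every Domain Admin is in Protected Users; keep one break-glass admin outside the group'
    }

    $issues
}

$findings = Get-ProtectedUsersIssues
if ($findings.Count -eq 0) { 'No issues found' } else { $findings }
```

Run this from an administrative workstation before adding the first batch of accounts, and again after each change; the DFL test explains why the group's Domain Controller-side protections silently do nothing in a domain that has not yet been raised to Windows Server 2012 R2.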



It's not the Pass-the-Hash stuff that's interesting to me in Aorato’s Active Directory vulnerability. It's what they're using the hash for; instead of using it for lateral movement or privilege escalation, they're using it to get a valid (weak) Kerberos token to change the password for the affected user with.

Microsoft offers this functionality for backward compatibility, but perhaps they shouldn't need to anymore in a next version?

Related KnowledgeBase Articles

2868725 Microsoft security advisory: Update for disabling RC4 
2871997 Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014  

Further reading

Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim’s password without being logged 
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
Windows Configurations for Kerberos Supported Encryption Type  
Protected Users Security Group

Pictures of Ngi-NGNs ‘Systems Management: Beyond Control’ event

Yesterday, the Dutch Networking User Group (NGN) and Dutch Platform for IT Professionals (Ngi) hosted their ‘Systems Management: Beyond Control’ event at the former Cenakel Monastery, part of the Kontakt der Kontinenten Conference grounds in Soesterberg.

Below are pictures of the venue, the speakers, audience and, of course, our own session:

Arriving at the former Cenakel Monastery (click for larger photo)
The Stage (click for larger photo)
More on the mural behind the stage (click for larger photo)
Erwin Derksen in the first session: Doing Nothing is Not An Option (click for larger photo)
Alex de Jong and Roel van Bueren showing their age with floppies in their presentation! (click for larger photo)
Ruben Spruijt on VDI (click for larger photo)
Kicking off our session (click for larger, but still blurry photo)
Delivering our session (photo by Adnan Hendricks) (click for larger photo)
An impression of the audience (no larger version available to protect the innocent)

It was a great event, with great feedback.

Thank you!

Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I've written about Pass-the-Hash (PtH) attacks before. Today, I'm writing on the cleanup mechanisms to remove lingering passwords and password hashes from Windows, which Microsoft has introduced with Windows 8.1 and Windows Server 2012 R2. These mechanisms help protect against Pass-the-Hash (PtH) attacks.


Let's zoom out first, and see what happens under the hood when a person logs on to a device: the credentials are sent to the Local Security Authority Subsystem Service (lsass.exe). This service is responsible for providing the single sign-on experience for the person. LSASS hosts a number of plug-ins, representing the protocols that Windows supports, including NTLM authentication, Digest authentication and Kerberos. Credentials are presented to each of these plug-ins, producing one-way hashes and tickets in the memory space of LSASS, which remain there for the duration of the user session.

About Pass-the-Hash (PtH) attacks

Last year, I detailed the whitepaper that Microsoft published in December 2012 with information on Pass-the-Hash attacks and how to prevent lateral movement throughout a networking environment and privilege escalation through credential theft.

The whitepaper points out the following main tasks to mitigate Pass-the-Hash (PtH) attacks:

  1. Restrict and protect high privileged domain accounts
    1. Separate administrative accounts from user accounts for administrative personnel
    2. Create specific administrative workstation hosts for administrators
    3. Restrict server and workstation logon access
    4. Disable the account delegation right for privileged accounts
  2. Restrict and protect local accounts with administrative privileges
    1. Enforce local account restrictions for remote access
    2. Deny network logon to all local accounts
    3. Create unique passwords for privileged local accounts
  3. Restrict inbound traffic using the Windows Firewall

Basically, these security best practices should prevent malicious persons from gaining access to hashes that are stored by the Local Security Authority Subsystem Service (lsass.exe).

These hashes can be used, just as LSASS would use them to authenticate to resources. There’s no need (or possibility) to revert these hashes back to the password.


Introducing LSASS protection

Now, for small to medium-sized organizations, applying these best practices is hard and costly. Organizations want their people to access resources after they’ve logged on to a device and not need to authenticate each and every time they need access to additional resources. The Local Security Authority Subsystem Service (lsass.exe) allows for this type of single sign-on by storing hashes in its memory.

What if the Local Security Authority Subsystem Service (lsass.exe) could be taught a new trick and not keep these hashes around longer than strictly needed, so we can prevent credential harvesting and Pass-the-Hash attacks spreading throughout these networks?

In Windows 8.1 and Windows Server 2012 R2, Microsoft made changes to lsass.exe to make it do precisely that:

1. LSASS as a protected process

The Local Security Authority Subsystem Service (lsass.exe) can be run as a protected process, protecting it against access from improperly signed binaries.

2. Protection mechanisms for local accounts

Additionally, two well-known groups have been introduced in Windows 8.1 and Windows Server 2012 R2:

  • S-1-5-113
    NT AUTHORITY\Local account
  • S-1-5-114
    NT AUTHORITY\Local account and member of Administrators group

Membership of these groups is assigned by the system automatically. For local accounts, membership of the built-in Administrators group no longer allows network traversal. This type of protection prevents lateral movement with local accounts.
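To confirm that these well-known SIDs are known on a given build and that the system really injects them into a local administrator's token, the following PowerShell is an added example (not code from the post or from Microsoft); it uses only the .NET SecurityIdentifier and WindowsIdentity classes. On a build that does not know these SIDs, Translate throws; the function catches that and reports the SID as unresolved rather than failing.

```powershell
# Added example (not from the original post): resolve the two well-known local-account SIDs
# and check whether the current logon token carries them.

function Resolve-LocalAccountSids {
    foreach ($sidString in 'S-1-5-113', 'S-1-5-114') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        try {
            # Translate asks the local LSA for the account name behind the SID.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(not recognised on this build)'
        }
        [pscustomobject]@{ Sid = $sidString; Name = $name }
    }
}

function Test-TokenHasLocalAccountSid {
    param([string]$SidString = 'S-1-5-114')
    # The system adds S-1-5-113 to every local-account token and S-1-5-114 to tokens of
    # local accounts that are members of Administrators; nobody can add them by hand.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    [bool]($groups | Where-Object { $_.Value -eq $SidString })
}

Resolve-LocalAccountSids | Format-Table -AutoSize
"Token holds S-1-5-113 (local account): $(Test-TokenHasLocalAccountSid 'S-1-5-113')"
"Token holds S-1-5-114 (local admin):   $(Test-TokenHasLocalAccountSid 'S-1-5-114')"
```

Run it once from a local administrator account and once from a domain account: only the local account's token carries S-1-5-113, which is exactly why the Deny network logon best practice from the whitepaper can be expressed once, against that SID, instead of against every local account by name.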

3. Protection mechanisms for domain accounts

For domain accounts, LSASS offers these protection mechanisms in Windows 8.1 and Windows Server 2012 R2:

  • The Local Security Authority Subsystem Service (lsass.exe) removes LM hashes from its memory space.
  • The Local Security Authority Subsystem Service (lsass.exe) removes Kerberos tickets for domain accounts from its memory space.
  • The Local Security Authority Subsystem Service (lsass.exe) removes plaintext-equivalent passwords (for domain credentials) from its memory space. These include TSPkg, WDigest, Kerberos, LiveSSP and 3rd party SSP plugins to LSASS.

    (TSPkg is off by default in Windows 8.1 and Windows Server 2012 R2.)
  • The Local Security Authority Subsystem Service (lsass.exe) enforces credential removal after logoff.
  • The Local Security Authority Subsystem Service (lsass.exe) aggressively tries to end sessions.

    This way, credentials that would normally be left lingering on devices are now cleaned up. Credential reuse is no longer available, and, thus, the Active Directory environment is more secure. These protections prevent both lateral movement with domain accounts and privilege escalation using harvested credentials of privileged domain accounts.


    The latter two protection mechanisms result in the following table, indicating the availability of reusable credentials as seen in the Pass-the-Hash: How Attackers Spread and How To Stop Them presentation by Mark Russinovich and Nathan Ide at Microsoft TechEd North America 2014:




    This new removing lingering credentials behavior for the Local Security Authority Subsystem Service (lsass.exe) does not require any configuration. It, also, doesn’t require a specific Domain Controller version, Domain Functional Level (DFL) or Forest Functional Level (FFL). These new Local Security Authority Subsystem Service (lsass.exe) protection mechanisms are on, by default.

    To make the Local Security Authority Subsystem Service (lsass.exe) run as a protected process, make a change in the Windows Registry using regedit.exe (or any other registry tool you might prefer): Create a REG_DWORD value for RunAsPPLTest with 1  as its data in


    Afterwards, reboot the device.


    Microsoft has built several cleanup mechanisms to remove lingering password(hashes) from Windows in Windows 8.1 and Windows Server 2012 R2.

    When you have no 3rd party authentication providers hooking into the the Local Security Authority Subsystem Service (lsass.exe) and are looking for extended protection against tools like the Windows Credentials Editor (wce.exe) and Mimikatz, I recommend to seriously look at running lsass.exe as a protected process.

    Of course, none of these protections fully protect against credential theft; a keylogger could still capture passwords as they are typed…

    Related blog posts

    Security Thoughts: Pass the Hash and other Credential Theft  

    Further reading

    Local Security Authority Subsystem Service  
    Intercepting pass-the-hash attacks
    Stop pass-the-hash attacks before they begin
    Dissecting the Pass the Hash Attack
    Tools used in the TechEd session by Marcus Murray and Hasain Alshakarti
    TechEd: Pass the Hash: Preventing Lateral Movement (ATC-B210)
    Password Cracking ‘Pass The Hash’ style
    New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash
    Pass The Hash
    Hardening your Windows Client
    Mitigating "Pass the Hash"...

    Eight years of blogging

    Today, I realized I’ve been blogging here for the last eight years.

    When comparing eight years of writing almost 600 blog posts to the development of children, eight years turns out to be special:

    Eight-year-olds are becoming more confident about themselves and who they are. At age 8, they will likely have developed some interests and hobbies, and will know what they like and don’t like.


    … and that is exactly how it feels.

    When I started blogging, I didn’t have much experience in writing in English. In school I had written most papers in Dutch, and all the other writing throughout my professional career up to that point was in Dutch, too. I still rely heavily on built-in spell checkers, but these days I feel more confident in my English writing and speaking skills than ever. This is all due to this blog and the things that came from it, like the many international speaking engagements these last few years.

    Also, I’m beginning to see the niche that is filled by this blog and this website. There aren’t many websites on the Internet that focus on Active Directory. The Dirteam.com / ActiveDir.org Weblogs do. Most of the time.

    I’ve also defined pretty clearly what I write about. I no longer write about Microsoft Exchange. I also no longer write about Server Core (you can find that on ServerCore.Net nowadays). What you find here are blog posts on Active Directory and how you can use it as a central means for management and access.

    Thank You!

    Luxuries in Life: 6 inches of Windows Phone goodness

    Eighteen months ago, I purchased a Nokia Lumia 920. It was my loyal companion for most of that time, until it recently got stolen. I needed to replace the phone. Luckily it was insured against the circumstances in which it was stolen, so I had ample budget to look around for a new phone.

    A new phone

    Of course, it needed to be a Windows Phone. It didn’t need to be a Windows Phone 8.1 phone, because I could upgrade it through the Preview for Developers app and the soft buttons aren’t on my wish list.

    My shortlist came down to three phones:

    1. Nokia Lumia 1520
    2. Nokia Lumia 1020
    3. Nokia Lumia 930

    I’m not someone who needs to zoom in on pictures that much. Also, I carry my phones in my pockets. The Lumia 1020 was out pretty fast. With the recent price drops of the Nokia Lumia 1520, and the merely incremental upgrade to the 920 in the form of the 930, the choice between these two phones was pretty simple: I bought a black Nokia Lumia 1520 and upgraded it to the Windows Phone 8.1 Preview straight away.


    This phone’s 6" screen is awesome. Its 1920x1080 display allows me to have all my tiles on my Windows Phone home screen without pinching (my eyes) or scrolling. Its 3400mAh battery makes this phone last two days between charges, and its 20 megapixel camera with PureView technology takes splendid pictures. It’s way faster than a Lumia 920, too, and as a bonus it rocks a micro-SD card slot.

    Luckily, it fits my pockets. :)


    After using it for a week, there are also some things that work less well than I expected. Although most of the screen estate is used efficiently when you compare it to smaller Windows Phone screens (like the 920), some features don’t use it well. For instance, unlocking the lock screen with a numerical password feels like you’re punching a cell phone for seniors: the keypad is simply scaled up. The same applies to most 3rd party apps.

    Of course, a device like this is destined to be used as a media player. I added some H.264-encoded movies to a micro-SD card, put the card in the phone and played them. Although the sound is great, the movie playback is very edgy (no smoothing) and the interface of the built-in Video app is very basic, even lacking the ability to fast forward.


    The Lumia 1520 is an awesome phone.
