Windows' authentication 'flaw' exposed in detail


Nothing to see here

Basically, if you have superuser access to a machine you can nick another user's credentials, well big whoop. I can criticise Windows more than the next man, but any system can have its credentials stolen if you are superuser (e.g. on Unix steal the TGT from /tmp or memory, or on another auth system, straight from memory).

Then if you are superuser you can pretend to be a DC (KDC). Also no huge surprise there. Best practice on an MIT KDC was to put it on a single-function box, either with no remote access or at least not authenticated by Kerberos, to try to reduce this risk. But all modern directory services being integrated solutions (combined with LDAP, DNS etc.) is more important and makes life easier, but does increase your attack surface.

Add to this a healthy dose of don't use NTLM and RC4 (who knew). Probably best to turn off all NTLM and just use Kerberos in AD in pure AES, though this hasn't been the easiest thing to do in AD (MS should have ditched NTLM fully years ago and still haven't, and it is still crap even in v2).

No criticism of the original paper, just the slightly alarmist tone of this article.
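The "pure AES" recommendation above is checkable: each AD account's msDS-SupportedEncryptionTypes attribute is a bitmask of the enctypes the KDC may issue for it, and anything still carrying the RC4 or DES bits is not AES-only. The following audit is an added example, not from the commenter or The Register; the account list is constructed and the account names are hypothetical.

```python
# Audit msDS-SupportedEncryptionTypes values for accounts still allowing RC4/DES.
# Added example, not from the post; the account records below are constructed.
# Bit values are the documented flags of the AD attribute.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 0x01, 0x02, 0x04
AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1 = 0x08, 0x10

FLAG_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1: "AES128",
    AES256_CTS_HMAC_SHA1: "AES256",
}
LEGACY = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ANY = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1


def decode_etypes(value):
    """Names of the enctypes enabled by an attribute value (None/0 -> empty list)."""
    return [name for bit, name in FLAG_NAMES.items() if (value or 0) & bit]


def classify(value):
    """'aes-only', 'mixed' (AES plus legacy), 'legacy-only', or 'unset'.
    None/0 means the attribute is absent, so domain defaults decide; flag for review."""
    if not value:
        return "unset"
    has_aes = bool(value & AES_ANY)
    has_legacy = bool(value & LEGACY)
    if has_aes and not has_legacy:
        return "aes-only"
    return "mixed" if has_aes else "legacy-only"


def audit(accounts):
    """Map classification -> account names for every account that is not AES-only."""
    findings = {}
    for name, value in accounts.items():
        cls = classify(value)
        if cls != "aes-only":
            findings.setdefault(cls, []).append(name)
    return findings


# Constructed sample of an attribute export (hypothetical account names).
SAMPLE_ACCOUNTS = {
    "svc-sql": 0x1C,      # RC4 + AES128 + AES256: AES works, but RC4 is still offered
    "svc-web": 0x18,      # AES128 + AES256 only
    "legacy-app": 0x04,   # RC4 only
    "svc-batch": None,    # attribute not set, domain defaults apply
}
```

Running `audit(SAMPLE_ACCOUNTS)` lists svc-sql as mixed, legacy-app as legacy-only and svc-batch as unset; only svc-web passes as AES-only.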
