Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

patrickstar

Re: WMI (and seriously - passwords in memory?)

At least MIT and Heimdal Kerberos store the credentials in a file in /tmp...

In Windows, they are stored in the LSASS process. I don't know where you think they are stored or how accessible they are, but at the very least you need an administrative account with SeDebugPrivilege.

I don't have Kerberos on any of my Solaris boxes, but even if they are actually stored in kernel memory in the native Solaris implementation as opposed to a userspace process or file, none of these systems have a great track record of keeping attackers out of the kernel, especially when they have administrative privileges. And certainly none of them have a great track record of keeping attackers from gaining that.

That's why you have the whole Credential Guard thing - so that even if the kernel is compromised you can't read them out without also compromising the minimal virtual system holding the creds.

There is no difference between the ability of processes to read memory space on Linux, Solaris, Windows or any of the other systems, by the way. They all use the same basic VM/memory protection model.

And you can't hash the credentials and still have them usable as a cache. The whole point of a cache is to be able to re-use them. At most you could encrypt them with a key that's harder to access than the credentials themselves, which is basically what Credential Guard is doing (though a better solution would be an HSM/TPM enforcing rules for when they can be used).
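The two protections the comment leans on, Credential Guard isolating the LSASS secrets and SeDebugPrivilege gating who may read LSASS memory at all, are both things a defender can audit on a host. The script below is an added example written for this page, not code from the commenter or from Microsoft. It reads the Win32_DeviceGuard CIM class to report whether virtualization-based security and Credential Guard are actually running, and exports the local security policy with secedit to list which principals are granted SeDebugPrivilege. The value meanings in the comments (VirtualizationBasedSecurityStatus 2 = running, SecurityServicesRunning containing 1 = Credential Guard, 2 = HVCI) are from Microsoft's documented class definition; the temporary file path and the function names are assumptions of this example.

```powershell
# Added example: audit the two controls discussed above on a Windows 10 / Server 2016+ host.
# Requires an elevated PowerShell session (secedit needs administrative rights).

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard lives in the DeviceGuard namespace and is present on Windows 10 / Server 2016 and later.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning holds 1 when Credential Guard is running and 2 when HVCI is running.
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-SeDebugPrivilegeHolders {
    # Export the effective local security policy and parse the [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch path for this example
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }               # privilege assigned to nobody
        # Right-hand side is a comma-separated list of SIDs prefixed with '*' or of account names.
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $id = $_.Trim()
            if ($id.StartsWith('*')) {
                # Translate the SID to an account name where possible; keep the SID if translation fails.
                try { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $id.Substring(1) }
            } else { $id }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$status = Get-CredentialGuardStatus
Write-Host "VBS running:              $($status.VbsRunning)"
Write-Host "Credential Guard running: $($status.CredentialGuardRunning)"
Write-Host "HVCI running:             $($status.HvciRunning)"
Write-Host "SeDebugPrivilege granted to:"
Get-SeDebugPrivilegeHolders | ForEach-Object { Write-Host "  $_" }
```

On a default install the SeDebugPrivilege line resolves to BUILTIN\Administrators only; any extra entry is worth explaining, since the comment's point is that this privilege is the gate between an administrative account and the cached secrets in LSASS. If Credential Guard reports as not running on hardware that supports it, the cached credentials are sitting in ordinary LSASS memory, which is exactly the situation the comment describes.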
