

Don't pass the hash for Windows 8.1 security

Single sign-on lets users skip multiple logins but also threatens Windows 8.1 security. Fix the vulnerability in that OS and Windows Server 2012 R2.

"Pass the hash" attacks are a problem for many administrators, and no, I'm not referring to those living in Washington or Colorado. Such attacks have a reputation for being a Windows problem because of the popularity of the platform in most networks, but they are a problem for any operating system that supports single sign-on. Fortunately, Windows Server 2012 R2 and Windows 8.1 security features include countermeasures.

"Pass the hash" refers to the stored credentials that systems send to one another so that users do not have to type in their passwords again. If an attacker can grab that credential, then he or she can gain access to any resource to which the user has permissions.

Single sign-on always comes with the potential for a pass-the-hash attack. It is an "always-on" situation, and the only way to zero out the probability of this attack is to kill single sign-on across your enterprise. Outside certain government agencies, however, users and management simply will not tolerate this. So you'll have to learn how to live with this security risk and mitigate it as best you can. You're not alone -- organizations such as Target, Saudi Aramco, The Wall Street Journal and The New York Times have all been confirmed victims of this and other types of attack.

How does this work? Once a user authenticates to a Windows system, an NT LAN Manager (NTLM) one-way hash of the user's password is stored on the local system. Once that verifier is there, other systems will challenge the user to prove knowledge of the password before granting access, but Windows satisfies this challenge by simply using the hash and sending it to the challenging system -- typically without alerting the user.

Clever attackers and phishing can trick users into performing some action that opens the door for malware to harvest these credentials and be free to roam. Unfortunately, the domain or local admin credentials are often captured in the process.

There are two types of pass-the-hash attacks, depending on how and where the credentials are used.

  • Credential reuse: This is when someone grabs a user's credentials and then reuses the credential verifier that has been entered. The hash is used where it is originally located, on the same system, without necessarily spreading.
  • Credential theft: This is when an attacker lifts a set of credentials, takes it to an entirely different location or system, and then uses it there. This is how attacks can spread rapidly across a vulnerable network.

Windows 8 has four new built-in capabilities that can mitigate pass-the-hash attacks in a variety of sensitive scenarios.

  • Local account: Microsoft has added two new well-known security groups, "Local account" and "Local account and member of Administrators group," which can be used to deny access to systems from the network side through Group Policy or Local Security Policy. You can add both of these new groups to the "Deny access to this computer from the network" policy to restrict administrative access should stored credentials be harvested.
  • Domain account: Domain account reuse is a tougher nut to crack, but Microsoft has tightened Windows 8.1 security by shrinking the areas that can reuse credentials, aggressively reducing the "timeout" period of a session before the user is again prompted for a password and including a new Protected Users relative identifier. It has also reworked the Local Security Authority Subsystem Service process to make it more intelligent about which authentication method it chooses in certain scenarios.
  • Restricted remote administration: Some desktop administrators may not know that using the Microsoft Remote Desktop Connection client to log in as a local or domain admin to another system could make those systems susceptible to pass-the-hash attacks. In OS versions prior to Windows 8.1, those credentials are sent as a hash to the other system just like any other service. Windows 8.1 introduces the mstsc /restrictedadmin switch, which directs the device to authenticate directly to the other machine without passing a hash to the system. This protects against the attack in this vector, since no credentials are shared.
  • Authentication policies and silos: Only Windows Server 2012 R2 domain functional level deployments -- and not any earlier -- support the ability to keep users and computers in separate authentication compartments. This permits a user to authenticate within his "compartment" without being able to access outside of it. Sensitive users and computers can be put into these silos to prevent the spread of a pass-the-hash attack from compromised accounts. This is probably the least interesting mitigation for those with existing Active Directory deployments, simply because the functional level dependency requires you to update all of your domain controllers to the latest version of Windows Server.
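
One way to verify the local account mitigation from the list above, as an added example that is not from the original article: the function checks whether a secedit user-rights export lists both groups under the "Deny access to this computer from the network" right (SeDenyNetworkLogonRight). The function name and the sample export are constructed for illustration; S-1-5-113 and S-1-5-114 are the well-known SIDs of the two groups.

```powershell
# Added example: audit the "Deny access to this computer from the network" right.
# Well-known SIDs of the two local-account groups.
$Required = [ordered]@{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function Get-DenyNetworkLogonGap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $InfLines   # lines of a secedit export
    )
    # secedit writes the right as: SeDenyNetworkLogonRight = *S-1-5-113,Guest
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    # Entries prefixed with * are SIDs; anything else is an account name.
    $sids = foreach ($e in $entries) {
        if ($e.StartsWith('*')) { $e.Substring(1) }
        else {
            try {
                ([System.Security.Principal.NTAccount]$e).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $e }   # unresolvable name: keep the raw entry
        }
    }
    # One result row per required group; Denied = $false marks a gap.
    foreach ($sid in $Required.Keys) {
        [pscustomobject]@{
            Sid    = $sid
            Group  = $Required[$sid]
            Denied = $sids -contains $sid
        }
    }
}

# Constructed sample export in which only one of the two groups is denied.
$sample = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545'
    'SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113'
)
Get-DenyNetworkLogonGap -InfLines $sample | Format-Table -AutoSize
```

To check a live machine, run `secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS` from an elevated prompt and pass `Get-Content "$env:TEMP\rights.inf"` as `-InfLines`.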

For more information on pass the hash, how OS internals make the attack work, and detailed demos and walkthroughs of the new Windows 8.1 security measures, I recommend Mark Russinovich and Nathan Ide's talk from TechEd 2014.
