
Preventing Admin cached credentials in Win7 with group policy


21 replies to this topic

#1 TsVk! (penguin farmer; Members, 6,233 posts; Location: The Antipodes)

Posted 30 March 2014 - 10:13 PM

Hi,

I've been doing some penetration testing on our network and discovered that I could access Admin and Domain Admin accounts without passwords, by hacking Windows login cached credentials. I'm trying to discover:

  • how to prevent Windows caching Admin credentials with Group Policy?
  • and then, how to remove all Windows cached credentials across the network to start fresh.

I don't want to apply a HKLM policy that will prevent all cached credentials, as many users need to access machines from time to time when the DC isn't up/connected to their machines.

Guidance please.

#2 TsVk! (Topic Starter)

Posted 30 March 2014 - 11:28 PM

Don't worry, figured it out.

Just reduced the number of machine cached credentials in Group Policy to 1. Killed both birds with 1 stone.
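
The setting the two posts above refer to is the Group Policy security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which writes the REG_SZ value CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (default 10, valid range 0 to 50). The PowerShell below is an added example, not code from the thread: it audits the effective value on one or more machines, flags any above a chosen maximum, and can set the value locally for testing. The computer names are hypothetical, remote reads assume WinRM is enabled, and the functions need an elevated prompt.

```powershell
# Added example (not from the thread). Audits and sets the registry value behind the
# Group Policy option "Interactive logon: Number of previous logons to cache
# (in case domain controller is not available)".
# Assumptions: elevated PowerShell on Windows 7 or later; remote hosts accept WinRM;
# the computer names used in the usage lines are hypothetical.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # REG_SZ holding a number: default "10", range 0..50

function Get-CachedLogonsCount {
    # Returns one object per computer with the effective count. A missing value means
    # neither policy nor an admin has touched it, so the OS default (10) applies.
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $reader = {
        param($Key, $Name)
        $raw   = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        $count = if ($null -eq $raw) { 10 } else { [int]$raw }
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            CachedLogonsCount = $count
            ExplicitlySet     = ($null -ne $raw)
        }
    }
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $reader $WinlogonKey $ValueName
        } else {
            # The script block only uses its parameters, so it can run remotely as-is.
            Invoke-Command -ComputerName $computer -ScriptBlock $reader -ArgumentList $WinlogonKey, $ValueName
        }
    }
}

function Set-CachedLogonsCount {
    # Writes the value on the local machine. A domain member that receives this setting
    # from a GPO rewrites it at the next policy refresh, so this is for standalone
    # machines or for a quick test before the GPO is rolled out.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)

    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set $ValueName to $Count")) {
        # The policy engine stores the number as a string, not a DWORD; match that type.
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
    }
}

function Test-CachedLogonsCompliance {
    # Flags every machine whose effective count exceeds what the policy should enforce.
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Maximum = 1)

    Get-CachedLogonsCount -ComputerName $ComputerName |
        Select-Object ComputerName, CachedLogonsCount, ExplicitlySet,
                      @{ n = 'Compliant'; e = { $_.CachedLogonsCount -le $Maximum } }
}

# Usage (hypothetical host names):
#   Test-CachedLogonsCompliance -ComputerName 'WS01', 'WS02' -Maximum 1 | Format-Table
#   Set-CachedLogonsCount -Count 1 -WhatIf
```

To enforce the value by GPO rather than per machine, set the option under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options; in the GPO's security template (GptTmpl.inf) it appears as `MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"1"`. Link that GPO to the OU holding the desktops, and give laptops that genuinely need offline logon their own OU and value; `gpresult /h report.html` on a client shows which GPO won.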



#3 JohnnyJammer (Members, 1,117 posts; Location: QLD Australia)

Posted 31 March 2014 - 10:53 PM

You mean by using NirSoft netpass-64?



#4 TsVk! (Topic Starter)

Posted 31 March 2014 - 11:21 PM

Not like that.



#5 technonymous (Members, 2,490 posts)

Posted 10 April 2014 - 05:18 AM

Even still, having 1 cache still defeats the security. You want it on 0. Also, all servers should have the same settings and separate admin passwords. Otherwise someone getting physical access to the machine can rip the hash off it and pass the hash to the other machines and own those too.



#6 TsVk! (Topic Starter)

Posted 10 April 2014 - 05:34 AM

No... even 1 rejects the last logged-in user (the truth came out in the wash)... Some SYSTEM processes create cached logins.

I haven't had a chance to analyze the processes yet. Will post when I do though.

Edit: DC LAN... machine addresses are not relevant to the net. For example, my workstation machine IP is 41.0.7.49... my IP address is 192.x.x.x... I live in Australia. Figure that...

Edited by TsVk!, 10 April 2014 - 05:46 AM.


#7 technonymous

Posted 10 April 2014 - 05:52 AM

Well, whoever has physical access to the machine is the owner. If the admin used the same login info throughout the network on all the machines, then technically all a hacker needs is that one hash to go on a rampage throughout the whole network. If the setting 1 stops this then the default 10 should also work.



#8 TsVk! (Topic Starter)

Posted 10 April 2014 - 05:57 AM

I'm yet to see what this number is... 10? 1? 7?...

I've not analyzed it yet...

I hear you... my thoughts also :thumbup2:



#9 technonymous

Posted 10 April 2014 - 06:10 AM

Definitely a head scratcher. lol



#10 TsVk! (Topic Starter)

Posted 10 April 2014 - 06:15 AM

I'm glad someone is interested. I'll post my results.



#11 trot12345 (Banned, 20 posts)

Posted 13 April 2014 - 07:00 AM

Possibly nevertheless obtaining 1 cache this nevertheless defeats your security. You would like this upon 0. Furthermore, all servers must have exact same settings along with separate administrative accounts. In any other case someone receiving real gain access to in the unit can easily disparaging offer your hash down this along with complete your hash for the some other equipment along with unique those far too.



#12 TsVk! (Topic Starter)

Posted 13 April 2014 - 08:34 AM

You did not read my previous posts, you are wrong.

SYSTEM processes use cached credentials also (like I said before). Setting it to 1 saves no user passwords at all... I also don't want it set to zero because I need the last user to be able to access the machine offline... which will not be an administrator, by design (all admin machines and servers are Linux, although the DC isn't). There is no way to gain access to it without going through the cluster anyhow. If someone got that far it's pretty much game over, even if they don't know the password.

I will post the results of the tests, when I find out exactly how many system processes are caching credentials... for those who are interested.

Edited by TsVk!, 13 April 2014 - 08:40 AM.


#13 x64 (Members, 352 posts; Location: London UK)

Posted 14 April 2014 - 01:06 AM

Setting cached logins to one is not a bad compromise. It (just about) caters for users with domain-connected laptops. Alternatively you can put those in a separate OU with a less restrictive policy.

What you are really protecting against is a user using a privilege elevation (or accessing the hard disk from another OS instance). As such you could also mitigate the issue by limiting how vulnerable machines (user desktops, user laptops, Remote Desktop session hosts) are administered. Consider not using Domain Admin accounts as a primary login on those devices (log in as an unprivileged user and elevate); consider a lesser class of admins who only have administrative power over user terminals. Physically secure servers and back-end storage.

Not an easy one to deal with. I'm coming to the conclusion that the best security is probably to turn off the power to the lot! :rolleyes:

x64



#14 x64

Posted 14 April 2014 - 01:13 AM

Oh.... and (if you decide to leave the power on!) implement a rigorous patch management policy. OS, and applications.

x64

#15 TsVk! (Topic Starter)

Posted 14 April 2014 - 02:21 AM

Thanks for the words of wisdom. Who on earth would have thought of keeping the systems and software updated? And limiting admin accounts is also a stroke of pure genius...

I apologise for my tone, but this thread has gone downhill. No-one has offered any answers to my question.

You also failed to notice the secondary point of this thread:

SETTING CACHED LOGINS TO 1 DOES NOTHING BECAUSE SYSTEM PROCESSES USE THE CACHE, NO USER CREDENTIALS ARE STORED!

I know how to find the right number for each user group, and I promise I will post the results when I have them.... really.
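
An added example, not code from the thread, for measuring what the posts above set out to measure: how many of the NL$ slots under HKLM\SECURITY\Cache are actually populated on a machine, independent of what CachedLogonsCount says. It assumes each NL$<n> value is a binary MSCache record whose first little-endian uint16 is the cached user-name length, so a zero-filled record is an unused slot, and that the live read runs under a SYSTEM token (for instance from `psexec -s -i powershell.exe`), since Administrators cannot read HKLM\SECURITY directly. The table at the bottom is constructed sample data, not a dump, so the parsing function can be exercised without SYSTEM.

```powershell
# Added example (not from the thread). Counts populated vs. empty cached-logon slots
# under HKLM\SECURITY\Cache.
# Assumptions: each NL$<n> value is an MSCache record whose first little-endian uint16
# is the cached user-name length and whose unused form is all zeros; the live read
# requires a SYSTEM token. The demo table below is constructed, not real registry data.

function Get-CachedLogonSlotSummary {
    # Pure function over a name -> byte[] table so it can be run without SYSTEM.
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Slots)

    $used  = New-Object System.Collections.Generic.List[string]
    $empty = New-Object System.Collections.Generic.List[string]

    foreach ($name in ($Slots.Keys | Sort-Object)) {
        if ($name -notmatch '^NL\$\d+$') { continue }   # NL$Control is metadata, not a slot
        [byte[]]$record = $Slots[$name]
        if ($record.Length -lt 2 -or [BitConverter]::ToUInt16($record, 0) -eq 0) {
            $empty.Add($name)                            # zero user-name length: unused
        } else {
            $used.Add($name)
        }
    }
    [pscustomobject]@{
        SlotsTotal = $used.Count + $empty.Count
        SlotsUsed  = $used.Count
        SlotsEmpty = $empty.Count
        UsedSlots  = $used.ToArray()
    }
}

function Get-CachedLogonSlots {
    # Live read. OpenSubKey returns $null only if the key is missing; without a SYSTEM
    # token it throws "Requested registry access is not allowed" instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SECURITY\Cache')
    if ($null -eq $key) { throw 'HKLM\SECURITY\Cache not found.' }
    try {
        $table = @{}
        foreach ($name in $key.GetValueNames()) {
            $table[$name] = [byte[]]$key.GetValue($name)
        }
        Get-CachedLogonSlotSummary -Slots $table
    } finally {
        $key.Close()
    }
}

# Constructed demo: two populated slots (non-zero user-name length) and one empty slot.
$demo = @{
    'NL$Control' = [byte[]](0x04, 0x00, 0x01, 0x00)                             # metadata
    'NL$1'       = [byte[]](0x0A, 0x00, 0x0E, 0x00) + (New-Object byte[] 92)    # populated
    'NL$2'       = New-Object byte[] 96                                          # zero-filled
    'NL$3'       = [byte[]](0x06, 0x00, 0x0E, 0x00) + (New-Object byte[] 92)    # populated
}
Get-CachedLogonSlotSummary -Slots $demo | Format-List

# On the machine itself, as SYSTEM:
#   Get-CachedLogonSlots | Format-List
```

Running the live function before and after a change to CachedLogonsCount, and comparing UsedSlots with the accounts that actually logged on interactively, is the quickest way to see which entries belong to users. Note that on Windows 7 the slots hold MSCacheV2 (DCC2) verifiers, a PBKDF2 derivation from the account's NT hash salted with the user name; they cannot be replayed as a pass-the-hash credential and have to be cracked offline, so a low slot count limits how many accounts an attacker with SYSTEM or offline disk access gets to attack, and a strong admin password limits what cracking yields.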





