
This week there has been a lot of news about a flaw in Windows that could be used by web sites to easily gain access to a visitor's Windows login name and password. When I tested this flaw it was downright scary.
Using a test site for this flaw, the site was able to get my test Microsoft Account login name and the hash of its password in a few seconds. Then it took the site less than 30 seconds to crack the password! What is even scarier is that this flaw is not new and was discovered in March 1997!

Yes. I changed the password already.
News about this flaw was recently reported again by VPN company Perfect Privacy and by ValdikSS, who is affiliated with the Russian VPN service ProtoVPN. They have both set up test sites that demonstrate this flaw so that visitors can determine if they are affected and should change their passwords.
I have no idea what information they keep from these tests, so I would change your password if they are able to detect your info. The web sites that can be used to test whether you are vulnerable to this flaw can be found here:
http://msleak.perfect-privacy.com/ (Perfect Privacy's Test Page)
http://witch.valdikss.org.ru/ (ValdikSS's Test Page)
While in the past this flaw was serious, it has become downright dangerous now that more and more people are using Windows 10 and logging into Windows with a Microsoft Account. With the use of Microsoft Accounts, credentials that can be used on the Internet are now more readily exposed through this flaw. Furthermore, since so many users use the same credentials on their Microsoft account as they do on other services, a hacker could potentially gain access to many other sites that a victim uses. This means that a victim's email accounts, bank accounts, government accounts, business accounts, etc could become compromised.
This bug works by somehow getting a user to open a remote SMB network share to access a file. When you connect to an SMB share, Windows automatically sends your user name and your hashed password to try to log in to the share automatically. The problem is that this happens even when the share is located off of your network or over the Internet. See the problem now?
Essentially, all an attacker has to do is create a web page that contains a link to an image hosted on a SMB server under their control. They can then monitor the server for credentials being passed to it and then run password cracking programs on the exposed password hashes. As many people use extremely weak passwords, these programs can crack the passwords incredibly fast. When I say fast, I mean cracking a weak password in 4 seconds.
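The SMB connection described in the two paragraphs above can also be refused at the host firewall, before Windows ever offers a credential. The following PowerShell is an added example and is not from the article or from Microsoft (a comment further down mentions a corporate firewall doing the same job upstream). It blocks outbound TCP 139/445 to every IPv4 address outside the 10/8, 172.16/12 and 192.168/16 private ranges, so LAN shares keep working while a connection to an Internet-hosted share fails. The rule name and the function names are my own. Windows can also send NTLM over protocols other than SMB, so this is a backstop for the policy settings described later, not a replacement for them.

```powershell
# Added example, not from the article: host-firewall backstop that stops SMB
# connections to Internet hosts. Run from an elevated PowerShell prompt
# (Windows 8 / Server 2012 or later for the NetSecurity cmdlets).
$RuleName = 'Block outbound SMB to non-private addresses'   # name is my own choice

# Every routable IPv4 range that is NOT 10/8, 172.16/12, 192.168/16, loopback
# or link-local. Add a carve-out here for any file server you reach on a
# public address (for example over a VPN that hands out public IPs).
$NonPrivateRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Add-SmbEgressBlock {
    # Idempotent: do nothing if the rule is already present.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # applies regardless of any existing SMB allow rule.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 139, 445 -RemoteAddress $NonPrivateRanges `
        -Profile Any | Out-Null
}

function Remove-SmbEgressBlock {
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-SmbEgressBlock {
    # Returns $true when the rule exists and is enabled.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ([bool]$rule -and $rule.Enabled -eq 'True')
}

Add-SmbEgressBlock
Test-SmbEgressBlock
```

This covers IPv4 only; if the machine has IPv6 connectivity, add a matching rule whose remote addresses are the global unicast range. After adding the rule, re-run one of the leak test pages listed above: the page should report the machine as not vulnerable because the SMB connection to the test server never completes.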

Unfortunately, Microsoft has not released an advisory regarding this flaw. When I, and other sites, have reached out to Microsoft, we all received the same token response.
We’re aware of this information gathering technique, which was previously described in a paper in 2015. Microsoft released guidance to help protect customers and if needed, we’ll take additional steps.
- a Microsoft spokesperson
Unfortunately, to mitigate this flaw, there is not a lot of good info out there. Microsoft didn't really offer anything useful that I could get to work, and Perfect Privacy advises you to stay away from Microsoft Edge and Internet Explorer. I knew there was a better way, so I dug around and found a few methods that prevent this information from being disclosed.
Preventing NTLM Credentials from being sent to Remote Servers
Below is a technique that a user can use to prevent Windows and applications from disclosing login credentials to remote servers. To prevent any application in Windows from disclosing your credentials, you need to configure certain Windows policies that disable outgoing NTLM traffic to remote servers. For Windows Home users, these policies will need to be configured via the registry. Windows Pro and greater users can configure the policies via the Group Policy editor.
If you enable this policy, no NTLM traffic will be sent to remote servers, and this may cause issues in an enterprise or corporate environment. To resolve these issues you can configure another policy that allows you to add exceptions to this restriction. More information can be found in the sections below.
Update 8/7/16: Updated the mitigation information to include registry keys that Home users can use to enable the policies below.
Use the Windows Registry to prevent NTLM Credentials from being sent to Remote Servers:
If you are using Windows Home then you do not have access to the Group Policy Editor to add the necessary Windows policies. Instead you will need to add them via the Windows Registry. For those who do not wish to use the Windows Registry Editor, I have created a Registry file that can be used to stop NTLM credentials from being sent to remote servers here. If you need to add server exceptions, you will need to follow the instructions below.
To do this, open the Windows Registry Editor by starting the C:\Windows\regedit.exe program. Then navigate to the following path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 as shown below.

Now right click on the MSV1_0 key as shown above and select New and then DWORD (32-bit) Value. A new value will be created and Windows will prompt you to name it as shown below.

Please enter RestrictSendingNTLMTraffic and then press the enter key on your keyboard to finish naming it. You should now see a new registry value called RestrictSendingNTLMTraffic under the MSV1_0 key. Now double-click on the RestrictSendingNTLMTraffic value and you will be shown a dialog asking you to enter data for this value.

In the Value data: field enter 2, which stands for Deny All, and then press the OK button. Windows will no longer send NTLM traffic to remote servers. If you perform another credential leak test, it should state that you are no longer vulnerable.

You can now close the Windows Registry Editor and use your computer as normal.
If you need to allow certain remote servers to receive NTLM traffic from this computer, you will need to create another registry value. Using the previous instructions, create a new value located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ called ClientAllowedNTLMServers. When creating this value, create it as a Multi-String Value, or REG_MULTI_SZ.
When you double-click on this value to enter its data, you will see a box where you can add text. In this box you should add the names of servers, each on their own line, that you wish to allow NTLM traffic to be sent to.
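The registry procedure above, collected into one PowerShell script as an added example (this is not from the article or from Microsoft; the function names are my own). It writes RestrictSendingNTLMTraffic (0 = Allow all, 1 = Audit all, 2 = Deny all), maintains the ClientAllowedNTLMServers multi-string exception list without dropping entries that are already there, and reads the current state back so you can confirm the change before re-running a leak test. The server names in the usage lines are constructed samples. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article: manage the "Restrict NTLM: Outgoing NTLM
# traffic to remote servers" policy through the registry values the article
# describes. Run elevated.
$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each RestrictSendingNTLMTraffic value.
$NtlmModes = @{ Allow = 0; Audit = 1; Deny = 2 }

function Get-OutgoingNtlmRestriction {
    # Reads both values back. A missing value means the policy is not configured,
    # which Windows treats the same as Allow all.
    $props = Get-ItemProperty -Path $MsvKey -ErrorAction SilentlyContinue
    $code  = $props.RestrictSendingNTLMTraffic
    $name  = ($NtlmModes.GetEnumerator() | Where-Object { $_.Value -eq $code }).Key
    if ($null -eq $code)  { $mode = 'Not configured (Allow all)' }
    elseif ($name)        { $mode = $name }
    else                  { $mode = "Unknown value $code" }
    [pscustomobject]@{
        Value      = $code
        Mode       = $mode
        Exceptions = @($props.ClientAllowedNTLMServers | Where-Object { $_ })
    }
}

function Set-OutgoingNtlmRestriction {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode = 'Deny')
    if (-not (Test-Path $MsvKey)) { New-Item -Path $MsvKey -Force | Out-Null }
    # -Force overwrites an existing value in place; DWord matches the type the
    # article has you create by hand.
    New-ItemProperty -Path $MsvKey -Name 'RestrictSendingNTLMTraffic' `
        -PropertyType DWord -Value $NtlmModes[$Mode] -Force | Out-Null
}

function Add-NtlmServerException {
    # Appends names to the REG_MULTI_SZ exception list, de-duplicated.
    param([Parameter(Mandatory)][string[]]$Server)
    $current = @((Get-ItemProperty -Path $MsvKey -ErrorAction SilentlyContinue).ClientAllowedNTLMServers)
    $merged  = @(($current + $Server) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $MsvKey -Name 'ClientAllowedNTLMServers' `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}

# Usage: deny by default, then allow only the LAN servers that still need NTLM.
Set-OutgoingNtlmRestriction -Mode Deny
Add-NtlmServerException -Server 'nas01', '*.corp.example'   # constructed sample names
Get-OutgoingNtlmRestriction | Format-List
```

Exception entries are matched against the name the application used to reach the server (NetBIOS name or FQDN), and a single asterisk can be used as a wildcard, so `*.corp.example` covers every host in that suffix. Removing the RestrictSendingNTLMTraffic value (or setting it back to 0) undoes the change, which is what the commenters below did when LAN file sharing stopped working.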
Use the Group Policy Editor to prevent NTLM Credentials from being sent to Remote Servers:
In order to prevent Microsoft Edge and Internet Explorer from leaking your account credentials, you need to enable a particular policy on the computer called Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. This policy will prevent Windows from sending credentials to remote servers when accessing an SMB share. Though I tested this on my computer with absolutely no problems, this could cause issues in a corporate environment. Therefore, please perform tests before putting this change into production. There is another policy that I will describe below that should allow you to whitelist certain servers so that credentials are sent as normal.
To enable this policy, you should open the Group Policy Editor and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers as shown below.

To enable this policy, double-click on the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and configure it to Deny all as shown below. You can also select Audit All to generate Windows event logs that show what remote servers you are sending credentials. This can be used to create a whitelist in the other policy described later in the article.

Now that you have restricted outgoing NTLM traffic, Windows will no longer send your NTLM credentials to remote shares. You can test this by going to one of the credential leak test sites described earlier in the article. It should now say the computer is not vulnerable.
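The Audit All setting mentioned above records every outgoing NTLM authentication instead of blocking it. The following PowerShell is an added example, not from the article or from Microsoft: it summarises those audit events per target server so the list can be turned into the whitelist for the exception policy. It assumes that audited outgoing NTLM is logged as Event ID 8001 in the Microsoft-Windows-NTLM/Operational log and that the event message contains a "Target server:" line; adjust the regular expression if the text differs on your build. The internal DNS suffixes in Test-IsInternalName are constructed samples and both function names are my own.

```powershell
# Added example, not from the article: turn "Audit all" events into a whitelist
# candidate list. Event ID 8001 and the "Target server:" message line are
# assumptions about the NTLM operational log; check one event on your machine.
function Get-AuditedNtlmTargets {
    param([int]$MaxEvents = 5000, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{ Time = $_.TimeCreated; TargetServer = $target }
        } |
        Group-Object -Property TargetServer |
        ForEach-Object {
            [pscustomobject]@{
                TargetServer = $_.Name
                Attempts     = $_.Count
                LastSeen     = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } |
        Sort-Object -Property Attempts -Descending
}

function Test-IsInternalName {
    # Crude triage: a bare hostname, or a name under one of your own DNS suffixes,
    # is a whitelist candidate; anything else should be looked at before it is
    # allowed. The suffixes are constructed samples; replace them with your own.
    param([string]$Name, [string[]]$InternalSuffix = @('.corp.example', '.local'))
    if ($Name -notmatch '\.') { return $true }
    foreach ($suffix in $InternalSuffix) {
        if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Get-AuditedNtlmTargets |
    Select-Object TargetServer, Attempts, LastSeen,
        @{ Name = 'Candidate'; Expression = { Test-IsInternalName $_.TargetServer } } |
    Format-Table -AutoSize
```

A target that is an Internet host name or public IP address in this output is exactly the situation the article describes: the machine was about to hand its NTLM credentials to a server outside your network. Leave those out of the whitelist and switch the policy to Deny all once the remaining entries are the LAN servers you expect.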

For those who need to send credentials to a remote server, you can add certain servers to a whitelist through another policy. To enable it, open the Group Policy Editor and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication as shown below.

To enable this policy, double-click on the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication and add the servers that you wish to whitelist. This will allow the credentials to be sent to these servers as normal.

Your computer will now be protected from the NTLM Credentials Leak, while at the same time being able to use remote SMB servers as needed.
Disable Integrated Windows Authentication in Internet Explorer
Comments
CKing123 - 7 years ago
Scary!
So I use Chrome, so I am safe from this vulnerability, right?
Allen - 7 years ago
Yeah it doesn't work on Chrome or Firefox
CKing123 - 7 years ago
Thanks!
cybercynic - 7 years ago
The Group Policy Editor is not included with Win 10 Home Edition.
Demonslay335 - 7 years ago
In testing, we found there may be something you can do with your firewall too. I was never able to get their site to find me vulnerable on Edge, even with all of my security software off and that GPO was not set. I could only assume my company's ASA was blocking it already. :P Honestly, just don't use Edge or IE anyways, there are a million other reasons not to...
GDonor - 7 years ago
What is that site you used to test your account?
Lawrence Abrams - 7 years ago
You can use either of these two tests:
http://witch.valdikss.org.ru/
https://msleak.perfect-privacy.com/
JohnC_21 - 7 years ago
What's really scary? Windows forcing users to use Edge on all Cortana searches.
tqaweekly - 7 years ago
Just made my episode of my tech podcast on this, with source to this article. I definitely believe my less tech savvy users will benefit from knowing this; computer out early next week, going to film it this weekend. I usually tell my users to use anything but Edge or Internet Explorer, even stopped supporting old browsers entirely in my web-site designs because of issues with flaws.
Lawrence Abrams - 7 years ago
Awesome! Please post a link when it's live.
alexfam - 7 years ago
Is there any way to fix this for those without Group Policy Editor ?
Lawrence Abrams - 7 years ago
Should be..gotta figure out the registry entries associated with this. Will try this weekend.
Portaller - 7 years ago
Microsoft's Group Policy reference spreadsheet shows the registry key as "MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic".
ScathEnfys - 7 years ago
That value doesn't exist on my machine, but that doesn't mean it doesn't work... Gonna give it a try and see.
EDIT: Found it:
[HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:2
JohnC_21 - 7 years ago
A setting in IE is supposed to prevent the flaw.
https://www.bleepingcomputer.com/forums/t/622445/windows-credential-leak-flaw/?p=4057186
sikntired - 7 years ago
So, does this affect those of us who have Windows 7 Home and if so, how do we go about correcting this flaw?
ScathEnfys - 7 years ago
Yes, it does. This GP setting is associated with a registry value. I think this fix should work but it's late so I might have made a mistake. The gist is that a new DWORD named RestrictSendingNTLMTraffic needs to be created with the value of 2 under HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0. Fix:
REGEDIT4
; 2 = Deny all. Regedit needs the full hive name and a hex DWORD in .reg files.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000002
DodoIso - 7 years ago
Wow! What an amazing finding! Plus I hate those Corporate Robot Replies... Congratulations! And thanks!
ScathEnfys - 7 years ago
Posted this on a VPS forum I moderate. Most VPSes are Linux ofc, but many users use Windows for their desktop OSes.
sikntired - 7 years ago
Thanks ScathEnfys for the tip on creating new DWORD. However, I really don't like messing around with the registry as I don't want to break my machine.
Lawrence Abrams - 7 years ago
Updated the guide to include setting these policies via the Windows Registry for home users.
Pugglerock - 7 years ago
This will be handy to send around to my work colleagues who own a copy of Windows 10...And for me to update myself on my own system!
auto1571 - 7 years ago
I use a local account for logging into Windows, never use IE or Edge. As a result of this I'm not vulnerable right?
sikntired - 7 years ago
I tried this suggested workaround and it appeared to have worked as I tried both test sites and results were "Not Vulnerable". OS Windows 7 Home Premium.
Go to Control Panel --> Internet Options --> Advanced tab, scroll down to near the bottom of the list, and un-check Enable Integrated Windows Authentication.
Then go to one of the test sites in the OP's article and verify that you are immune.
Lawrence Abrams - 7 years ago
Thanks. I couldn't get this to work when I tested it. Will update article to include this info with the caveat that it may not help everyone.
horsefilms - 7 years ago
This is why I love this site. Thanks for all the hard work!
kbcowboy - 7 years ago
This may work for home users and small business without an Active Directory domain, however, if this is done in a 2010R2 Active Directory domain using GPO, things will break and you will have to undo it.
Lawrence Abrams - 7 years ago
Thanks for the comment. What if you add the exceptions as described in the article?
kbcowboy - 7 years ago
Since what it breaks is for the PCs, where all the browsing occurs, I would have to add every PC as exceptions. At which point the GPO change serves no purpose. Leave it to Microsoft to consider servers as remote that are on the same LAN and subnet as the PCs. I may just switch everyone to Firefox or Chrome.
DonnEdwards - 7 years ago
It also breaks Remote Desktop Connections within a LAN. You have to log in even after saving credentials.
Lawrence Abrams - 7 years ago
Crap.. Thanks for the info. I had a feeling this would affect corporate environments like this.
kbcowboy - 7 years ago
For home use and workgroups in a business environment, it's a really good solution.
DonnEdwards - 7 years ago
I used the registry settings on two different versions of Windows 10 and afterwards I was unable to connect via file sharing to any other computers on my LAN. Removing the registry key and rebooting immediately fixed the problem.
This makes it way too complicated to implement on a company LAN. MS is going to have to provide a proper fix.
It also forces a login every time you use Remote Desktop Connection to a PC on the LAN, even if you have set up saved credentials.
Auger - 7 years ago
Yep, unfortunately it broke my file sharing to my NAS, have not tried to add an exemption yet.