bySusan Bradley
Contributing Writer
How-To
Dec 09, 20205 mins
Network SecuritySecurityWindows Security
Review these Windows settings to make sure you're not making it easy for attackers to steal login credentials.
Credit: Weedezign / Getty Images
A recent Crowdstrike blog post talked about how attackers were targeting a specific industry. What caught my eye was how they ensured that they were able to steal the credentials in the firm: “Five minutes after gaining access to the host …, the adversary modified the registry to implement a widely known procedure that enables credentials to be stored in clear text within memory, facilitating credential theft:
reg add hklmsystemcurrentcontrolsetcontrolsecurityproviderswdigest /v UseLogonCredential /t REG_DWORD /d 1 /F”
Last year I wrote about how to prevent the use of WDigest credential theft. Clearly, not everyone has learned the lesson. Attackers use old attacks because they still work—and work well. What can you do to ensure that you aren’t this easy to attack?
Know what you are protecting
I find that if I understand what I’m trying to protect, I can devise better ways to protect it. Understanding how the authentication process works and why certain processes are better starts with understanding the password authentication process in general. Steve Syfuhs, a developer on Microsoft’s Azure Active Directory team, wrote an excellent post on what happens when you enter your password in Windows. (For more information on similar topics, check out his post on how single sign-on works and on how Azure AD sign-on works.)
I urge you to review two excellent posts on the topic of credential harvesting from Reliaquest: Credential Dumping Part 1: A Closer Look at Vulnerabilities with Windows Authentication and Credential Management and Credential Dumping Part 2: How to Mitigate Windows Credential Stealing. They will help you understand how attackers can gain access and how you can protect against it.
Some of the best protections you can have on the Microsoft platform are not included in Windows 10 Professional. Many features might appear to work in Professional, but only upon testing and investigation will you confirm that the protections work only with Windows 10 Enterprise—for example, Credential Guard, Microsoft’s virtualization-based feature that protects passwords or other credentials. As noted in the Credential Dumping Part 2 post, “When Credential Guard is used, instead of storing credential secrets in the LSA memory space, the LSA process will communicate with an isolated LSA process which will store the secrets. This new isolated LSA process is protected by virtualization and is not accessible to the rest of the operating system. The virtualization is handled by a hypervisor.”
If you attempt to enable the Credential Guard setting on the Professional version, Defender may say it’s enabled, but the setting does not protect you. Only with Enterprise or Education versions does the setting protect you from attacks that use tools like mimikatz.
Even without Window 10 Enterprise or Education, you can take steps make you less susceptible to credential stealing.
Set WDigest to 0
I urge you again to set WDigest setting to “0” to block the ability to store plaintext passwords. First, push out the registry key located at:
HKEY_LOCAL_MACHINESystemCurrentControlSetControlSecurityProvidersWDigest
If the UseLogonCredential value is set to “0”, WDigest will not store credentials in memory. By setting the value of “0”, you’ll ensure that you can monitor the registry for changes. Should an attacker attempt to change the value, you can be flagged when this is attempted.
Set LSASS in protected mode
The next setting you can do if you only have Windows 10 Professional is configure Local Security Authority Subsystem Service (LSASS) in protected mode. LSASS is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It writes to the Windows Security log and verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
To do so use the guidance and using regedit and navigate to:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
Then set the value of the registry key to: “RunAsPPL”=dword:00000001.
Reboot your computer to enable the setting.
From a functionality concern, every time you adjust a default setting in Windows, you must review the potential impact to your line-of-business applications. If a third-party authentication application is using LSASS, the functionality could break if it does not adhere to the following mandates regarding signature verification.
First, protected mode requires any process loaded into LSA to have a digital signature by Microsoft. Any unsigned or invalidly signed program will not be able to load within LSA. Drivers must be signed with the WHQL Certification. If they are not signed, it must be signed using the file signing service for LSA. Finally, the application must adhere to the Microsoft Security Development Lifecycle process guidance. Review any third-party authentication platforms or applications to ensure that they will not be impacted by this setting.
Set cached credentials settings
One setting that may be difficult to do in this era of work from home and VPN usage is to limit cached credentials. In Windows systems, the cached credentials for the last 10 domain users are stored within the registry at HKEY_LOCAL_MACHINESECURITYCache. Follow these steps to adjust that setting:
- Go to “Local Security Policy”
- Go to “Local Policies”
- Go to “Security Options”
- Go to “Interactive Logon: Number of previous logons to cache (in case domain controller is not available)”
You may wish to set this setting to “0” or “low” for on-premises assets that do not move from the network. You may not want to change this setting for client workstations.
Adjust Credential Manager
Credential Manager is another location holding network passwords that attackers can access using tools such as Credentialsfileview. You can disable password saving by following these steps:
- Go to “Computer Configuration”
- Go to “Windows Settings”
- Go to “Security Settings”
- Go to “Local Policies”
- Go to “Security Options”
- Go to “Network Access: Do not allow storage of passwords and credentials for network authentication”
Adjusting this setting means that you block yet another low hanging fruit that attackers can use to gain more access to your system.
Related content
- analysisThe 18 biggest data breaches of the 21st century Data breaches affecting millions of users are far too common. Here are some of the biggest, baddest breaches in recent memory.By Michael Hill, Dan Swinhoe and John LeydenSep 12, 202418 minsData BreachPhishingRSA Conference
- brandpostSponsored by Microsoft SecurityBoost security and control at every stage of the cloud application lifecycle From complexity to proficiency: How CNAPP transforms cloud security across the application lifecycle.By Guilio AstoriSep 05, 20245 minsSecurity
- newsCISO budget survey: Modest increases in 2024 However, that has meant hiring has slowed, leading to overworked staff. The risk is that some will leave when the job market opens up.By Howard SolomonSep 05, 20245 minsCSO and CISOBudgetSecurity
news
White House brands BGP routing a ‘national security concern’ as it unveils reform roadmap
BGP has been open to misconfiguration and abuse for decades; The Office of the National Cyber Director (ONCD) wants that to change.
By John E. Dunn
Sep 05, 20241 min
Internet SecuritySecurity
- PODCASTS
- VIDEOS
- RESOURCES
- EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
