Protect against password cracking in Windows
I know that tools exist to get passwords in plain text from memory in Windows (reading memory and decrypting the password from the LSASS process).
Does this behavior still exist in Windows Server 2019?
Is there any way of preventing a local admin user from getting the password from a Windows machine using one of these tools, for example Mimikatz?
Thanks.
Tags: password, lsass
asked May 22 at 1:36
Roger
3 Answers
No way to avoid it; to steal a Kerberos ticket or NTLM hash, keep in mind the user must be a local administrator, and the application must be run as an admin too.
Please see that note from Mimikatz:
Run Mimikatz as Administrator: Mimikatz needs to be "Run as Admin" to function completely, even if you are using an Administrator account.
As such it falls into the 10 immutable laws of security; see the one in bold:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
As you fall under the 10 immutable laws of security, Microsoft will never fix that, as an admin can do anything on the computer, even installing a keylogger, who knows; you must understand that it's more how you protect your environment against such an attack vector that is important.
So at first I would suggest using a restricted group GPO to make sure no one can add themselves to the local admin group.
Secondly, I would remove all boot devices other than the HDD to control who can boot from a flash device, to prevent someone who could wipe a local admin account's password.
Thirdly, I would protect the BIOS with a strong password.
Lastly, I would use an encryption method for the hard disk, to prevent non-authorized changes by a cold boot if someone removes the hard disk from the machine.
There are surely other tips, but you must abide by a strong security model if you want to secure your enterprise workspace, and enable account auditing if you want to catch a bad actor.
edited May 22 at 2:42
answered May 22 at 2:34
yagmoth555
With default settings it's not possible to dump clear text WDigest credentials from the LSA memory anymore, but having local administrator privileges all these new security features can still be disabled, as Microsoft loves to keep backwards compatibility. So, after adding a couple of registry keys Mimikatz – or Kiwi for Windows 10 – starts to function again for all passwords entered after the modifications.
In Windows 8.1 security features were added that stop storing WDigest credentials in clear text, and they were backported to earlier Windows versions in KB2871997, fixing every version since Windows 7. When the feature is enabled, Mimikatz starts showing (null) for the password, but it can be disabled with:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
    "UseLogonCredential"=dword:00000001

In Windows 10, Windows Defender Credential Guard is protecting passwords. After disabling the security feature as described above, the passwords are shown, but they are not in clear text.
However, Windows Defender Credential Guard can be disabled through Group Policy. As this policy effectively just adds two registry keys, it's equally easy to disable e.g. from the command prompt.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
    "EnableVirtualizationBasedSecurity"=dword:00000000
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
    "LsaCfgFlags"=dword:00000000

Once a user uses his password again, it appears in clear text.
As this could easily be used for stealing Domain Administrator credentials, people should not have local admin privileges on their workstations, and separate accounts without Domain Administrator privileges should be used for local administration.
edited May 22 at 5:57
answered May 22 at 5:50
Esa Jokinen
I would like to propose a solution that does actually work fairly well in practice. The other answers hint that it's impossible to protect perfectly, but you can make it difficult enough that most attackers will give up and move on to easier targets.
First, enable Credential Guard. This will move the secrets out of LSA so attackers can't read the passwords out of process memory.
Second, enable LSA Protected Process mode (RunAsPPL=1). This will prevent attackers from injecting code into LSA or reading memory.
Third, enable HVCI to prevent attackers from disabling the above protections from within the kernel.
Fourth, lock this all down with UEFI so even if an attacker does screw with the registry keys, it's incredibly difficult to disable since the config is locked in by UEFI boot settings.
answered May 24 at 22:17
Steve
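As an added example (not code from any of the answers above), a read-only PowerShell audit that checks a host against the settings the two previous answers discuss: the WDigest and Credential Guard registry values Esa Jokinen's answer shows being weakened, and the Credential Guard / RunAsPPL / HVCI / UEFI-lock stack in Steve's answer. It assumes an elevated session on Windows 10 or Windows Server 2016 and later; the registry paths, value names and the Win32_DeviceGuard class are standard Windows ones, while the check names and function names are my own.

```powershell
# Read-only audit of the LSASS credential-protection settings discussed in the answers.
# Assumes an elevated PowerShell session on Windows 10 / Windows Server 2016 or later.
# Caveat: on Windows 7/8/2008 R2/2012 with KB2871997, an absent UseLogonCredential still
# means WDigest caching is ON, so treat "absent" as a failure on those versions.
# Registry values are the *configured* state; Win32_DeviceGuard reports what is actually
# *running*, and the two differ until the machine has been rebooted after a change.

$DeviceGuard = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$Lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each check: where the value lives, what a hardened host should have, and whether an
# absent value is acceptable (only for WDigest on 8.1+/2012 R2+, where absent = off).
$Checks = @(
    @{ Name = 'WDigest cleartext credential caching off'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0; AbsentOk = $true }
    @{ Name = 'LSA runs as Protected Process Light'
       Path = $Lsa; Value = 'RunAsPPL'; Expected = 1; AbsentOk = $false }
    @{ Name = 'Credential Guard enabled with UEFI lock (1 = locked, 2 = unlocked, 0 = off)'
       Path = $Lsa; Value = 'LsaCfgFlags'; Expected = 1; AbsentOk = $false }
    @{ Name = 'Virtualization-based security enabled'
       Path = $DeviceGuard; Value = 'EnableVirtualizationBasedSecurity'; Expected = 1; AbsentOk = $false }
    @{ Name = 'HVCI enabled'
       Path = "$DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
       Value = 'Enabled'; Expected = 1; AbsentOk = $false }
    @{ Name = 'HVCI UEFI-locked'
       Path = "$DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
       Value = 'Locked'; Expected = 1; AbsentOk = $false }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-LsassHardening {
    # One result object per check, with Pass = $true when the configured value matches.
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Value
        $pass = if ($null -eq $actual) { $c.AbsentOk } else { $actual -eq $c.Expected }
        [pscustomobject]@{
            Check    = $c.Name
            Value    = $c.Value
            Actual   = if ($null -eq $actual) { '(absent)' } else { $actual }
            Expected = $c.Expected
            Pass     = $pass
        }
    }
}

function Get-VbsRunningState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = configured, 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $null }   # class is missing on hosts without VBS support
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

$results = Test-LsassHardening
$results | Format-Table -AutoSize

$running = Get-VbsRunningState
if ($null -eq $running) {
    Write-Warning 'Win32_DeviceGuard not available: VBS/Credential Guard cannot be running on this host.'
} else {
    $running | Format-List
}

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0 -or -not $running.CredentialGuardRunning) {
    Write-Warning "$($failed.Count) setting(s) differ from the hardened baseline; apply the fix via Group Policy, reboot, and re-run."
}
```

A host that passes every registry check but reports CredentialGuardRunning = False has been configured but not rebooted, or lacks the hardware (UEFI, Secure Boot, virtualization extensions) that VBS needs, which is exactly the gap an attacker with local admin would look for.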