Issue 29

What passwords do when no one is watching

Teodor Olteanu
End User Computing Lead


In this article, I will describe the typical mistakes that can lead to some serious security issues and also the proper solutions that allow us to defend against this kind of threats. If you care about security in Windows, this article is for you!

Of course there are more than 5 common mistakes…but if you start to think about all of these shown in this article, your network will become significantly more secure! The reasons of these mistakes are very typical: lack of time, lack of monitoring systems, lack of knowledge. Often, common mistakes are very serious and can lead to some serious security breaches. Nobody likes when the passwords of your users are being cracked, right?

Hackers keep trying new tricks, and the system administrators keep adding new technologies to the field so that it is barely possible to fight against cryptography and new operating system security mechanisms. But administrators are often very busy and security may not be their primary focus. Administrators’ mistakes and people's misbehavior can be a great help to those who want access to a piece of information.

Follow me as I try to tackle 5 of the most common mistakes system administrators make about security and find out how some small improvements can have a huge impact on your network’s security.

Mistake 1: Misunderstanding passwords

A recent password audit, found that an employee was using the following password: “MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”._

When asked why she had such a long password, she rolled her eyes and said:

“Hey! IT said that it has to be at least 8 characters and include at least one capital.”

This is a joke, of course. But the reality is that a long and complicated password will not protect you in all the situations!

A study made by BitDefender in 2010 shows that 75% of people use the same password for social media sites and the corporate email. Cases of important sites like Facebook, LinkedIn, Twiter and others that have been hacked and the passwords of thousands of users stolen are well known. So if a hacker has your user’s Facebook password it may have the password to his/her corporate e-mail address and so to your company’s confidential data.

Wherever and whenever you enter a password in the password field, there is at least one mechanism that must know it in order to use it later for the designed purpose - authentication. The common knowledge is that when we set up our password in Windows it is hashed and stored either in SAM (Security Accounts Manager) or the ntds.dit database in Active Directory. But if your operating system can re-use the password it means others can decrypt it!

In many cases attackers don’t even need to know the passwords and can use the “pass the hash” technique in order to run malicious code with elevated privileges. But recently more advanced tools have been developed that allow the decryption of the hashes that are stored into the memory.

Mimikatz is an exploitation tool written by Benjamin Delpy (gentilkiwi) that pulls plain-text passwords out of WDigest (a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication) interfaced through LSASS (Local Security Authority Subsystem Service). So if you logged in on one system with a domain administrator account and somebody has run Mimikatz on the system then practically your whole infrastructure is owned by the attacker.

There is no single defense against this technique, so standard defense practices apply - for example the use of firewalls, intrusion prevention systems, 802.1x authentication, IPsec, antivirus software, full disk encryption, reducing the number of people with elevated privileges, pro-active security patching etc.

Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. The principle of least privilege suggests that a least user access approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand. Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. Also limiting the scope of debug privileges on system may block some attacks that inject code or steal hashes from the memory of sensitive processes

Other things to review are stored passwords used to run certain services. And the recommendation here is to never run a service on an Administrative account, use gMSA (Group Managed Service Accounts). Scheduled tasks that run on a specific account are also vulnerable, because as in the case of services – password can be revealed.

If you want to know more on how Windows manages cached and stored credentials then this short technical overview will give you a clear picture of what happens with saved passwords: technet.microsoft.com/en-us/library/hh994565.aspx

Mistake 2: Ignoring Offline Access

Offline access allows someone to have physical access to a system and thus use the methods described above to access confidential data. It doesn’t need to be necessarily the case of someone that has managed to penetrate your office building unseen. It can be a visitor, the cleaning man, a stolen laptop or someone that brings his laptop home and other people have access to it.

In order to mitigate against data loss in this case, there are several steps of protection that we can implement:

Mistake 3: Using Old Technology

It is hard to be up to date with technology but some of the antique operating system like Windows XP and Windows 2000 should be thrown on the scrapheap!

Perform periodic revisions and plan to upgrade operating systems that are not supported anymore or for which the support will expire soon. Unpatched system and applications can leave open backdoors so have a monthly patching strategy and keep your systems up to date with the latest security patches. Well known points of attack are also Java and Adobe products so besides Microsoft products keep in mind that you’ll have to upgrade also these types of apps.

Mistake 4: Lack of Network and System Monitoring

In the case of the network there is one well known rule: do not allow traffic that you do not know. Also be aware that most of the protocols have space for data in them. For example many admins focus their network monitoring on TCP and UDP protocols. ICMP is often overlooked, but it is nearly as viable for data transfer. Why not put the sensitive information there and send it out? Data transfer through ICMP is possible but nobody monitors ICMP traffic. Do you allow pings outside your network?

Another big threat is installing pirated content that can have malware attached to it. Keep your toolbox where you have installation kits for the apps you use internally up to date and keep the checksums in a different place. Malformed installation files are not necessarily recognized by antivirus software and injection of the file with malware can happen even before you get the file, so be careful from where you download your installation kits. Two questions to think about here are: Do you check for the files’ signatures before installation? Do you perform periodic security checks of your folder with installation files?

It is recommended that you deploy a software inventory solution so that you can find out what software is installed in your network.

Mistake 5: Lack of Documentation & Training

Is this really the admin’s mistake? Yes, I believe this is one of the biggest mistakes made in an IT organization. Most companies are not prepared for the IT staff going on a vacation! Be proactive, split and rotate tasks between admins, organize trainings for your users and keep your internal wiki up to date.

Perform periodical audits of your infrastructure and do not forget to audit permissions and ACLs. The cheapest and most effective attacks are often nontechnical. People tend to take shortcuts and it’s hard to control their intentions. Monitor them and show that you’re doing it.

Default passwords can also create huge security holes. Blank the passwords in MSSQL can lead to full machine compromise. Default / blank passwords on web-based management interfaces lead to various levels of compromise.

Use vulnerability scanners and scan the network for HTTP, FTP, Telnet, and SSH services. Also be sure to use different passwords for the local administrator account and the domain administrator account. If you are not convinced about the danger of default passwords then check out the shodan.io website. This site is a database of services that are exposed to the internet and which use default or blank passwords. It’s amazing what you can find here – from webcams, to routers and file shares, all open to the internet.

In conclusion, if you have to take one thing from this article, try to pick one of the mistakes I’ve described above and take it to your work place and think about it. Examine the way you currently work and do something before it’s not too late.

If you feel I’ve opened your apethite for further reading on this subject, please check out Paula Januszkiewicz’s talks. She is my favourite security expert and has also insipred me to write this article. Also browse the Trustworthy Computing site at microsoft.com/twc. TwC is a long-term, collaborative effort to deliver more secure, private, and reliable computing experiences for everyone.




  • Accenture
  • BT Code Crafters
  • Accesa
  • Bosch
  • Betfair
  • MHP
  • BoatyardX
  • .msg systems
  • Yardi
  • P3 group
  • Ing Hubs
  • Colors in projects


Teodor Olteanu wrote also