The Phantom Menace

Achieving complete control over a company is a feat that requires a black belt and serious Jedi hacking skills. You must create a chain of multiple zero-day exploits to get into a network (we all know they are really “cheap”), use a hacking mask to bypass face recognition authentication and, finally, extract data using an FM radio receiver and video card — something only a true master can pull off.

Extreme examples sound great, but they usually belong to action novels and click-bait articles, as real-life hacks are less dramatic. Attackers tend to follow the path of least resistance. Very often, after reading detailed descriptions of the latest security breach, you can find out that admin/admin credentials were used, or hackers used some forgotten account with P@ssw0rd or Company123 passwords.

Unfortunately, many security teams believe that their focus can determine their reality. They expend a lot of effort trying to protect their assets from rare and exotic attack vectors while ignoring or underestimating the big hole right under their feet. The Pareto Principle applies to IT security as well: it is possible to spend 20% of your effort to protect your company from 80% of the attacks. I often recommend reading reliable analyses, such as DBIR (my favorite annual report) to find out about the most common attack techniques, how to stay on target, and how to set up your defenses. In the latest report, you’ll see that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

In a data center, very very close, not a long time ago… This is a story of how one weak password can bring down the whole empire.

Attack of the clones

The local administrator account is one of the most common security underdogs. It is often ignored – after all, it gives you only local privileges, right? Well, size matters not. This account is present on every Windows-based computer in your company, where it co-exists with other, more interesting accounts. Local accounts are decentralized in nature, but unfortunately, they often share the same password. This vulnerability can easily be used for privilege escalation.

To solve this issue, the most common approach has been to use a centralized method to change the password on a regular basis. The administrator would choose new password and push it to all workstations. This method hasn’t really solved the problem, though – there are still multiple machines that share the same password, only the password would gets changed more often. In 2014, Microsoft stopped supporting this method through Group Policy Preferences (GPP), even publicly documenting the private key used to encrypt the password in Group Policy. Even if you have some other solution than GPP, this is not really a solution, as the core problem still exists — you have multiple accounts with local administrative privileges that are using identical passwords.

As soon as an attacker finds out that local accounts are using the same password, he will start by cracking this password. He knows the hash, now he needs to recover the plain text password from it. Most people are familiar with two approaches to cracking of passwords: brute force (attackers try every single combination of characters) and dictionary attacks (phrases from dictionary are used). This often leads to a false sense of security — that it’s hard and time-consuming to crack passwords using these two methods.

Well, that used to be the case, but no more. Today, the reality is that we’ve successfully trained our users to use passwords that are hard for them to remember, but are easy for computers to calculate. Attackers have a lot of different options; for example, they can use pre-calculated rainbow tables. To give you an idea of how fast an attacker can crack a password with rainbow tables, I asked my wife to create a password for me (she chose “Qwerty312”) and I generated an NTLM hash out of the password (“115F8AA43E6D29FCCEB4A9FC92991A8F,” not that this is important to know). Without anything installed on my computer or spending a cent on professional cracking services, I was able to crack that password in just few seconds, using one of the online rainbow table services.

Another option is to use a GPU-based cracking tool which allows attacker to test billions of passwords per second. Or if you really want to be a professional, why not invest into specialized hardware, such as Brutalis or Invictus?

Even if you cannot run your own datacenter with clusters of machines used for hash calculations, there is another flexible option you have: simply spin up a few GPU-enabled instances in your favorite cloud provider. Using distributed computing, it’s possible to crack even very complex passwords in a short time, especially since attackers need to crack only single (local) password.

After an attacker obtains the local administrator password, he can use the Pass-the-Hash technique to impersonate any domain account running on any of the compromised computers, without the need to know the password of this domain account. This is a recipe for a very simple and powerful escalation of privileges. You get control of one local account, compromise domain account running on the same system, pass on what you have learned and control the whole network in a very short time. If all local accounts are using identical passwords, it’s easy for an attacker to generate a graph to gain access to domain controller in a very short amount of time. This is how security dies… with thunderous applause.

This is a critical lesson to learn. This is a new day, a new beginning. Understanding graph security theory, knowing the tools and methods that attackers are using is crucial to building an effective defense.

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. — John Lambert, General Manager, Microsoft Threat Intelligence Center

The LAPS Awakens

Do you think there is no solution to this problem? If you’re nodding “yes,” well, I find your lack of faith disturbing — even if security challenges are often complicated, they can always be solved. There are two potential solutions: either disable local accounts completely, or make sure that password is unique on each of the machines. The first approach, while theoretically possible, is not desirable, as the local account is traditionally used if there are any problems with connectivity or domain membership.

That leaves us with only one option: randomize all local passwords. There are many third-party solutions that implement this functionality, but there is one solution that is available to everyone – Local Administrator Password Solution (LAPS) from Microsoft. LAPS is using Group Policy engine (through new client-side extension) to automatically generate random password on each of the domain computers.

LAPS is a simple, elegant, and fully functional solution. The basic logic of LAPS is here:

Access to this confidential attribute is protected through access control lists (ACL). There are always two locations where passwords are stored — no more, no less — locally at each of the computers and centrally in Active Directory. The complexity and expiration of passwords can be configured in Group Policy.

Domain administrators can also decide which users are authorized to read this password, for example helpdesk administrators, either through a simple client application, using provided PowerShell cmdlet or using a third-party solution.

Using a simple user interface to read password.

Implementation of LAPS is simple – you can follow instructions in this operation guide or read this blog post from Trond Eirik Haavarstein.

Local account strikes back

So, problem solved, right? If you have a bad feeling about this, you are right; it’s a trap! While single image management allows you to quickly build your army of clones, there are some aspects of virtual machines that you want to keep unique, such as computer name, any unique ID used by antivirus or randomized local password. With non-persistent machines and single-image management, decentralizing, and randomizing of passwords can prove challenging, as you can see in the following diagram:

A New Hope

Sometimes there are things no one can fix. Luckily, this is not one of those situations – as with similar challenges, quick script or configuration change can make solution compatible with single image management. In this case, our goal is to generate new password every time that virtual machine is reverted to default state.

We can achieve this by adding the shutdown script to all our non-persistent virtual machines that will change the expiration date attribute (“ms-Mcs-AdmPwdExpirationTime”) in Active Directory to the already-expired value. Next time, when the machine boots up, LAPS will detect that the password has expired and it will automatically generate and synchronize a new password for this machine. This solution is working for both XenApp and XenDesktop virtual machines.

You can download my shutdown script at the end of this article. Implementation is simple — just create a shutdown script in Group Policy and apply it to all your non-persistent machines. You also need to install LAPS extension on all master images. Below, you can see an example configuration in my environment:

LAPS shutdown script implementation.

The Last Password

To summarize: weak and/or stolen passwords can be your greatest enemy. The combination of weak, singular passwords for all your local administrator accounts can quickly lead to complete disaster and the easiest method to prevent this from happening is to make sure that each one of your Windows machines is using randomly generated, hardened passwords. It’s not really the password complexity, but rather its length that really matters.

Short, complex and hard to remember passwords are easy for computers to guess – it’s only challenging for your end users to remember them. Using an easy-to-remember long passphrase/sentence is far more reasonable. For example, my password in 2006 used to be “It’s year twothousandandsix”, which would take 5 vigintillion years for a typical computer to crack.

If you’ve attended one of my sessions about authentication, you know I’m a big believer that the future is passwordless. AI/ML-powered analytics that will be more and more accurate at understanding different personas, combined with biometric authentication will not only be more secure than passwords, but also more user-friendly, which is critical for adoption. Being able to centralize authentication and provide the same level of security for different types of applications will be great advantage in upcoming years.

It’s easy to say “It’s not my fault” after a security breach, but it is our job to do everything we can to prevent breaches and, when that is not enough, contain the impact and minimize the recovery time. Do. Or do not. There is no try.

I would like to thank Jiri Formacek (creator of LAPS, now running more advanced version at AdmPwd.E) and Tom Endean from The SysAdmins Blog for great help and great discussions.

“This software application is provided to you “as is” with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.”

Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know!