
How can Kerberos protocol vulnerabilities be mitigated?

Microsoft's Kerberos protocol implementation has long-standing issues with its secret keys. Expert Michael Cobb explains how to mitigate the authentication vulnerabilities.

A security researcher recently discovered major authentication vulnerabilities in Microsoft Kerberos implementations that could enable several kinds of serious attacks. What are these authentication vulnerabilities, and what can be done about them?

The Kerberos protocol was developed by MIT in its Athena Project during the 1980s, and is one of the most widely used authentication methods today. It's a network authentication protocol that works on the basis of tickets, which allow users and services that communicate over a nonsecure network to prove their identities to each other in a secure manner. Clients obtain tickets from the Kerberos Key Distribution Center (KDC) and present them to the servers or services they want to access. Microsoft adopted the Kerberos protocol as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains, but it doesn't use the MIT software, preferring instead to use its own proprietary extension to the Kerberos suite of protocols.

A Kerberos ticket represents a client's network credentials and is of huge interest to an attacker. Each ticket is encrypted with a symmetric key derived from the password of the server or service to which access is requested. To request a ticket, a special ticket called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service. The TGT is encrypted with a secret key derived from the password of the krbtgt account, which is known only to the Kerberos service. A recent blog post by security researcher @dfirblog details old but dangerous vulnerabilities in Microsoft's implementations of the Kerberos protocol that would allow an attacker to obtain that secret key and bypass the authentication system. In a worst-case scenario, this could allow an attacker to create a golden ticket, grant themselves full admin rights, and create secret passwords for existing users or for new users who don't exist.

This attack is possible in Microsoft's implementation of the Kerberos protocol because the KDC encrypts and signs TGTs and Privilege Attribute Certificate data using the secret key derived from the krbtgt account password, an account that is created by default. Because this account is disabled and not used interactively, its password is rarely changed, so the key stays valid for years; in the MIT implementation, the secret key is randomly chosen rather than derived from a long-lived password.

Microsoft has published the documents Mitigating Pass the Hash and Other Credential Theft, Versions 1 and 2, which discuss defense strategies to protect against various credential-based attacks. Administrators should follow the guidance found in these documents to improve the overall security of Kerberos-based authentication. Frequently changing the krbtgt account password can help prevent forged tickets from being made. Microsoft has also released a script that enables administrators to reset the krbtgt account password and related keys while minimizing the likelihood of the change causing Kerberos authentication issues. Security teams need to focus on protecting and monitoring privileged accounts, and should take advantage of the Protected Users group and Credential Guard in Windows 10. Monitoring and detection tools should be tuned to spot anomalies in the logs generated by Kerberos, which should be running on a hardened and well-protected server.
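The two mitigations above, keeping the krbtgt key young and looking for anomalies in the KDC's logs, can both be expressed as simple checks. The following is an added example written for this answer; it is not code from the article, from @dfirblog or from Microsoft. It assumes a 180-day rotation policy for the krbtgt password (a constructed value, not one the article states), and it uses the standard Windows security audit event IDs 4768 (a TGT was requested) and 4769 (a service ticket was requested); the event record layout, the directory listing and the sample events are all constructed for the example. A service ticket for an account that never obtained a TGT from the KDC, or for an account that does not exist in the directory, is exactly the footprint of a forged ticket the article describes.

```python
"""Added example (not part of the original article): two defender-side checks.

1. krbtgt_key_is_stale(): flags a krbtgt password (and therefore the key that
   encrypts and signs every TGT) older than the rotation interval.
2. find_suspicious_service_tickets(): correlates constructed Kerberos audit
   records and reports service-ticket requests (event 4769) for accounts that
   never obtained a TGT (event 4768) in the same window, or that are not in the
   directory at all.

ROTATION_DAYS, the record layout, KNOWN_ACCOUNTS and SAMPLE_EVENTS are assumptions
made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ROTATION_DAYS = 180  # assumed rotation policy for the krbtgt password


def krbtgt_key_is_stale(password_last_set: datetime, now: datetime,
                        rotation_days: int = ROTATION_DAYS) -> bool:
    """True if the krbtgt password is older than the rotation interval."""
    return now - password_last_set > timedelta(days=rotation_days)


@dataclass(frozen=True)
class KerberosEvent:
    event_id: int        # 4768 = TGT requested, 4769 = service ticket requested
    timestamp: datetime
    account: str         # account name as recorded by the KDC
    client_ip: str


def find_suspicious_service_tickets(events, known_accounts, window_hours=10):
    """Return (event, reason) pairs for every 4769 record that either names an
    account missing from the directory or has no 4768 for the same account in
    the preceding window_hours (the default matches a common TGT lifetime)."""
    tgt_times = {}
    for e in events:
        if e.event_id == 4768:
            tgt_times.setdefault(e.account.lower(), []).append(e.timestamp)
    window = timedelta(hours=window_hours)
    findings = []
    for e in events:
        if e.event_id != 4769:
            continue
        acct = e.account.lower()
        if acct not in known_accounts:
            findings.append((e, "service ticket for account not in directory"))
            continue
        recent_tgt = any(timedelta(0) <= (e.timestamp - t) <= window
                         for t in tgt_times.get(acct, []))
        if not recent_tgt:
            findings.append((e, "service ticket without a TGT issued by this KDC"))
    return findings


# Constructed sample data: one normal session and two suspicious requests.
T0 = datetime(2016, 5, 2, 9, 0)
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "krbtgt"}
SAMPLE_EVENTS = [
    KerberosEvent(4768, T0, "alice", "10.0.0.12"),
    KerberosEvent(4769, T0 + timedelta(minutes=5), "alice", "10.0.0.12"),
    KerberosEvent(4769, T0 + timedelta(minutes=30), "bob", "10.0.0.40"),  # no TGT seen
    KerberosEvent(4769, T0 + timedelta(hours=1), "ghost", "10.0.0.40"),  # no such account
]

if __name__ == "__main__":
    print("krbtgt key stale:",
          krbtgt_key_is_stale(datetime(2015, 1, 1), datetime(2016, 5, 1)))
    for event, reason in find_suspicious_service_tickets(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{event.timestamp} {event.account:<8} {event.client_ip:<12} {reason}")
```

The TGT correlation only holds if events from every domain controller are aggregated before the check runs: a client can obtain its TGT from one DC and request service tickets from another, so a single DC's log on its own would produce false positives. The password-age check should be applied to both of the krbtgt password-change events that a proper reset involves, since the KDC continues to accept tickets under the previous key until the second change.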


This was last published in May 2016
