Over the last year, Microsoft had been dropping lots of hints it would be reworking its authentication system in Windows 10. Multi-factors, support of FIDO, and the use of virtualization technology to secure credentials were all slated to be in its latest and greatest OS. With the general release of Windows 10 late last month, we now get to see what’s in the sausage.
For starters, you should read the July 28 announcement on their blog. In the very first bullet point, they announce Windows Hello, which is Microsoft’s take on password-free authentication, using either facial, thumbprint, or iris recognition for validation. Hello will support the FIDO open-standard as well.
Get the Free Pen Testing Active Directory Environments EBook
Also in that first bullet point is a reference to something called Credential Guard. It’s described as a way to “protect corporate identities by containing them in the hardware-based secure execution environment.”
Ok, Credential Guard must be using the virtualization technology they had been yakking about for the last few months— for example, see this presentation by Microsoft’s Nathan Ide at this year’s RSA conference.
To find out more, I searched the TechNet portion of the Microsoft website and came across this overview article on Credential Guard. As I read more, it was beginning to look like this was the long awaited PtH messiah.
For those who’ve been following along with us, Pass the Hash (and Pass the Ticket for Kerberos) is a way for hackers to directly exploit user credentials that are kept in memory. The hash of the password — remember hashing? — is at the core of Windows NTLM challenge and response authentication protocol.
If you have the hash, it’s the same as having the password: you just pass or feed it into the NLTM protocol to gain entry. Once inside a system, hackers love PtH because they don’t have to crack hashes to take over a user’s identity.
Great news, for hackers. So how do they get the hash?
The answer: Windows keeps hashes in LSASS memory, making it available for Single Sign On or SSO. In an SSO environment, the computing world most of us live in, you enter passwords once when logging in to your corporate laptop. When you need to access other services, Windows just dips into LSASS to pull out the credential — the hashed password — so you don’t have to re-enter it.
It’s a user convenience that we all take for granted, but it has the side effect of giving hackers a huge opening to exploit.
Pen test tools like Mimikatz, for example, access LSASS memory, thereby allowing cyber thieves to pull out credentials (preferably of users with elevated privileges) and take on multiple identities as they traverse the target system.
Bottom Line: Hashes Will Be Really Hard to Get
Mr. Softee has known about PtH for many, many years. To its credit, it sort of recognized the problem and has given very good advice on how to reduce the risks of credential stealing — see this paper.
And that’s where Credential Guard finally comes in. In Windows 10, the designers reworked the LSASS process so that it lives in its own virtualized container. Yeah, it’s using similar ideas and techniques to those found in virtual machines that enable a host operating system to run various guest operating systems.
These guest operating systems are sort of like their own min-universes, separate from each other, except through some well-defined worm holes — I’ll get to that in a second.
So what’s going on in Credential Guard?
Last month at Black Hat, Microsoft heavy weights, Seth Moore and Baris Saydag, gave a presentation, Defeating Pass-the-Hash, that explained the implementation details.
It gets gnarly, but the LSASS address space is now really, really separated from other user processes so that apps like Mimikatz can’t peek into it. You’ll have to read the paper to understand the fine points — note the use of the words hypervisor and ring levels.
But here’s the speedy executive overview based on my current understanding. The developers left the LSASS programming logic intact to continue supporting credential processing as before. The memory space, though, is walled off from other apps with Credential Guard acting as the gateway.
Neat Wormhole Technology
System and other apps, of course, still need to verify the credentials of users, but now they do so through a well-protected and authenticated connection to Credential Guard. So you can think of Credential Guard as the guardian of the wormhole between its special memory space and everything on the other side.
I know this post is starting to sound like Interstellar. Nevertheless, the technology is quite interesting and really does seem to finally close off PtH.
I’d like to think that Pass the Hash will eventually become a problem of the past as companies migrate to the Windows 10 Enterprise Edition — the only version that Credential Guard runs on.
Of course, you shouldn’t discount hackers’ power to find weaknesses and zero-day exploits.
So the wiser security view to take is that the cost to play Pass the Hash has gone up immensely. It may still be possible in the future, but it will require a far more sophisticated effort than is currently the case.