Secure Your Active Directory by Periodically Resetting the Kerberos TGT Account Password
Active Directory uses Kerberos authentication, which is generally considered quite secure. Kerberos relies on tickets for authentication. These tickets are encrypted with a symmetric key derived from the password of the server, or service, to which you are trying to authenticate. The Kerberos service expects a Ticket Granting Ticket (TGT) before establishing a session. The TGT has a limited life span and is encrypted with a key derived from the password of the Kerberos TGT (KRBTGT) account. That password is not something you or I would know; it is generated internally by the system and only the Kerberos service knows it. However, if this password is somehow stolen, the bad guys can get into your domain by impersonating legitimate authentication and potentially take over your entire Active Directory domain.

Obviously, this could be disastrous for your organization, so Microsoft is actively educating customers and doing something about the issue. One area they are focusing on is the Pass-the-Hash (PtH) attack. Attackers can use PtH to capture account logon credentials on one computer that has weak security and then use those credentials to authenticate to other computers and servers on the network.
In July 2014, Matt Thomlinson, Vice President of Microsoft Security, wrote an article called New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks. In it, Matt discussed protection against PtH attacks and some of the steps that the people responsible for an organization’s security can take. He encouraged us to read these white papers from Microsoft and pointed out a few important things to keep in mind. He wrote:
“There are three important points technology leaders should understand about a PtH attack:
- First, an attacker has to get a foothold on your network before a PtH type of attack occurs. This is commonly achieved using tactics such as phishing, taking advantage of weak passwords, or by exploiting unpatched vulnerabilities.
- Second, once initial administrative rights to a compromised computer are obtained, an attacker captures account login credentials on that computer, and then uses those captured credentials to authenticate to other computers on the network.
- Third, the ultimate goal of an attacker might be to compromise the domain controller – the central point of control for all computers, corporate identities and credentials – which effectively gives them control and full access to all of the organization’s IT assets.”
Because security experts have been concerned about potential PtH attacks, on February 11, 2015 Microsoft released the KRBTGT account password reset script to the public. Essentially, the script resets the password periodically to make the key protecting the Kerberos TGT more secure. Here’s what it does:
- Performs a single reset of the KRBTGT account password hash and related keys (it can be run multiple times for subsequent resets).
- Replicates the KRBTGT account and its new keys to all writable Domain Controllers (DCs) in the domain immediately.
- Validates that all writable DCs in the domain have successfully replicated the new keys.
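The last step above, checking that every writable DC holds the new keys, is something you can also verify yourself between resets. The following PowerShell is an added example written for this post, not Microsoft’s reset script; it assumes the RSAT ActiveDirectory module, a domain account allowed to read the krbtgt object, and a hypothetical `Get-KrbtgtKeyStatus` function name and 180-day staleness threshold of my own choosing.

```powershell
# Added example: audit the KRBTGT account on every writable DC and report
# whether its password age is acceptable and its keys have replicated.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-KrbtgtKeyStatus {
    param(
        # Domain to audit; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Hypothetical threshold: flag the password once it is older than this.
        [int]$MaxAgeDays = 180
    )

    # The reset script only touches writable DCs; read-only DCs use their own krbtgt_NNNNN accounts.
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Where-Object { -not $_.IsReadOnly }

    $rows = foreach ($dc in $dcs) {
        try {
            # Query each DC directly so we read its own replica, not whatever the nearest DC holds.
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName `
                    -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
            [pscustomobject]@{
                DC              = $dc.HostName
                PasswordLastSet = $k.PasswordLastSet
                AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
                KVNO            = $k.'msDS-KeyVersionNumber'   # increments on every reset
                Error           = $null
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; AgeDays = $null; KVNO = $null; Error = $_.Exception.Message }
        }
    }

    # Replication of the new keys is complete when every reachable writable DC reports the same KVNO.
    $kvnos = @($rows | Where-Object { $null -ne $_.KVNO } | Select-Object -ExpandProperty KVNO -Unique)
    [pscustomobject]@{
        Domain         = $Domain
        WritableDCs    = @($rows).Count
        Unreachable    = @($rows | Where-Object { $_.Error }).Count
        KeysConsistent = ($kvnos.Count -eq 1)
        PasswordStale  = [bool]@($rows | Where-Object { $_.AgeDays -gt $MaxAgeDays }).Count
        PerDC          = $rows
    }
}

$status = Get-KrbtgtKeyStatus
$status.PerDC | Format-Table -AutoSize
$status | Select-Object -Property * -ExcludeProperty PerDC | Format-List
```

A mismatch in KVNO between DCs means the reset has not yet replicated everywhere, which is exactly the condition the script’s validation step waits for before you should consider the reset complete.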
Copyright © 2015 SeattlePro Enterprises, LLC. All rights reserved.