[Bkjia.com exclusive translation] I miss the days when attackers had to crack passwords. Back then, defending against them took three steps: keep your password hashes from being stolen in the first place, use strong passwords, and make them long enough that cracking is impractical.
Today, password cracking is old news. Attackers now use pass-the-hash attacks: the attacker obtains the hash itself, whether from the password-hash database or from memory, and uses it directly to authenticate, creating entirely new sessions without ever recovering the plaintext password.
The password hash, or the credential in any other authentication scheme, is what decides whether a logon succeeds or fails. It is the key to the kingdom, which is why nearly every security control is built to keep attackers from getting hold of authentication material. An attacker who obtains administrator-level credentials can do anything they want, and do it smoothly, because to the defenses they look entirely legitimate.
Pass-the-hash attacks work against every operating system and every authentication protocol, including Kerberos, the strong authentication system developed at MIT. They even work against smart card logons, because Windows still derives and stores an NT hash for the account (a design inherited from LAN Manager) and uses it on the endpoint after the smart card logon completes.
I have been trying to get one idea across to our customers: the frightening part is not the pass-the-hash attack itself. What deserves attention, and what we can actually control, is stopping the attacker from getting what the attack requires in the first place, namely administrator access. Worrying about pass-the-hash after an attacker already has administrator rights is like fretting over whether the steering-wheel lock will slow the thief down after the car has already been driven away. Still, when pass-the-hash keeps hitting an organization it inevitably gets our and our customers' attention, and such attacks are becoming more and more common.
Defending against pass-the-hash
As I said above, there is no single mechanism that completely defends against pass-the-hash, but that does not mean we should sit back and take it. Security is not binary; it is not a black-or-white choice. Real security means finding a reasonable balance somewhere between completely secure and completely exposed.
I have seen advanced persistent threats thwarted simply by disabling the weak LAN Manager (LM) password hashes, even though the attackers' tools could have handled the stronger NT hashes with ease. The attackers never realized the weak hash had been disabled, so they did not think to retry their pass-the-hash attempts with the stronger one.
Of all the pass-the-hash defenses, keeping attackers from getting administrator access in the first place is by far the most important. Unfortunately, that brings us back to the traditional computer security basics I have harped on for years: least-privilege user accounts, anti-malware tools, application whitelisting, firewalls, and so on. My customers rarely come to me asking about pass-the-hash until they have already realized those traditional defenses have failed them.
We can put obstacles in the way of attackers trying to extract hashes from memory. In Windows, the password hash can be recovered from memory after the following logon types: interactive, batch, service, unlock, remote interactive, and cached interactive. That may look like every logon type you know, but note that network logon is missing. A plain network logon, such as connecting to a shared drive over SMB/NetBIOS, does not leave the hash in the target computer's memory.
Logging off usually clears the hash from memory, but applications and APIs can hold on to it, so logging off alone is not completely reliable. The ideal is to log off and then restart the computer, which guarantees that no password hash remains in memory.
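To make the list of logon types above actionable, here is an added example in PowerShell (not part of the original column) that reads a host's Security log and reports which privileged accounts have logged on with one of the credential-caching logon types, which is exactly the exposure the advice about minimizing such logons is meant to reduce. It assumes logon auditing is enabled, that it runs elevated on the host being checked, and that the two CONTOSO\adm-* account names are placeholders for your own administrative accounts.

```powershell
# Added example (not from the original article): which privileged accounts have left
# reusable credentials in LSASS on this host, judged by the logon type in event 4624.
# Assumptions: run elevated on the host being checked; logon auditing is enabled;
# the account names below are placeholders for your own admin accounts.

# Logon types after which Windows keeps the hash/credential in LSASS memory.
$CredentialCachingLogonTypes = @{
    2  = 'Interactive'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive'   # RDP
    11 = 'CachedInteractive'
}
# Type 3 (Network), e.g. an SMB share or a WinRM session, is deliberately absent:
# it does not leave the credential on the target.

$PrivilegedAccounts = @('CONTOSO\adm-alice', 'CONTOSO\adm-bob')   # assumption

function Get-CredentialLeavingLogons {
    param(
        [string[]]$Accounts = $PrivilegedAccounts,
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent reports an error rather than an empty result when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        # Pull the EventData fields by name instead of relying on positional indexes.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $acct = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        if ($CredentialCachingLogonTypes.ContainsKey($type) -and ($Accounts -contains $acct)) {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Account   = $acct
                LogonType = $CredentialCachingLogonTypes[$type]
                Source    = $data['IpAddress']
            }
        }
    }
}

Get-CredentialLeavingLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Every row this prints is a machine that, unless it has been rebooted since, may still hold that administrator's hash in memory; a Source of "-" or "127.0.0.1" with type Interactive means someone sat at the console or used a local tool, while RemoteInteractive rows are the RDP sessions the next section argues against.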
Close off the logon paths
I often remind customers to minimize the number of logons of the types listed above made with privileged accounts. In most environments, Remote Desktop Protocol (RDP) or some other interactive remote-control software is used to manage, troubleshoot, and access servers and workstations. That is simple and efficient, but the side effect is obvious: privileged credentials get left behind on the remote machine, and if that machine is infected or otherwise untrusted, the consequences are serious.
Instead, I encourage customers to manage computers non-interactively. Console tools can connect to remote computers without RDP; most Microsoft Management Console (MMC) snap-ins can be redirected to a remote target computer. PowerShell scripts can likewise replace sessions in which an administrator types a password at an interactive logon.
Many excellent colleagues share my view: eliminate accounts with superuser-level rights entirely, or keep at most one. In Microsoft Active Directory (I am a full-time Microsoft employee), the delegation feature lets us grant specific administrative rights to specific users, scoped far more tightly than membership in Domain Admins or Enterprise Admins. In my experience, no domain or enterprise administrator actually needs full superuser power for their day-to-day work. Granting staff only the rights they need does not interfere with their work, and when one of their hashes is stolen, the attacker does not get a superuser account out of it.
Some of my customers put their hopes in changing passwords frequently or using one-time passwords. That does help: if an attacker obtains such a hash, the window in which it is usable is short. A variety of vendor tools can help achieve this. Preventing reuse of the same password across systems also helps, so that a hash lost on one system does not put the others at risk.
It is also best to run the latest operating systems; they carry defenses that earlier versions lack. For example, Vista, Windows 7, Windows Server 2008 and later support Kerberos with AES keys alongside the traditional NT hash (the NT hash is not replaced; it is still stored and still used for NTLM). At the time this was written, no pass-the-hash tool could make use of the AES keys; tools have since gained that ability, so the AES key has to be protected exactly like the NT hash. Such advantages are always temporary, but remember that security is never absolute: anything that measurably reduces the risk of pass-the-hash is worth doing.
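As an added example (not part of the original column), the following PowerShell script performs a routine administrative task over PowerShell remoting rather than RDP and then checks, from inside the remote session, which logon type the target recorded for the administrator. With the default Kerberos/Negotiate authentication, remoting produces a network logon (type 3) on the target, so the administrator's hash is not left in the target's LSASS. Server and account names are assumptions.

```powershell
# Added example (not from the original article): manage servers over PowerShell
# remoting instead of RDP. Assumptions: WinRM is enabled on the targets, the admin
# runs this from a trusted workstation, and the names below are placeholders.

$Targets = @('srv-app01', 'srv-app02')            # assumption: managed servers
$Cred    = Get-Credential 'CONTOSO\adm-alice'     # prompt happens on the trusted admin host

# Do NOT add -Authentication CredSSP here: CredSSP forwards the full credential to the
# target, which recreates exactly the exposure RDP has.
$sessions = New-PSSession -ComputerName $Targets -Credential $Cred

$result = Invoke-Command -Session $sessions -ScriptBlock {
    # The administrative task itself: restart a stuck service.
    Restart-Service -Name Spooler -ErrorAction SilentlyContinue

    # Find the logon type(s) the target recorded for the account running this session.
    # Win32_LoggedOnUser links accounts to logon sessions; Win32_LogonSession carries the type.
    $user = $env:USERNAME
    $ids  = Get-CimInstance Win32_LoggedOnUser |
            Where-Object { $_.Antecedent.Name -eq $user } |
            ForEach-Object { $_.Dependent.LogonId }
    $types = Get-CimInstance Win32_LogonSession |
             Where-Object { $ids -contains $_.LogonId } |
             Select-Object -ExpandProperty LogonType -Unique

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RunningAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        LogonTypes    = ($types | Sort-Object) -join ','   # expect "3" (Network) for a remoting session
        SpoolerStatus = (Get-Service -Name Spooler).Status
    }
}
$result | Format-Table Computer, RunningAs, LogonTypes, SpoolerStatus -AutoSize

# Close the sessions so no lingering session tokens remain on the targets.
Remove-PSSession -Session $sessions
```

If LogonTypes shows anything other than 3 for that account, someone has also logged on to that server interactively or via RDP with it, and the hash may be sitting in memory there.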
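As an added example of the delegation approach (this is not the original column's code), the PowerShell below grants a help-desk group only the "Reset Password" right on user objects in one OU, instead of putting help-desk staff in Domain Admins. It needs the ActiveDirectory module and rights to change the OU's ACL; the OU, domain and group names are assumptions. The two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the original article): delegate one right on one OU rather
# than granting superuser membership. Assumptions: ActiveDirectory module present,
# caller may edit the OU's ACL, and the OU/group names below are placeholders.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=contoso,DC=com'   # assumption
$Group = 'CONTOSO\HelpDesk-PwdReset'    # assumption

# Well-known GUIDs from the AD schema / extended-rights container.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class "user"

function Grant-PasswordResetOnOu {
    param([string]$OuDn, [string]$Group)
    $sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    # Allow the extended right, inherited by descendant objects, but only objects of class "user":
    # the help desk gets no rights over groups, computers, or the OU itself.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-PasswordResetDelegation {
    param([string]$OuDn, [string]$Group)
    # Returns the matching ACE(s); empty output means the delegation is not in place.
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.AccessControlType -eq 'Allow'
    }
}

Grant-PasswordResetOnOu -OuDn $OuDn -Group $Group
Test-PasswordResetDelegation -OuDn $OuDn -Group $Group |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The point of the inheritance arguments is the blast radius: if a help-desk hash is later stolen, the attacker can reset passwords of ordinary users in that OU and nothing else. Note that resetting a password of an account that is itself privileged is a privilege escalation path, so keep administrative accounts out of any OU delegated this way.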
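The two pieces of credential hygiene discussed above, disabling the weak LM hash and moving accounts to AES Kerberos keys, come down to a handful of settings. The PowerShell below is an added example (not from the original column) that shows the weak defaults beside the hardened values, together with the caveats that bite in practice: neither setting changes credential material that already exists until the password is changed, and the NT hash remains in place regardless. It must run elevated; the account part needs the ActiveDirectory module, and the account name is an assumption.

```powershell
# Added example (not from the original article). Assumptions: run elevated on the
# host; ActiveDirectory module available for the per-account part; 'adm-alice' is
# a placeholder account name.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaHashSettings {
    $p = Get-ItemProperty -Path $Lsa
    [pscustomobject]@{
        # 1 = do not store the LM hash (two independent 7-character halves, trivially cracked)
        #     for new passwords. Absent or 0 = weak default on older systems.
        NoLMHash             = $p.NoLMHash
        # 5 = send NTLMv2 only and refuse LM and NTLM responses. Absent or 0-2 = accepts
        #     the weak protocols and is the weak default on older systems.
        LmCompatibilityLevel = $p.LmCompatibilityLevel
    }
}

function Set-LsaHashSettings {
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # Caveat: NoLMHash only affects passwords set from now on. LM hashes already in the
    # SAM or in Active Directory remain until each account's password is changed.
}

function Set-AccountKerberosAes {
    param([string]$SamAccountName)
    Import-Module ActiveDirectory
    # Reject RC4 for this account's Kerberos tickets. RC4-HMAC is keyed directly by the
    # NT hash, which is what makes "overpass-the-hash" into a Kerberos ticket possible.
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256'
    # Caveats: AES keys are only derived when the password is set, so an account that has
    # not changed its password since the domain reached the Windows Server 2008 functional
    # level has no AES keys yet and will fail Kerberos logon until its password is reset.
    # This does not remove the NT hash; NTLM still works with it.
    Get-ADUser -Identity $SamAccountName -Properties KerberosEncryptionType, 'msDS-SupportedEncryptionTypes' |
        Select-Object SamAccountName, KerberosEncryptionType, 'msDS-SupportedEncryptionTypes'
}

Get-LsaHashSettings     # before
Set-LsaHashSettings
Get-LsaHashSettings     # after: NoLMHash 1, LmCompatibilityLevel 5
Set-AccountKerberosAes -SamAccountName 'adm-alice'   # assumption
```

Roll LmCompatibilityLevel 5 out to the clients before the servers, or old clients that can only speak LM/NTLM will stop authenticating; the same staged approach applies to the AES change, which should be followed by a password reset on every account it touches.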
Jump boxes matter
Another important recommendation: administrators should take the greatest care when doing administrative work and should use only trusted computers. We cannot shirk our administrative duties, but we can stop doing daily web browsing, email, and social networking on the same machine. Better still, do administrative tasks from a dedicated "jump box", a hardened machine that is far less likely to be compromised, which keeps the administrator's hash out of the attacker's reach. From the jump box, the administrator should use non-interactive remote tools to manage other computers, so that the hash stays in the jump box's memory rather than on the managed machine. If an administrator does log on interactively to an untrusted computer, make sure to log off and then restart it afterwards.
Some enterprises go further and set up a dedicated administrative domain, connected to the production domain by a one-way, selective trust, so that administrative credentials cannot be exploited across the boundary between the trusted and untrusted environments.
You can also use IPsec or AuthIP to restrict which computers may log on to which other computers, so that a stolen hash cannot be used against every machine on the network. Finally, keep anti-malware that detects pass-the-hash tools running at all times. The moment we discover one of these tools lurking on our network, a busy day begins.
I hope some of the methods shared in this article help you reduce the risks that pass-the-hash attacks pose. If you have your own insights or techniques, please do not hesitate to share them.
[Bkjia.com exclusive translation. Unauthorized reprinting is prohibited. Partner media reprinting this article must indicate the original source.]
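As an added example of the IPsec idea (not part of the original column), the PowerShell below makes a server accept RDP and WinRM only over IPsec with Kerberos machine authentication, and only from the subnet where the jump boxes live. A hash stolen on an ordinary workstation cannot then be replayed against the server, because the workstation is outside the permitted address range and, if it is not domain-joined, cannot complete the IPsec negotiation at all. It uses the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later); the subnet and port list are assumptions.

```powershell
# Added example (not from the original article). Assumptions: NetSecurity module
# (Windows 8 / Server 2012+), run elevated on the server, and the subnet below is
# a placeholder for wherever your jump boxes live.

$AdminSubnet = '10.10.99.0/24'             # assumption: jump boxes live here
$MgmtPorts   = @('3389', '5985', '5986')   # RDP, WinRM over HTTP, WinRM over HTTPS

# Phase 1 authentication: the *computer* proves itself with Kerberos, so only
# domain-joined machines can even finish the IPsec negotiation.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Admin hosts: machine Kerberos' -Proposal $kerbProposal

# Connection security rule: inbound management traffic MUST be authenticated.
# Outbound is only Requested so the server can still reach hosts without IPsec
# (including the domain controllers it needs for Kerberos itself).
New-NetIPsecRule -DisplayName 'Require IPsec for management ports' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $MgmtPorts `
    -Phase1AuthSet $phase1.InstanceID

# Firewall: replace the built-in "allow from anywhere" rules for these services with
# one rule that allows authenticated peers from the admin subnet only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'Management ports from admin subnet only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $MgmtPorts `
    -RemoteAddress $AdminSubnet -Authentication Required

# Verification: the IPsec rule requires inbound security and the firewall rule is scoped.
Get-NetIPsecRule -DisplayName 'Require IPsec for management ports' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
Get-NetFirewallRule -DisplayName 'Management ports from admin subnet only' |
    Get-NetFirewallAddressFilter
```

Apply this to one server first and confirm you can still reach it from a jump box before rolling it out; a typo in the subnet or a server that cannot reach a domain controller for Kerberos will lock you out of remote management, which is the one failure mode a rule like this cannot forgive.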