It’s Time to Deploy Kerberos Armoring
It doesn’t matter whether you refer to it as Kerberos Armoring, Flexible Authentication Secure...
Kerberos may be considered the old-timer of authentication protocols, but Active Directory still relies heavily on it. That’s why Microsoft is now using a new strategy to address vulnerabilities. IT Pro's may operate the same way they did before but might not get the same results as they once did.
I feel that Active Directory admins need to get onboard with the registry changes that truly address the vulnerabilities. They can do this proactively and stay ahead of the curve. Their Domain Controllers will run smoothly without interruptions, because all the hard work of testing was done when there was ample time to do so.
Let me show you.
They say it’s not easy to change a tire on a riding car. I guess it’s also not easy to change the configuration of a service that is at the heart of networking infrastructures of millions of organizations worldwide. That’s precisely what Microsoft is doing these days with Active Directory.
Active Directory is at the heart of over 90 percent of networking infrastructures worldwide. It provides identity and access management capabilities through various networking protocols; LDAP, NTLM and Kerberos which is why proper Active Directory monitoring and management is a critical component for any IT admin.
These protocols have all been around for decades, long before the Internet was available in our homes. They were designed for trusted networks. However, anyone who has ever experienced a NotPetya ransomware attack has learned that there is no such thing as a network one can trust.
In recent years, Microsoft has made significant changes in its Kerberos implementation. Since Windows Server 2000 – the Windows Server release that included the initial release of Active Directory – the product team has added measures to the existing protocol to restrict unwanted uses and prohibit unsafe actions.
Improvements like Kerberos Armoring (Windows Server 2012) and the Protected Users group (Windows Server 2012 R2) can be considered late parts of the first wave of Kerberos improvements. Admins who had eradicated previous versions of Windows and Windows Server, could enable these features centrally and benefit.
However, the sobering reality is that many organizations didn’t pay attention to these basic improvements. Most organizations still have Windows 7-based devices around, even though Microsoft has stopped the support of these operating systems (with some paid exceptions). Even when they were moving fast and furiously and got rid of all the legacy blocking these features, they didn’t enable them…
Of course, Microsoft certifications paid attention to these measures. The questions with these technology names and feature names in their answers were the easiest to answer: these answers were the right ones, because they represented new technology. We can conclude the theory is there, at least while crammed into short-term memory, but in practice it’s not implemented.
The results of many Active Directory health and risk assessments show that most AD admins manage their AD environments like it’s 2003. I think that’s a shame, because implementing the above two features correctly removes the ability to Kerberoast and use Mimikatz on admin accounts. These attacks are getting increasingly common to pop Domain Controllers.
Of course, some organizations have implemented these changes. Attacks against these organizations, and their supply chains, had to get more sophisticated. Researchers have picked all the low-hanging fruit, so you can imagine today’s vulnerabilities are harder to address.
Addressing today’s vulnerabilities in Kerberos and LDAP requires admins to actively prohibit the use of legacy clients, legacy technologies, and legacy cryptography.
A second wave of fixes is needed. In my mind, Microsoft’s answer to the ZeroLogon vulnerability (CVE-2020-1472) immediately stands out as a solution that is part of the second wave. As does Microsoft’s approach to enforce LDAP channel binding and LDAP signing (CVE-2017-8563) and the way Microsoft addressed the Kerberos Security Feature Bypass vulnerability known as CVE-2020-16996.
As part of the July 2017 Patch Tuesday series of updates, Microsoft introduced functionality to enable mitigations for an elevation of privilege vulnerability that exists when Kerberos falls back to NT LAN Manager (NTLM) as the default authentication protocol.
After installing the update, to effectively thwart these LDAP relay attacks, AD admins needed to perform two additional steps:1. Create a registry value to enforce LDAP channel binding (LdapEnforceChannelBinding);
Microsoft automatically rolled out these registry changes with the March 2020 Patch Tuesday. These settings are now enforced and any application, service, or system that doesn’t adhere to the new security standards fails.
During the August 2020 Patch Tuesday (August 11th, 2020), Microsoft used the same playbook to address two vulnerabilities. The vulnerability dubbed ‘ZeroLogon’ (CVE-2020-1472) poses the more serious problem. CVE-2020-16996 is the other Kerberos-related patch that was part of this Patch Tuesday.
The recipe is the same: Install the patch and edit the registry. Except that for ZeroLogon, Microsoft made a Group Policy setting available: The Domain controller: Allow vulnerable Netlogon secure channel connections group policy setting. Fancy… until you realize Group Policy settings are mere registry settings anyway.
The registry settings are to be automatically applied with the February 2021 Patch Tuesday (February 9th, 2021). After installing the February 2021 cumulative update, applications, services, and systems that don’t support the use of secure RPC for the Netlogon secure channel, are blocked, fail, and trigger Event ID 5829 on Domain Controllers.
When we put the above updates on a timeline, the following picture emerges, based on Microsoft Patch Tuesdays. The left edge of a block depicts the release of an update, and the red part depicts the mounting urgency towards (automatic) enforcing new security standards:
Figure 1: Examples of the second wave of identity-related security updates
Now, it gets interesting because the Kerberos KDC vulnerability known as CVE-2020-17049
comes into view. This Kerberos update is interesting, because Microsoft Security Response Center (MSRC)’s security update guide provided troublesome data for the corresponding PerformTicketSignature registry value, initially. Organizations who applied the update lost functionality between domains in multi-domain Active Directory implementations. The security update guide was revised soon after.
Zooming out, we can make out a new strategy from Microsoft when it comes to securing Active Directory and Kerberos. Microsoft changed its ways to address the security kerfuffle that is intrinsic to today’s Kerberos implementations and uses.
It’s clear something needs to be done to secure the on-premises protocols to preserve them as golden oldies for our networking needs.
I think there are three approaches admins can use to deal with the ‘new normal’ in Kerberos:
I’ll be the first to acknowledge that the third approach requires more time each month. It requires reading through Microsoft Security Response Center (MSRC)’s security update guide. It requires knowledge on how your organization uses certain technologies. It requires time, but it delivers something that holds true value. When this approach is embedded into current processes, IT can provide guarantees on the integrity and availability of applications, services, and systems. This earns them good nights filled with sleep and goodwill in the organization.
However, I don’t think you should throw away your process of installing Windows Updates in pre-production environments. Looking at CVE-2020-17049, it also still makes sense to deploy Windows Updates to a separate, yet representative pre-production environment.
Some might argue that AD admins could wait a week before implementing updates, but if every admin performed their job this way, we would only know of problems weeks after Patch Tuesdays…
What will your approach to Active Directory monitoring and management be going forward? Join the conversation on Twitter.
Active Directory is the foundation of your network, and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or poor end user experience. In particular, ENow enables you to:
- Report on highly privileged groups (domain admins)
- AD replication errors
- Identify Expensive LDAP queries
- DNS and name resolution problems
- Troubleshoot poor Exchange performance caused by Active Directory
Don’t take our word for it. Start your free trial today!
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities but my out of the box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge, compared to my true goal: helping people use the technology on a daily basis. In a way that ICT is not a mere hurdle, but an infinite enabler. His work as a consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aids him. Through direct communications with the product teams in Redmond, he remains up to date, exchange feedback and accelerate support.