Over the past few months, several Microsoft security personnel have indicated that the upcoming release of Windows 10 and the future Windows Server 2016 will mark a new chapter in protecting users against attacks on Windows authentication protocols. Following the credential-theft mitigations introduced with Windows 8.1, it seems Microsoft is looking to further reduce the inherent exposure of its single sign-on (SSO) design. Pass-the-Hash and Pass-the-Ticket (PtH/PtT), for example, are among the more popular techniques that let attackers authenticate remotely to servers and services with a stolen NTLM hash or Kerberos ticket, bypassing the need for the plaintext password altogether. They are not the most sophisticated ways to gain and preserve access to a target desktop or server, but they remain popular, mostly because they abuse legitimate protocol behavior and are therefore practically impossible to disable outright. With the general shift from perimeter-based security to a user-centric approach, these attacks, together with the protocols they abuse, are once again a hot topic for discussion.
Starting in 2012, the Windows 8 generation (Windows 8, Windows 8.1, Windows Server 2012 and 2012 R2) marked a substantial effort to reduce attackers' ability to get their hands on hashed passwords by hardening the LSASS process that common credential-dumping tools target: Windows 8.1 and Server 2012 R2 added LSA protection, the Protected Users group and Restricted Admin mode for RDP, and stopped the WDigest provider from keeping plaintext passwords in memory. Nevertheless, even fully patched Windows environments still suffer from traditional authentication-based attacks, as attackers find new ways around each mitigation. With increasing attention to the risks introduced by SaaS applications and cloud-based IT environments, Microsoft will need to keep addressing users and user authentication as part of its complete network suite.
Based on Microsoft's own statements from this past year, we learned that Windows 10 will feature a new architectural answer to PtH/PtT: derived credentials such as NTLM hashes and Kerberos tickets will be stored within an isolated container (virtualization-based security) running on top of Hyper-V, Microsoft's hypervisor, rather than in a process that a local administrator can read. Microsoft claims this will eliminate the credential extraction that the techniques above depend on. Another interesting feature to look out for is a new credentialing system that will support Active Directory, Azure Active Directory and personal Microsoft accounts. This system should help rein in the spike in user identities roaming inside the network caused by the addition of personal and mobile devices to the corporate ecosystem; any security team will attest that keeping tabs on every phone or tablet introduced to the environment can become a complete nightmare. Another important addition is built-in two-factor authentication, aimed at mitigating credential abuse for malicious purposes: a device-bound credential is combined with a PIN or a biometric, so a stolen password alone is no longer enough. Attackers will have a much harder job bypassing the PIN or biometric measures that some companies will adopt.
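A practical way to see whether a host actually benefits from the mitigations discussed in the two paragraphs above (the Windows 8.1-era LSASS hardening and the Windows 10 credential isolation) is to audit the relevant settings and runtime state. The following PowerShell script is an added example written for this page, not Microsoft's code or a tool from the original post. It reads documented registry values and the Win32_DeviceGuard WMI class; the pass/fail interpretation of those values is the script's own assumption, and the "absent value means safe" treatment of WDigest holds only on Windows 8.1 and later.

```powershell
# Added example: audit credential-theft mitigations on a Windows 10 / Server 2016 host.
# Run in an elevated PowerShell session. Registry paths and the WMI class are the
# documented Microsoft ones; the OK/MISSING thresholds are this script's assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: report as not configured instead of failing
}

$results = [ordered]@{}

# 1. Windows 8.1-era mitigations (still relevant on Windows 10).
#    WDigest kept plaintext passwords in LSASS memory. UseLogonCredential=0 disables
#    that; on Windows 8.1+ an absent value means disabled by default (assumption: 8.1+ host).
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$results['WDigest plaintext credentials disabled'] = ($null -eq $wdigest -or $wdigest -eq 0)

#    RunAsPPL=1 runs LSASS as a Protected Process Light, so unsigned code cannot open it.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$results['LSA protection (RunAsPPL)'] = ($ppl -eq 1)

# 2. Credential Guard: derived credentials isolated in a VBS container on Hyper-V.
#    LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = off.
$lsacfg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
$results['Credential Guard configured (LsaCfgFlags)'] = ($lsacfg -in 1, 2)

#    Runtime state from the Device Guard WMI class:
#    VirtualizationBasedSecurityStatus 2 = VBS running;
#    SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$results['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)

# 3. Report. A MISSING row is a gap a local administrator can still exploit, e.g. by
#    dumping LSASS memory with a credential-dumping tool.
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Note that "configured" and "running" are checked separately on purpose: Credential Guard can be set in the registry or by Group Policy yet fail to start when the hardware prerequisites (UEFI, Secure Boot, virtualization extensions) are not met, and only the WMI runtime state tells you whether the isolation is actually in effect.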
From a behavioral analysis perspective, the above changes are both a blessing and a curse. On one hand, we can expect an improvement in behavior baselining and cross-domain user correlation, since a single credential system will span on-premises and cloud identities. On the other hand, potential weaknesses in the new credentialing and credential-isolation mechanisms will pose a new challenge when hunting for credential compromise, and will surely require further investigation and simulation going forward. The isolation also covers only the secrets LSASS holds; a password typed into an already-compromised host, or a credential cached by a third-party application, remains exposed, so detection does not become optional. As strong supporters of the user-centric approach to cyber security, we will watch whether these upcoming changes and challenges translate into a reduced overall threat of credential theft over time.
To conclude, and despite the recent Wi-Fi Sense credential-sharing controversy, we hope that broad adoption of Windows 10 will encourage Microsoft to keep investing in ways to reinforce Windows authentication protocols, making it even harder to steal, harvest, manipulate and elevate Windows credentials for malicious purposes.