How weak passwords and other failings led to catastrophic breach of Ascension

Status
You're currently viewing only Incarnate's posts. Click here to go back to viewing the entire thread.

Incarnate

Ars Tribunus Angusticlavius
8,981
Subscriptor++
I haven't worked as a Windows sysadmin in 15 or so years, as my first "real" job, and I knew even then that NTLM was insecure. There was plenty of guidance from Microsoft on how to secure AD properly and avoid all of these problems. Any competent, properly-resourced IT department would have been able to do this, which strongly implies senior leadership didn't consider it to be a priority (let me guess, offshored IT handed out to either the lowest bidder or the CIO's nephew...).

Maybe jail time for CEOs whose companies fuck up this badly would prevent some of these issues, but somehow I doubt it.
Yes, NTLM is not secure, but for most organizations there is not a way to totally disable NTLMv2. Microsoft has been working towards this, and there was a lot of information posted in 2023, but it has been silent since then. Even some Microsoft-provided services like the print spooler are dependent on NTLM.

Don't confuse properly mitigating Kerberoasting with NTLM as a whole.

https://syfuhs.net/deprecating-ntlm-is-easy-and-other-lies-we-tell-ourselves
https://techcommunity.microsoft.com...e-evolution-of-windows-authentication/3926848
 
Upvote
4 (4 / 0)

Incarnate

Ars Tribunus Angusticlavius
8,981
Subscriptor++
Edit: I was wrong.

Doesn’t NTLM use the LAN Manager hashing algorithm that splits a 14-character password into two 7-character halves that are then hashed?

And that’s why Medin’s maths is wrong? Possibly leaving a 10-character password as two 5-character ones?

I had my 14-random-character password cracked by a malicious, power-tripping sysadmin in 2008.
You're not totally wrong. If you haven't configured the right mitigations, the easiest way to prevent this is having a 15-character password.

https://learn.microsoft.com/en-us/t...curity/prevent-windows-store-lm-hash-password
 
Upvote
0 (0 / 0)
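As an added example that is not part of this thread, the following Python shows the pre-hash transform LM applies to a password (upper-case, null-pad to 14 bytes, split into two 7-byte DES key inputs) and why a password of 15 or more characters is never stored as an LM hash; the 69-symbol LM charset size and the "each half is searched independently" guess estimate are assumptions used for the comparison, and the DES step itself is left out.

```python
# Added example, not code from the thread. Illustrates the LM split that
# makes the 15-character advice work. Assumptions are marked below.
import math

LM_CHARSET = 69   # assumption: 26 upper-case letters + 10 digits + 33 symbols
NT_CHARSET = 95   # printable ASCII, kept case-sensitive by the NT hash
LM_MAX_LEN = 14
LM_HALF_LEN = 7


def lm_halves(password: str):
    """Return the two 7-byte inputs LM derives from a password.

    Returns None when the password is longer than 14 characters: Windows then
    stores only the NT hash, which is what the 15-character advice relies on.
    """
    if len(password) > LM_MAX_LEN:
        return None
    # LM upper-cases and null-pads to 14 bytes before splitting, so a
    # 10-character password becomes a 7-byte half and a 3-byte half.
    padded = password.upper().encode("latin-1", "replace")
    padded = padded.ljust(LM_MAX_LEN, b"\x00")
    return padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]


def lm_worst_case_guesses(password: str) -> int:
    """Upper bound on guesses to recover a password through its LM halves."""
    halves = lm_halves(password)
    if halves is None:
        return 0  # no LM hash stored, nothing to attack this way
    # Assumption: each half is searched on its own; trailing null padding
    # shrinks the search to the characters actually present in that half.
    return sum(LM_CHARSET ** len(h.rstrip(b"\x00")) for h in halves)


def nt_worst_case_guesses(password: str) -> int:
    """Same bound for the NT hash, which keeps case and the full length."""
    return NT_CHARSET ** len(password)


def strength_report(password: str) -> dict:
    lm = lm_worst_case_guesses(password)
    nt = nt_worst_case_guesses(password)
    return {
        "length": len(password),
        "lm_hash_stored": lm > 0,
        "lm_log10_guesses": round(math.log10(lm), 1) if lm else None,
        "nt_log10_guesses": round(math.log10(nt), 1),
    }


if __name__ == "__main__":
    for pw in ("Passw0rd10", "Xk9#pL2mQ!7vB4", "Xk9#pL2mQ!7vB4z"):  # constructed
        print(strength_report(pw))
```

The report for the 14-character sample shows the LM bound near 10^13 against roughly 10^28 for the NT hash of the same password, and the 15-character sample has no LM hash at all.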

Incarnate

Ars Tribunus Angusticlavius
8,981
Subscriptor++
Microsoft's defense is obvious and already discussed in the article: "we issued guidance telling people what to do, so it's not our fault that people don't listen."

The issue is that, as a provider of a massive infrastructure product, Microsoft needs to contend with the reality that most people simply don't read. Of those who do, only a small portion will have the time, inclination, or resources to harden a(n often legacy) network according to constantly-updating advice, especially when you factor in the pain point of retraining users.

Governments face a similar problem when designing laws. If everyone simply behaved, then we'd have no need for them. The presumption that enough people won't behave (maliciously or due to incompetence) as to cause aggregate dangers/harms is enough justification to introduce and enforce rules.

Big companies want the benefits of being "big" without taking responsibility for being the referee. And while in a narrow sense you can make an argument for that, you'll never see any executives admitting "our product is good unless you don't follow x, y, z recommendations published regularly unless there's a zero-day".
If Microsoft disabled this, they could easily break critical applications for organizations. They could break older medical device equipment, manufacturing/production line equipment, and ERP systems that could bring organizations to a halt. It is the third-party products or applications that companies haven't updated in years or decades that are the primary issue here. I'm sure Microsoft has the telemetry behind this to understand how it could break certain organizations.

Your view of this particular issue is way too narrow.
 
Upvote
4 (10 / -6)