Don’t just push the patch: KB2871997 plain text passwords and digest authentication

Back in May 2014 Microsoft released KB2871997. This update back-ports several credential-protection features of Windows 8.1 and Windows Server 2012 R2 to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. It is one of those updates that needs configuration after installation to be fully effective: installing it alone does not change the behaviour this post is about.

One of the back-ported features stops most security support providers (SSPs) from keeping a plain text copy of the logon password inside LSASS. The Digest Authentication SSP (WDigest), however, continues to store the plain text password unless it is explicitly configured not to. Microsoft prioritised compatibility here: digest authentication (used by some HTTP and SASL deployments) cannot work without the plain text password, so on these older systems the update leaves WDigest caching switched on by default.

An important point that is easily overlooked is that WDigest keeps this plain text copy after every interactive logon whether or not digest authentication is ever used, "just in case" a digest authentication is later needed. Anyone who can read LSASS memory on the machine (a local administrator, for instance with a tool such as mimikatz) therefore recovers the password itself, not just its hashes.

Assuming your environment has no legitimate use for digest authentication, it can be explicitly disabled by creating a REG_DWORD value and setting it to 0:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 (REG_DWORD)

Two caveats. First, on Windows 7, 8, 2008 R2 and 2012 the value does not exist after the update is installed, and a missing value is treated as enabled, so it has to be created rather than merely checked (on Windows 8.1 and 2012 R2 the default is the opposite: a missing value means disabled). Second, the setting only applies to logons that happen after it is set; passwords already cached in LSASS stay there until those sessions end or the machine is rebooted.
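The check and fix above, as an added example that is not part of the original post. It reports whether this host will keep plain text logon passwords, interpreting an absent value according to the OS version, and then creates or sets the value. It assumes an elevated PowerShell session on the host being fixed (PowerShell 2.0 cmdlets only, so it runs on a stock Windows 7); the function names are my own, the registry path and value name are Microsoft's.

```powershell
# Added example, not from the original post. Run elevated on the host being fixed.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestStatus {
    # Win32_OperatingSystem reports the real version even where an unmanifested
    # process sees 6.2 on Windows 8.1 / 2012 R2 via [Environment]::OSVersion.
    $osVersion = [version](Get-WmiObject -Class Win32_OperatingSystem).Version

    $value = $null
    $item = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($item) { $value = $item.UseLogonCredential }

    # What an ABSENT value means depends on the OS:
    #   6.3 and later (Windows 8.1 / Server 2012 R2+): absent = disabled
    #   6.1 / 6.2 with KB2871997 (7 / 2008 R2 / 8 / 2012): absent = ENABLED
    if ($null -eq $value) {
        $storesPlaintext = ($osVersion -lt [version]'6.3')
        $detail = 'UseLogonCredential absent (OS default applies)'
    } else {
        $storesPlaintext = ($value -ne 0)
        $detail = "UseLogonCredential = $value"
    }

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $osVersion.ToString()
        StoresPlaintext = $storesPlaintext
        Detail          = $detail
    }
}

function Disable-WDigestPlaintext {
    if (-not (Test-Path -Path $WDigestKey)) {
        New-Item -Path $WDigestKey -Force | Out-Null
    }
    # Must be REG_DWORD. -Type DWord creates the value when it does not exist,
    # which is the normal case on Windows 7 / 2008 R2 after KB2871997.
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord

    # Only logons after this point are affected: passwords already cached in
    # LSASS remain until those sessions end or the machine reboots.
    Get-WDigestStatus
}

Get-WDigestStatus | Format-List
Disable-WDigestPlaintext | Format-List
```

Get-WDigestStatus is the piece worth wrapping in whatever inventory or compliance tooling you already have: a host that has KB2871997 installed but reports StoresPlaintext = True is exactly the "patched but not configured" case this post is about.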

However, this setting should be monitored for changes. An attacker with administrative rights can simply set it back to 1 (or delete the value on a system where absence means enabled), after which every subsequent logon once again leaves a plain text password in LSASS alongside the hashes. Audit writes to the value with a SACL on the WDigest key (Security event 4657, "A registry value was modified") or with Sysmon's registry events (Event ID 13), and alert on any change to it.
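The monitoring described above, as an added example that is not part of the original post. Enable-WDigestAudit turns on the Registry audit subcategory and puts a SACL on the WDigest key so that writes and deletions produce Security event 4657; Get-WDigestTamperEvents then collects 4657 events for UseLogonCredential and, if Sysmon is deployed with a registry rule covering this key, Sysmon Event ID 13 as well. It assumes an elevated session; the function names are my own, the event IDs and field names are Windows' and Sysmon's.

```powershell
# Added example, not from the original post. Run elevated.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Enable-WDigestAudit {
    # Event 4657 needs BOTH the Object Access > Registry audit subcategory and a
    # SACL on the key itself. auditpol is the supported way to set the former.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    $acl  = Get-Acl -Path $WDigestKey -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone',
        'SetValue, CreateSubKey, Delete, ChangePermissions',   # what to audit
        'ContainerInherit',                                    # and on subkeys
        'None',
        'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $WDigestKey -AclObject $acl
}

function ConvertTo-EventData {
    # Flatten an event's <EventData> into a name -> value hashtable.
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-WDigestTamperEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $hits  = @()

    # Native audit: 4657 covers creation, modification and deletion of a value.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } `
                        -ErrorAction SilentlyContinue
    foreach ($ev in $sec) {
        $d = ConvertTo-EventData $ev
        if ($d.ObjectValueName -eq 'UseLogonCredential' -and $d.ObjectName -like '*\WDigest') {
            $hits += New-Object PSObject -Property @{
                TimeCreated = $ev.TimeCreated
                Source      = 'Security/4657'
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.ProcessName
                OldValue    = $d.OldValue
                NewValue    = $d.NewValue
            }
        }
    }

    # Sysmon: Event 13 (RegistryEvent, value set). Only present if Sysmon is
    # installed and its config includes a rule for this target.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since } `
                        -ErrorAction SilentlyContinue
    foreach ($ev in $sys) {
        $d = ConvertTo-EventData $ev
        if ($d.TargetObject -like '*\WDigest\UseLogonCredential') {
            $hits += New-Object PSObject -Property @{
                TimeCreated = $ev.TimeCreated
                Source      = 'Sysmon/13'
                User        = $null          # User field only exists in newer Sysmon builds
                Process     = $d.Image
                OldValue    = $null          # Sysmon records the new value only
                NewValue    = $d.Details
            }
        }
    }

    $hits | Sort-Object TimeCreated
}

Enable-WDigestAudit
Get-WDigestTamperEvents -Days 30 | Format-Table TimeCreated, Source, User, Process, OldValue, NewValue -AutoSize
```

In practice the query belongs in the SIEM rather than on each host; the point of the local version is to confirm that the SACL and audit policy actually fire before you rely on them. Any 4657 for this value whose ProcessName is not your own configuration-management agent deserves a look.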

A more complete mitigation is to put the accounts used for remote administration in the Protected Users security group (it appears once the domain's PDC emulator runs Windows Server 2012 R2; on Windows 7 and 2008 R2 the client-side protections require KB2871997). Members of Protected Users do not leave reusable credentials behind: their plain text password and NTLM hash are not cached, they cannot authenticate with NTLM, and Kerberos will not use DES or RC4 for them or allow their tickets to be delegated. This depends on good local administrator routines such as LAPS being in place too, so that administrators are never tempted to fall back to a shared local account that sits outside the group.
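A way to find the privileged accounts that are not yet covered, as an added example that is not part of the original post. It lists members of the default privileged groups that are absent from Protected Users and, with -Enforce, adds them. It assumes the RSAT ActiveDirectory module and a domain in which the Protected Users group already exists (PDC emulator on Server 2012 R2 or later); the group names are the built-in defaults, the function name and its parameters are my own.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Protect-AdminAccounts {
    param(
        [string[]]$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [string[]]$Exclude     = @(),      # sAMAccountNames to leave alone
        [switch]$Enforce
    )

    # Current membership, keyed by DN for cheap lookup.
    $protected = @{}
    foreach ($m in Get-ADGroupMember -Identity 'Protected Users' -Recursive) {
        $protected[$m.DistinguishedName] = $true
    }

    $missing = @()
    foreach ($group in $AdminGroups) {
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            # Only user objects: computers and service accounts must never be
            # members. Members lose NTLM, RC4/DES, delegation and long-lived
            # TGTs, so anything service-like has to be excluded and tested first.
            if ($m.objectClass -ne 'user') { continue }
            if ($Exclude -contains $m.SamAccountName) { continue }
            if ($protected.ContainsKey($m.DistinguishedName)) { continue }
            $missing += New-Object PSObject -Property @{
                Account = $m.SamAccountName
                Group   = $group
                DN      = $m.DistinguishedName
            }
        }
    }

    if ($Enforce -and $missing.Count -gt 0) {
        $dns = $missing | Select-Object -ExpandProperty DN -Unique
        Add-ADGroupMember -Identity 'Protected Users' -Members $dns
    }
    return $missing
}

# Report only. Keep at least one break-glass account out of the group so a
# misconfiguration (e.g. an NTLM-only service) cannot lock every admin out.
Protect-AdminAccounts -Exclude @('breakglass-admin') | Format-Table Account, Group -AutoSize
```

Run it in report mode first and add accounts in batches: a member of Protected Users that still needs NTLM somewhere will simply fail to authenticate there, which is the mitigation working as designed but is also how you discover the dependencies nobody documented.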

It is wise to check that patching routines include confirming whether post-install configuration is required and, when it is, a plan for rolling it out. Given the ubiquity of Windows 7 in business I suspect there are many organisations missing this simple fix even though they have the latest patches installed.

Remember hackers read patch notes.
