
The Administrative Credentials Security Hole

April 19, 2017 by Chris Stoneff

Did you know that almost anyone with a bit of initiative can break into your systems in minutes – quietly and without leaving a trace?

Even when you physically secure your servers, apply patches, and harden servers and workstations with group policies, it can take an attacker only minutes to gain the keys to the IT kingdom: administrator passwords.

What is the Administrative Credentials Security Hole?

Here’s the problem: administrative credentials are stored on machines throughout the network. If any of these credentials become known to an unauthorized user, that user gains partial or complete administrative access to the domain.

IT administrators face a significant challenge if their organization’s security policy requires that all administrator passwords change regularly. It is tedious just to locate, let alone update, every local administrator account, and that doesn’t count the accounts used by scheduled tasks, services, and COM objects on machines throughout the network. Consequently, many of these updates are never done.

Here are some of the credentials that can become compromised:

  • Built-in administrator accounts: Every machine has a local Administrator account created when the machine is built. In many organizations the account name and password are the same on every system, so a hacker only has to recover the local administrator password from one system to become an administrator everywhere. A weak password can be cracked in seconds using rainbow tables, and on Windows the NTLM hash itself can often be replayed (pass-the-hash) without cracking it at all.
  • Service accounts: Many machines run services configured with a local or domain administrator account. The bad news is that the account name and password of every such service are stored on that machine: the password sits in the LSA secrets, reversibly encrypted so that the Service Control Manager can use it at start-up. Once a hacker has administrator access to a machine, reading the LSA secrets with a standard credential-dumping tool is trivial, and no cracking is required.
  • Embedded credentials: Sometimes usernames and passwords are hard-coded in scripts, configuration files or applications, stored in clear text or easily reversible encryption, and then forgotten. Because these items are invisible once deployed, they are rarely, if ever, changed. The problem grows over time as fear, uncertainty and doubt mount over how an account may have been used, since that use is rarely documented. These accounts often grant access to privileged data or personally identifiable information.

Security Best Practices for Workstations

Malicious insiders can easily defeat the local security of their own machines and expose the credentials stored there, so you should take precautions to minimize the problem. First, try to prevent the introduction of hacking tools. With group policies in Active Directory you can disable the registry editor and block known tools from running (software restriction policies or AppLocker). But these policies are ineffective if the user can boot from a flash drive or CD-ROM into another operating system and run their tools against the disk offline, outside Windows.

Another option is to disable the USB ports and optical drives. That is effective, at least until a determined person opens the case or gets into the BIOS and re-enables the devices. The most insidious attack is to copy the data, or image the whole machine, to a location you do not control and then crack it at leisure.

It seems that for every step you take to stop a hostile user from extracting sensitive information, there is a workaround. The only practical solution, then, is to reduce the value of the information on each workstation: make sure that no service, scheduled task or COM+ object references a domain administrator account, so that whatever is extracted from a workstation is worth little beyond that workstation.

Next, the local administrator account passwords must be changed on a regular basis, and each machine should have its own unique password. That way, even if someone recovers one, the stolen credential cannot be reused to move between systems on the network.
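What unique, regularly rotated local administrator passwords look like in practice, as an added example that is not part of the original post: the script below sets a freshly generated random password on the built-in Administrator account of each host in a list over PowerShell remoting. The host names are placeholders, and the DPAPI-protected CSV it writes is a stand-in for a real vault (Microsoft’s free LAPS, for instance, stores the password in a protected Active Directory attribute); both are assumptions of the example.

```powershell
# Added example: one random password per machine for the built-in local
# Administrator (RID 500). Assumes WinRM access to the hosts and a vault of
# your own at the point marked below. Skip domain controllers: they have no
# local SAM, so there is no local Administrator to rotate.
$Hosts = @('WS01', 'WS02')   # assumed host list

function New-RandomPassword {
    param([int]$Length = 24)
    # Letters, digits and symbols so typical complexity policies are satisfied.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    # Rejection sampling: discard bytes at or above the largest multiple of the
    # alphabet size so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

$results = foreach ($h in $Hosts) {
    $pw = New-RandomPassword
    try {
        # The WinRM channel is encrypted (Kerberos/HTTPS), so the new password
        # is passed as a string and converted to a SecureString on the target.
        $account = Invoke-Command -ComputerName $h -ErrorAction Stop -ArgumentList $pw -ScriptBlock {
            param([string]$Plain)
            $secure = ConvertTo-SecureString $Plain -AsPlainText -Force
            # Select by well-known RID 500, not by name: the built-in account
            # may have been renamed as a hardening step.
            $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
            if (-not $admin) { throw 'No RID-500 local account found' }
            Set-LocalUser -InputObject $admin -Password $secure
            $admin.Name
        }
        [pscustomobject]@{
            Host      = $h
            Account   = $account
            # Stand-in for a vault: DPAPI-protect the password under the
            # current user's profile before it touches disk.
            Protected = ConvertFrom-SecureString (ConvertTo-SecureString $pw -AsPlainText -Force)
            RotatedAt = (Get-Date).ToString('o')
        }
    } catch {
        Write-Warning "Rotation failed on $h : $($_.Exception.Message)"
    }
}

# Assumed store location; replace with your vault's API in a real deployment.
$results | Export-Csv -Path .\local-admin-rotation.csv -NoTypeInformation
$results | Select-Object Host, Account, RotatedAt | Format-Table -AutoSize
```

Because each host receives a different value, a hash or password recovered from one workstation no longer unlocks any other. Run it from an account that is already a local administrator on the targets, and treat the output file exactly as you would the passwords themselves.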

Security Best Practices for Servers

IT administrators who leave an organization can take knowledge of the administrator passwords with them. This is particularly dangerous when all administrator passwords are the same, and rarely changed.

Within a large organization there may be thousands of servers with domain administrator accounts running as services, scheduled tasks, MTS/COM+/DCOM objects, and local logon accounts. Any attempt to change the credentials of these accounts could result in an untold number of critical systems going off-line.

Due to the difficulty of finding all objects used by administrator accounts, many organizations neglect to update this information.

Solutions to the Common Administrative Credentials Problem

The goal of any security program is to stop or mitigate a threat. To mitigate the administrative credentials threat, you must change the administrator passwords regularly and make each one unique.

There also needs to be a way of searching through the machines in an organization to find instances of both local and domain administrator accounts. The credentials of those accounts must be frequently updated. And this needs to be done for privileged passwords on every system, device and application in the enterprise.

The least expensive solution involves scripting, a lot of patience, and an up-to-date list of systems. Unfortunately, scripts provide no database or GUI front end for management, and they struggle with complex services, COM objects, and scheduled tasks. The problem is not so much in writing the script. The real problem is in testing, troubleshooting, documenting, supporting, and updating it.
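The discovery half of that scripting approach, as an added example that is not part of the original post: this inventories the services, scheduled tasks and DCOM/COM+ applications on each listed host and reports the ones configured to run as a privileged account. The host names and the list of privileged account names are placeholders you would replace with your own; they are assumptions of the example, not values from the post.

```powershell
# Added example: find where privileged accounts are used as "run as" identities.
# Assumes CIM/WinRM access to the hosts; host and account names are placeholders.
$Hosts = @('SRV01', 'SRV02')                                        # assumed host list
$PrivilegedAccounts = @('CORP\Administrator', 'CORP\svc_backup')    # assumed account names

# Lower-case and trim so 'corp\Administrator' and 'CORP\administrator' compare equal.
function ConvertTo-AccountKey([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    return $Name.Trim().ToLowerInvariant()
}

$wanted = $PrivilegedAccounts | ForEach-Object { ConvertTo-AccountKey $_ }

$findings = foreach ($h in $Hosts) {
    try {
        $cim = New-CimSession -ComputerName $h -ErrorAction Stop
    } catch {
        Write-Warning "Cannot reach $h : $($_.Exception.Message)"
        continue
    }

    # Services: Win32_Service.StartName is the logon account of the service.
    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Where-Object { $wanted -contains (ConvertTo-AccountKey $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{ Host = $h; Type = 'Service'; Name = $_.Name; Account = $_.StartName }
        }

    # Scheduled tasks: Principal.UserId is the identity the task runs under.
    # Note that it may be written without the domain part, so compare both forms.
    Get-ScheduledTask -CimSession $cim |
        Where-Object {
            $id = ConvertTo-AccountKey $_.Principal.UserId
            ($wanted -contains $id) -or ($wanted | Where-Object { $_.Split('\')[-1] -eq $id })
        } |
        ForEach-Object {
            [pscustomobject]@{ Host = $h; Type = 'ScheduledTask'; Name = $_.TaskName; Account = $_.Principal.UserId }
        }

    # DCOM and COM+ applications configured with an explicit "run as" user.
    Get-CimInstance -CimSession $cim -ClassName Win32_DCOMApplicationSetting |
        Where-Object { $wanted -contains (ConvertTo-AccountKey $_.RunAsUser) } |
        ForEach-Object {
            [pscustomobject]@{ Host = $h; Type = 'DCOMApplication'; Name = $_.Description; Account = $_.RunAsUser }
        }

    Remove-CimSession $cim
}

$findings | Sort-Object Host, Type, Name | Format-Table -AutoSize
# Assumed output path; this list is the work queue for the password change.
$findings | Export-Csv -Path .\privileged-account-usage.csv -NoTypeInformation
```

Every row in the output is a place that will break when the account’s password changes, which is exactly the list you need before rotating anything. The script does not catch credentials embedded in application configuration files or scripts; those still need a file-level search.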

Group policies are a write-only solution with no inherent intelligence. They have no reporting capability and rely on each workstation to request a refresh, so hours can pass between applying a policy in Active Directory and its taking effect on a given system, assuming it applies at all. Group Policy Preferences once offered a way to set local account passwords, but the values were stored in SYSVOL encrypted with a published key, and Microsoft removed the feature in 2014 (MS14-025).

Automated Privileged Identity Management

So if neither of these options are right for enterprise environments, what are we left with? The answer is commercial privileged identity management. With this solution you can automatically discover privileged accounts throughout your cross-platform enterprise (on-premises and in the cloud), bring those accounts under management, and audit access to them.

You can update each privileged credential as often as necessary, even every couple of hours. That limits the damage from zero-day attacks and other advanced cyber threats: even if an intruder compromises a credential, it has a short lifetime, so the intruder cannot use it to leapfrog between systems.

And with an automated solution handling a complex problem, you can dedicate your limited IT resources to other projects.

Chris Stoneff

Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is responsible for meeting the real-world needs of the company’s customers. With over 15 years of systems administration, consulting, training, and product management experience, Mr. Stoneff is instrumental in guiding the development of the Lieberman Software products portfolio. An accomplished consultant and technical trainer, he has taught thousands of administrators on fundamental and advanced concepts of Windows management and security concepts and key technologies.