With a lot of unpatched versions of Windows in an Active Directory domain, one can man-in-the-middle a client when it connects to the domain controller and inject a group policy that gives an attacker local administrator privileges (https://labs.mwrinfosecurity.com/blog/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/). The solution is to use UNC path hardening for SYSVOL. What does this do exactly? How is it related to SMB signing? Presumably, at the end of the day it must be something similar to x509 certificates. If so, when are the public keys exchanged?
As of 2016 there's no reason to have unpatched Windows instances. Windows has very good compatibility, so even most Windows-integrated applications will have to work on patched versions. Even these patched versions are more stable because there are also application fixes (in service packs). As of 2016 the unpatched operating system is more like a backdoor and should be taken very seriously. – Aria Aug 20 '16 at 11:42
I don't see how that's relevant to the question. – Volker Aug 20 '16 at 19:51
1 Answer
UNC Path Hardening comes from the JASBUG vulnerabilities (MS15-011 and MS15-014).
Microsoft suggests implementing workarounds to the SMB MITM issues easily found in the Responder.py or related tools and techniques (e.g., CORE Impacket, Potato, Tater, SmashedPotato, et al) which include but are not limited to SMB Signing. More information available via these resources:
- "Extended Protection" primer and implementation guide to prevent MITM
- https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth
- http://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/DavidKruse-SMB_3_0_Because_3-2_v2_Revision.pdf
The basics: Implement protection against SMB MITM and Replay with always-on SMB signing, Extended Protection for Authentication (EPA), and forcing use of SMB 3 (or at least SMB 2.5 with proper RequireSecureNegotiate -- SMB 3 everywhere may require Win10 clients and Win Server 2012 R2 with domain and forest functional level of 2012 R2) while ensuring NBT, LLMNR, WPAD, and DNS don't create other MITM protocol scenarios.
After which, JASBUG can be patched after the UNC Hardened Path configuration is added. Note that the patch does not imply a fix, so the person who commented under the original question does not understand the JASBUG vulnerability (a common finding).
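To make the "UNC Hardened Path configuration" and the SMB signing requirement from the answer concrete, here is an added PowerShell example (it is not part of the original answer and not Microsoft tooling) that audits and enforces, on one domain-joined host, the registry values Group Policy writes for UNC Hardened Paths, the SMB client and server signing requirement, and the LLMNR policy setting. The two hardened-path flags are what tie the mechanism to SMB signing: RequireMutualAuthentication=1 means the client will only talk to a SYSVOL/NETLOGON server that has proved its identity (in practice Kerberos, since NTLM cannot authenticate the server), and RequireIntegrity=1 means the SMB session must be signed with the session key derived from that authentication, so an interposed host cannot substitute or modify the policy files the client pulls. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare cmdlets) with the MS15-011 update installed; the function names are my own.

```powershell
# Added example, not from the original answer: audit/enforce UNC Hardened Paths,
# SMB signing and LLMNR on a domain-joined Windows host. Run elevated.
#Requires -RunAsAdministrator

# Registry location written by the "Hardened UNC Paths" GPO setting (MS15-011 / KB3000483).
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# RequireMutualAuthentication=1: client must authenticate the server (Kerberos).
# RequireIntegrity=1: the SMB session must be signed, so policy files cannot be swapped in transit.
# RequirePrivacy=1 (optional, SMB 3.0+ only) would additionally require SMB encryption.
$RequiredPaths = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-UncHardening {
    # One object per path: the configured value and whether both flags are present.
    foreach ($path in $RequiredPaths.Keys) {
        $current = (Get-ItemProperty -Path $HardenedPathsKey -Name $path -ErrorAction SilentlyContinue).$path
        $ok = $false
        if ($current) {
            # Accept any ordering or spacing of the flags.
            $ok = ($current -match 'RequireMutualAuthentication\s*=\s*1') -and
                  ($current -match 'RequireIntegrity\s*=\s*1')
        }
        [pscustomobject]@{ Path = $path; Value = $current; Compliant = $ok }
    }
}

function Set-UncHardening {
    if (-not (Test-Path $HardenedPathsKey)) { New-Item -Path $HardenedPathsKey -Force | Out-Null }
    foreach ($path in $RequiredPaths.Keys) {
        New-ItemProperty -Path $HardenedPathsKey -Name $path -Value $RequiredPaths[$path] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-SmbSigning {
    # RequireIntegrity only covers the hardened paths; signing should be mandatory
    # for every SMB session so that relay/MITM against other shares fails too.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
    }
}

function Set-SmbSigning {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# LLMNR is one of the name-resolution fallbacks the answer warns about; the policy
# value below ("Turn off multicast name resolution") disables it.
$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Test-LlmnrDisabled {
    $v = (Get-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    return ($v -eq 0)
}

function Disable-Llmnr {
    if (-not (Test-Path $DnsClientPolicyKey)) { New-Item -Path $DnsClientPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -Value 0 -PropertyType DWord -Force | Out-Null
}

# Usage: audit first, then enforce and refresh policy.
Test-UncHardening | Format-Table -AutoSize
Test-SmbSigning
"LLMNR disabled: $(Test-LlmnrDisabled)"
# Set-UncHardening; Set-SmbSigning; Disable-Llmnr; gpupdate /force
```

In a domain the same three settings are normally deployed through a GPO rather than per host, but the values land in exactly these keys; auditing them directly on a client is a quick way to confirm that the policy actually applied before relying on it. Note that hardened paths and signing protect the client's connection to SYSVOL; they do nothing for NetBIOS/WPAD-based poisoning unless those protocols are disabled as well.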