
Are passwords for Windows accounts always stored in cleartext in memory, while the account is logged on?

Using Mimikatz I've seen lots of examples where passwords are stored in memory, either for domain/local accounts or service accounts.

Therefore I want to know whether passwords for logged-on Windows accounts are always stored in memory, or whether there is an exception to that rule.

Is it enough for Windows to only store NT hashes (local accounts) and MsCacheV2 hashes (domain accounts)?

schroeder
Shuzheng
  • Added request: I'd like to know how this ties in with the Kerberos protocol. – Mike Ounsworth Oct 15 '18 at 12:24
  • @MikeOunsworth - me too. I recently ran across a Kerberos-enabled Windows server that cached domain credentials for logged-on domain accounts; it had cached a domain administrator's password, although the administrator had not logged on for more than a month. – Shuzheng Oct 15 '18 at 13:03
  • Wait, are you asking about caching at the workstation or at the domain controller? I suspect the answer is different for each. – Mike Ounsworth Oct 15 '18 at 13:23
  • @MikeOunsworth - I would like to know the answer for both cases really. Any knowledge on the topic is appreciated. – Shuzheng Oct 15 '18 at 18:05

1 Answer


Not always; as usual there are a few measures to take that provide a defence in depth against Mimikatz.

In Win 2012 R2, you can (and should) utilise the new group in the 2012R2 schema called 'Protected Users', described in this TechNet article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)

You already practice the principle of least privilege, another, more general defence.

If you have older Windows machines in your domain, install KB2871997, which should backport the 'Protected Users' group into Windows versions still under support.

Finally, and this might be the most effective and easiest to push out via GP, there is a registry setting that you may set to prevent passwords being stored in plain text in RAM:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest, value 'UseLogonCredential', set to '0'.
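The following is an added example, not code from the answer above, that audits and applies the host-side controls the answer lists (the WDigest UseLogonCredential switch, the KB2871997 backport on older Windows) and checks Protected Users membership. It assumes an elevated Windows PowerShell 3.0 or later session; the Protected Users part additionally assumes the RSAT ActiveDirectory module and a domain whose schema is 2012 R2 or later. The account name 'da-jdoe' is a placeholder.

```powershell
# Added example (not from the original answer). Assumes an elevated Windows
# PowerShell 3.0+ session; Test-ProtectedUser also assumes the RSAT
# ActiveDirectory module and a 2012 R2 (or later) schema. 'da-jdoe' is a
# placeholder account name.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    # 'Enabled' means LSASS keeps the logon password in cleartext for WDigest,
    # which is exactly what Mimikatz's sekurlsa module reads back out.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
            -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $v) { return 'NotSet' }
    if ($v -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Test-WDigestHardened {
    # Windows 8.1 / Server 2012 R2 and later ship with the value absent, which
    # means disabled. On Windows 7 / 2008 R2 / 8 / 2012 the switch only exists
    # once KB2871997 is installed, and an absent value there still caches.
    $os = [version](Get-CimInstance Win32_OperatingSystem).Version
    $modern = $os -ge [version]'6.3'
    switch (Get-WDigestState) {
        'Disabled' { return $true }
        'NotSet'   { return $modern }   # older OS: unpatched or unset = still cached
        default    { return $false }    # explicitly 1: somebody turned caching back on
    }
}

function Disable-WDigestCaching {
    # Creates the key/value if missing, otherwise forces it to 0. Sessions that
    # are already logged on keep whatever LSASS cached; reboot to be certain.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Get-CredentialCachingAudit {
    # One object per host, suitable for collecting across a fleet.
    $os = [version](Get-CimInstance Win32_OperatingSystem).Version
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.ToString()
        WDigestState = Get-WDigestState
        Hardened     = Test-WDigestHardened
        KB2871997    = [bool](Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue)
    }
}

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Protected Users members can only authenticate with Kerberos: no NTLM,
    # WDigest or CredSSP, no DES/RC4 session keys, no delegation, and a
    # four-hour TGT lifetime. Do not add service or computer accounts; they
    # commonly depend on NTLM or delegation and will simply stop working.
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    return [bool]($members -contains $SamAccountName)
}

# Usage
Get-CredentialCachingAudit | Format-List
if (-not (Test-WDigestHardened)) { Disable-WDigestCaching }
# Test-ProtectedUser -SamAccountName 'da-jdoe'   # placeholder admin account
```

To push the same DWORD out via Group Policy, as the answer suggests, a Group Policy Preferences Registry item (Computer Configuration > Preferences > Windows Settings > Registry) targeting the path above does the job. Note that anyone with local administrator rights can set UseLogonCredential back to 1, so the audit function is worth re-running (or the value worth alerting on) rather than treating the setting as write-once.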