If you’re concerned with security issues then you may be wondering what the release of Windows 8.1 on October 17th will provide in this area. The most important new features are designed to thwart Pass-the-Hash (PtH) attacks. In a pass-the-hash attack the attacker gains access to a machine as a regular user who is also a local administrator. They then locate and steal network administration-level credentials that Windows has stored (as a “hash” value) on the computer and use those credentials to log on to higher-value targets such as servers. There have always been mitigation options that organizations could adopt, for example not using domain admin accounts to log on to users’ workstations when troubleshooting. However, PtH attacks still continue, and automated tools that make PtH attacks even simpler are readily available on the Internet.

Let’s look at the changes in Windows 8.1 that now make Pass-the-Hash attacks harder to carry out.

First, when a user logs on locally to a Windows 8.1 machine their credentials are not cached on the local machine, not even in memory. There is also a new domain global security group called “Protected Users.” Members of that group have more stringent requirements for logging on (for example, they must use Kerberos authentication). The same restrictions apply when a member of the Protected Users group logs on to the R2 version of Server 2012; however, the protection has not currently been back-ported to earlier versions of the server and workstation operating systems. Another requirement to be aware of is that your Active Directory domain functional level has to be at Windows Server 2012 R2 before the Protected Users group will be available, so this is a benefit you are likely to reap in the future rather than immediately. Nevertheless, Windows 8.1 handles credentials in a more secure manner than previous versions, even without the added bonus of the Protected Users group. For example, Microsoft has hardened the Local Security Authority Subsystem Service (LSASS) process so that it is more difficult for attackers to inject code into the process and use that code to extract security information, which was one way that attacks were carried out in the past.

A related new feature, Restricted Admin Mode for RDP connections, provides extra protection when network administrators log on remotely to computers. When you connect to a remote computer using the command MSTSC.EXE /RESTRICTEDADMIN, you will be authenticated to the remote computer but your credentials will not be stored on that computer as they would have been in the past. This means that if the remote computer has been infected with PtH-style malware, your credentials will not be exposed to theft by that malware.

Another important security enhancement is the increased use of device encryption. Device encryption of the OS volume by Windows now comes included on all versions of Windows 8.1. It is enabled once a local administrator logs on to the machine with a Microsoft account (e.g. a Windows Live account), as long as the computer uses a UEFI boot process and has a TPM chip in its hardware. If the protected machine is not part of an Active Directory domain then the encryption keys will be stored in the SkyDrive storage area of the Microsoft account. It should be noted that though Device Encryption uses BitLocker technology there are no configurable options for the Device Encryption feature – other than disabling it so that you can use third-party encryption services. If you need the ability to configure the encryption then this is done, as in previous versions, using BitLocker. There is no need to re-encrypt the drive with BitLocker; you just start using BitLocker on the device that is already protected by Device Encryption and the features and options of BitLocker are added to the machine. However, the BitLocker functionality is still only available in the Professional and Enterprise editions of Windows 8.1.
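As an added example (not code from the original post), the PowerShell function below audits a Windows 8.1 workstation and its domain against the prerequisites described above: the Windows Server 2012 R2 domain functional level needed for the Protected Users group, whether that group exists, UEFI boot and a TPM for Device Encryption, the OS volume's encryption state, and whether the edition can use BitLocker. It assumes the RSAT ActiveDirectory module and the built-in TrustedPlatformModule, SecureBoot and BitLocker modules are available in an elevated session; the DisableRestrictedAdmin registry value used to report Restricted Admin Mode status is an assumption not stated in the post.

```powershell
# Added example: audit the Windows 8.1 prerequisites discussed above.
# Assumes the RSAT ActiveDirectory module plus the built-in TrustedPlatformModule,
# SecureBoot and BitLocker modules; run from an elevated PowerShell session.
function Test-Win81CredentialProtection {
    $r = [ordered]@{}

    # Protected Users requires the domain at the Windows Server 2012 R2 functional level.
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $domain = Get-ADDomain -ErrorAction Stop
        $r.DomainMode           = [string]$domain.DomainMode
        $r.DomainLevelIs2012R2  = ($domain.DomainMode -eq 'Windows2012R2Domain')
        $r.ProtectedUsersExists = [bool](Get-ADGroup -Filter { Name -eq 'Protected Users' })
    } catch {
        $r.DomainMode           = 'n/a (not domain-joined or RSAT missing)'
        $r.DomainLevelIs2012R2  = $false
        $r.ProtectedUsersExists = $false
    }

    # Restricted Admin RDP: this LSA value is an assumption not stated in the post;
    # 0 (or absent on RTM builds) means /RESTRICTEDADMIN connections are accepted.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $r.DisableRestrictedAdmin = if ($null -eq $lsa.DisableRestrictedAdmin) { 'not set' } else { $lsa.DisableRestrictedAdmin }

    # Device Encryption needs UEFI boot (Confirm-SecureBootUEFI throws on legacy BIOS) and a TPM.
    try { $r.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop); $r.UefiBoot = $true }
    catch { $r.UefiBoot = $false; $r.SecureBootOn = $false }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $r.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Current state of the OS volume (Device Encryption and BitLocker both report here).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r.OsVolumeStatus     = if ($vol) { [string]$vol.VolumeStatus }     else { 'unknown' }
    $r.OsVolumeProtection = if ($vol) { [string]$vol.ProtectionStatus } else { 'unknown' }

    # Only Professional and Enterprise editions expose the configurable BitLocker features.
    $os = Get-CimInstance Win32_OperatingSystem
    $r.Edition                 = $os.Caption
    $r.BitLockerCapableEdition = ($os.Caption -match 'Pro|Enterprise')

    [pscustomobject]$r
}

Test-Win81CredentialProtection | Format-List
```

Any row reporting $false or 'unknown' points at a prerequisite the post says must be in place before the corresponding protection applies.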

There are other security improvements in Windows 8.1, such as an enhanced biometric experience built into the OS and improved Mobile Device Management security; however, device encryption and the defenses Microsoft has added against Pass-the-Hash attacks are good enough reasons in themselves to upgrade your workstations to Windows 8.1.

New Signature has years of deep experience with Windows 8, so if you have questions about deploying the operating system then please give us a call.