You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick

Microsoft completed a vulnerability hat-trick this month as yet another security weakness was uncovered in its operating systems. And this one doesn't even need authentication to work its magic. The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond's MS-EFSRPC ( …

  1. Version 1.0 Silver badge

    "Microsoft are no[t] fixing this,"

    I'm sure that they will "fix" it but we have to accept that fixing a security issue that we've discovered doesn't mean that there are no other security holes in the system. Every time this happens we're told that "It's been fixed" but then a week or two later we discover another issue - so how many problems are there out there? We're told that "it's fixed" but does anyone ever check the entire environment? This quote isn't a criticism, it's just the way life is and an accurate statement by someone who worked in this world all his life:

    "The trouble with programmers is that you can never tell what a programmer is doing until it's too late." - Seymour Cray

    1. amanfromMars 1 Silver badge

      Re: "Microsoft are no[t] fixing this,"

      "The trouble with programmers is that you can never tell what a programmer is doing until it's too late." - Seymour Cray

      And that's the great thing about that which they are programming, there is neither noisy opposition nor nosey competition to hinder or prevent Stealthy Autonomous Progress in Fields Engaging with and Exploiting the Virtual Machine and Earthed SCADA Systems. Great programmers realise it a heavenly blessing in disguise and relish it myriad hellish pathways beta testing tasks with crash testing dummies.

      Do Microsoft not have any such great programmers .... is a very valid question to be asking them .... and their counterpart peers/business competition?

      Should the answers be a resounding and deafening No, there can easily be more than just Great Troubles ahead ..... for the cat is effectively away and mice love to play.

    2. big_D Silver badge

      Re: "Microsoft are no[t] fixing this,"

      The problem is, this is a legacy interface and that means that you can't really fiddle around with it, because everything else that uses it hasn't been updated for over 20 years...

      Most companies could probably disable NTLM and not notice it, to be honest. It was, after all, superseded by Active Directory nearly 2 decades ago!

      But if you have any legacy kit (or kit from lazy vendors, who can't be bothered to do things properly), you have to keep it around.

      That the default configuration doesn't work to Microsoft's advisory is the real scandal. If the problem has long been known (years) and is attacked again and again (this is the second NTLM exploit this year, with the same advisory advice, more or less), why does MS not correct the default installation configuration of a domain to block this type of attack?

      1. Anonymous Coward

        "why does MS not correct the default installation"

        I believe you already answered yourself - it would break all those old and badly written applications (and habits) that rely on NTLM. I agree that all domain-joined machines should only use Kerberos and neuter NTLM.

        1. big_D Silver badge

          Re: "why does MS not correct the default installation"

          But so little actually needs NTLM these days, it would be better to not install NTLM, unless there is a specific need. If there is a specific need, install it in a safe configuration and make the admin make it less secure, if that is what they need.

          Software should always default safe and leave it up to the admin/user to make a complete pig's ear of it. Instead, we usually get software that is a complete pig's ear and we have to spend the time putting it right... Life is too short for such nonsense.

          The industry needs to do what it preaches. If they find the default configuration is unsafe, they should ensure that the default is changed to take account of the new findings.

          1. Brewster's Angle Grinder Silver badge

            Re: "why does MS not correct the default installation"

            "...so little actually needs NTLM these days..."

            Microsoft have plenty of telemetry. They should have a good idea how much this is being used. Draw your own conclusions about why it's left on.

  2. This post has been deleted by its author

  3. elsergiovolador Silver badge

    Right to repair

    This is where bodies like CMA and Trading Standards should be intervening.

    If company does not want to fix the software, they should be required to give up the source code to the customer, so they can get someone or a software shop to fix it for them.

    It's crazy that this isn't even talked about.

    1. Nunyabiznes

      Re: Right to repair

      Upvote, but...

      Would this spell an end to Intellectual Property? Would that be a bad thing?

      I don't know the answer to either of those questions, but you are correct there should be a conversation.

      1. vtcodger Silver badge

        Re: Right to repair

        Would this spell an end to Intellectual Property?

        No? There's still copyright. For the most part, you can't simply copy anything more than small code fragments without permission.

        Would that (killing Intellectual Property) be a bad thing?

        No. Intellectual Property is pretty much an unworkable concept that serves as the basis for unending preposterous lawsuits that the courts are obviously incapable of resolving fairly or rationally. But no one is likely to admit that until the end of days when The wolf shall dwell with the lamb, and the leopard shall lie down with the young goat, and the calf and the lion and the fattened calf together; ... and lawyers shall commence to do only useful things with their lives.

        1. doublelayer Silver badge

          Re: Right to repair

          Would this spell an end to Intellectual Property?

          No? There's still copyright. For the most part, you can't simply copy anything more than small code fragments without permission.

          Yes, it would. If you make it legally required to release the code, then either you have to let people change that code by fixing it or the required release will achieve nothing because it would still be illegal to do anything with it. The argument about whether this is good is one I'll let others have, but you can't have your enforced-open-source cake and expect copyright to continue to have any real existence.

    2. big_D Silver badge

      Re: Right to repair

      Giving up the source code is pointless, long term. Once you have paid someone to make the change for you, they will also have to make all future Microsoft security updates themselves as well, so you will be paying them for monthly patches.

      Holding the software developers to task, labeling the software as unfit for purpose and forcing them to reimburse the companies and individuals who have bought the software, plus damages, might wake them up...

      The problem is, where do you go? macOS has its own problems, as do UNIX and Linux variants.

      No software is error free enough to get around such sanctions. And nobody would be willing to pay for and wait for secure, error free software.

      We already use the software, so we need the software now! We can't turn off our computers for 3 or 4 years, whilst a really secure and tested OS and software stack is developed (and that means servers, routers, switches, PCs, tablets, smartphones, smartwatches and all IoT devices), or isolate them all from the Internet.

      It just won't happen. And people are more interested in new bling bling on the GUI than it actually working better under the hood.

      Just look at the last couple of Windows 10 updates (as opposed to monthly patches), hardly anything changes on the surface, but more major plumbing behind the scenes. Most sites complain because nothing has (visibly) changed.

      But Windows 11 comes along, it has dropped most of the safety features that Microsoft was working on in the last years (sandboxing all applications, for example, containerisation and isolation of legacy software), but it has new rounded corners in the GUI and people are flipping out about how cool it is, whilst the real enthusiasts and those that understand software engineering are disappointed that nothing has really changed, "just" rounded corners.

      1. Doctor Syntax Silver badge

        Re: Right to repair

        It's more likely that elsergiovolador's proposal would work by obliging vendors to fix things. And, of course, with BSD and Linux the users have the ability to access the source code anyway. Of course there's always the possibility that the vendor might opt to provide entirely undocumented and incomprehensible source code.

        1. big_D Silver badge

          Re: Right to repair

          Having access to the code and being able to do anything with it are 2 different things.

          Even BSD or Linux. Very few C/C++ programmers could even begin to understand the intricacies of the crypto libraries and a cryptographer wouldn't have much idea about the code. There are comparatively few people who are cross-discipline enough to work on many of the specialist areas.

          How many assembler programmers are there, that can work on device drivers?

    3. amanfromMars 1 Silver badge

      Re: Right to repair with surreal interventions/otherworldly improvements

      Novel abiding problems, elsergiovolador, surely require at least similarly novel solutions ‽ .

      Here's interesting news of an institutionalised initiative tempting renegade rogue private pirates/grey and white hatted mobsters to share their disruptive wares for greater exercise in public ........ https://www.nationaldefensemagazine.org/articles/2021/7/26/ndia-launches-emerging-technologies-institute ..... although to imagine it might guarantee one an overwhelming exclusive advantage rather than raise the overall level of Greater IntelAIgent Games Field Play is something yet to be seen and realised ... or admitted :-)

    4. Warm Braw

      Re: Right to repair

      Without wanting to detract from your general point, this is more of a "feature" than a bug: it's an inherent weakness in NTLM rather than a simple error and fixing it would essentially make it incompatible with legacy systems, which is the only reason it's supported in the first place.

      Same for all of those SPECTRE-like CPU problems: you could argue you should be allowed to tinker with the microcode if the chipmaker won't fix them, but as the performance of the chip is dependent on what in retrospect turned out to be flawed design decisions, no-one else is going to be able to fix them either.

      Access to the source code may assist in many cases, but it's not a panacea.

  4. aregross

    RTFM?

    "PetitPotam takes advantage of servers," said Microsoft, "where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks."

    Out of Box, Amazing!

    1. big_D Silver badge

      Re: RTFM?

      Yes, the problem is that the protocol probably can't be fixed, because it is a legacy protocol used for legacy equipment that probably hasn't been updated in a couple of decades.

      The real story is that NTLM is even active on new installs. And, if it has to be active, it doesn't default to a secure configuration and the administrator has to reduce security themselves, if they have no other choice, because a legacy, mission critical LoB system can't work in a secured environment.

  5. NetBlackOps

    Frankly, if I ever took up security research again, I'd love to point fuzzers at each and every protocol stack that Microsoft (and admittedly others) have out there.

    1. Dan 55 Silver badge

      That was Microsoft's job, until Nadella fired their QA.

      1. big_D Silver badge

        It didn't change much. These sorts of problems (especially the default to insecure installation from Microsoft) were there long before the QA teams were disbanded, and they still failed, in over a decade of testing, to find these problems - these problems have been long known; heck, this is the 2nd NTLM attack this year, and the advice for securing the AD predates Nadella at the helm.

        This is institutionalised willful negligence, bordering on criminal negligence.

        1. Ken Hagan Gold badge

          Microsoft have been pleading with devs to stop using NTLM for many years now and rolled out its successor over 20 years ago. Admins can enable auditing to see what might break if they disable NTLM and then they can disable it anyway because, well, it's a known train wreck of a protocol.

          So who is actually being negligent here?

          1. big_D Silver badge

            Both sides. If Microsoft know the problem, the standard configuration should default safe and the admins have to make it unsafe, if required.

            And, yes, because Microsoft have neglected to do the right thing on their side, admins need to ensure they apply what Microsoft advises, but refuses to do itself.

          2. Roland6 Silver badge

            >So who is actually being negligent here?

            Microsoft.

            It seems from the advisories on how to disable NTLM, even now by default AD domain controllers accept LM, NTLM and NTLMv2 requests. If MS had really been pleading with people to not use NTLM, they would have removed it from the default install of Windows Server, AD, Exchange, Remote Desktop.... [We can assume it is there and being used, since MS have released no advisories saying words to the effect: a clean default install (as used by many) of Server 20nn with AD, Exchange, Remote Desktop does not use or install NTLM.]

            What is interesting is that, by declaring they aren't going to fix it, MS have effectively declared all current versions of Windows Server insecure by design and left their users swinging in the wind. Also I note they haven't said Windows cloud/MS365 et al are not affected...
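Ken Hagan's and Roland6's comments above both come down to the same practical question: before (or instead of) pulling NTLM, find out who is still using it and what the domain controller is currently willing to accept, and check the AD CS setting that the Microsoft quote in aregross's comment refers to. The PowerShell below is an added example written for this page; it is not from the article, from Microsoft, or from any commenter. It turns on NTLM auditing, summarises NTLM logons from the Security log, reports the LM/NTLM policy values, and reads the Extended Protection setting on the AD CS web enrollment site. The registry value names under `Lsa\MSV1_0` are the ones behind the "Network security: Restrict NTLM" Group Policy settings, event 4624 and the `Microsoft-Windows-NTLM/Operational` IDs 8001-8004 are Microsoft's; the function names, the 24-hour window, the `Default Web Site\CertSrv` path (the installer's default, adjust if web enrollment lives elsewhere) and the sample output format are this example's own assumptions. It only audits and reports; it restricts nothing.

```powershell
# Added example, not from the article or its commenters: a defender-side
# NTLM inventory. Run in an elevated PowerShell on a domain controller or
# member server. Auditing is enabled; nothing is blocked or disabled.
#Requires -RunAsAdministrator

$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-NtlmAuditing {
    # Registry equivalents of "Restrict NTLM: Audit incoming NTLM traffic"
    # (2 = audit all accounts) and, on a DC only, "Restrict NTLM: Audit NTLM
    # authentication in this domain" (7 = audit all). Events land in the
    # Microsoft-Windows-NTLM/Operational log as IDs 8001-8004.
    if (-not (Test-Path $Msv10)) { New-Item -Path $Msv10 -Force | Out-Null }
    Set-ItemProperty -Path $Msv10 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) { Set-ItemProperty -Path $Msv10 -Name AuditNTLMInDomain -Value 7 -Type DWord }
}

function Get-NtlmPolicy {
    # LmCompatibilityLevel: 0-2 clients may still send LM/NTLMv1 responses,
    # 3-5 send NTLMv2 only; on a DC, 4 refuses LM and 5 refuses LM and NTLMv1.
    # An absent value means the OS default applies (this is Roland6's point).
    $read = { param($Path, $Name)
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -eq $v) { 'not set (OS default)' } else { $v }
    }
    [pscustomobject]@{
        LmCompatibilityLevel         = & $read $Lsa   'LmCompatibilityLevel'
        AuditReceivingNTLMTraffic    = & $read $Msv10 'AuditReceivingNTLMTraffic'
        RestrictReceivingNTLMTraffic = & $read $Msv10 'RestrictReceivingNTLMTraffic'
        RestrictNTLMInDomain         = & $read $Msv10 'RestrictNTLMInDomain'
    }
}

function Get-NtlmLogonInventory {
    param([int]$Hours = 24)   # window is an arbitrary choice for the example
    # Security event 4624 records the package used. NTLM logons carry
    # AuthenticationPackageName = NTLM and LmPackageName = 'NTLM V1' or 'NTLM V2';
    # the V1 rows are what would break first if NTLMv1 is refused.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Package = $d.LmPackageName
                    Source  = $d.WorkstationName
                    Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Ip      = $d.IpAddress
                }
            }
        } |
        Group-Object Package, Source, Account |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Package, Source, Account'; e = { $_.Name } }
}

function Get-AdcsEpaSetting {
    # The "protections for NTLM Relay Attacks" in Microsoft's statement:
    # Extended Protection for Authentication on the AD CS web enrollment
    # application. 'Require' is the protected value; 'None' is the weak one.
    Import-Module WebAdministration -ErrorAction Stop
    $site = 'IIS:\Sites\Default Web Site\CertSrv'   # default install path (assumption)
    if (-not (Test-Path $site)) { return 'CertSrv web enrollment not installed on this host' }
    $p = Get-WebConfigurationProperty -PSPath $site `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking'
    if ($p.PSObject.Properties['Value']) { "$($p.Value)" } else { "$p" }
}

Enable-NtlmAuditing
Get-NtlmPolicy | Format-List
Get-NtlmLogonInventory -Hours 24 | Format-Table -AutoSize
"AD CS EPA tokenChecking: $(Get-AdcsEpaSetting)"
# Audit events produced by the policy just enabled (8004 = domain audit on a DC)
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -in 8001, 8002, 8003, 8004 |
    Select-Object TimeCreated, Id, Message
```

Run it once, let the audit policy collect for a normal business cycle, then run the inventory again: any `NTLM V1` rows are the legacy systems big_D describes and need a plan before `LmCompatibilityLevel` is raised or `RestrictReceivingNTLMTraffic` is set; `tokenChecking` anything other than `Require` means the AD CS site is still in the state Microsoft's statement warns about.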

  6. fiddley

    Seriously, just disable NTLM. It has been dead for a million billion years

    1. Anonymous Coward

      Kerberos

      The replacement is Kerberos. Let me check.... oh yes, available since Windows 2000. How many Windows NT4 servers are people still running?

      It's well known that NTLM doesn't authenticate which computer you are logging in to. It just hashes the password so you can't snoop on it...

      Also.... A Certificate Server on an open network? Let me introduce some new tech called a firewall.

  7. Anonymous Coward

    Netbios is still a needed thing

    Netbios is still a requirement for some systems.

    VMware even made it a requirement for Horizon 7.11, ignoring DNS. That was a surprise when upgrading!!

    1. Anonymous Coward

      Re: Netbios is still a needed thing

      What does Netbios have to do with anything? It's just how Windows computers find each other on a network that doesn't allow dynamic DNS registration. You can still use Kerberos just fine.

      1. Anonymous Coward

        Re: Netbios is still a needed thing

        VMware decided in some Horizon component to stop using DNS and rely on NetBIOS. Google searches reveal M$ deprecated NetBIOS from, I assume, Win 2000 onwards, yet it hangs around and some products actively use it.

        I mention it because it’s yet another ancient tool that persists but we would be better off without.

        1. Roland6 Silver badge

          Re: Netbios is still a needed thing

          No problem with ancient tools persisting, just that once they have been deprecated they should be removed from the default install. So if you want to use it, you have to deliberately go into the deprecated components setup...
