In this blog post, we will delve into the significance of security tokens, explore the risks associated with token stealing, and outline robust strategies to defend against unauthorized privilege escalation.
The Essence of Security Tokens
Every Windows logon session and every process carries a security token that encapsulates the security context of an account: its identity, group memberships and privileges. Two kinds of token matter most for access control and single sign-on: impersonate-level tokens let a process act as the user on the local system only, whereas delegate-level tokens are more potent, allowing that identity to authenticate to network resources as well.
The Peril of Token Stealing
Token stealing becomes a significant threat once a user who already holds the necessary privileges can reach another account's token on the same system. It can lead to local privilege escalation, unauthorized user management, and lateral movement within a network. Attackers commonly use this technique to move from local admin to domain admin, especially in scenarios where extracting hashes from LSASS is difficult.
When Tokens Are Present
Tokens exist on a system only while the account has a logon session there, which makes servers with many simultaneous users a lucrative target. Exploitation often occurs when administrators connect via RDP and then disconnect instead of logging off, leaving their session, and its tokens, alive on the server.
Defending Credentials: Best Practices for Tokens
To defend against token-related threats, it's essential to adopt proactive measures:
Prevent Admin Account Compromise: Safeguarding highly privileged accounts is paramount to preventing token misuse.
Stop Remote Interactive Sessions: Limiting the use of highly privileged accounts for remote interactive sessions minimizes the risk of token stealing.
Proper Termination of RDP Sessions: Ensure RDP sessions are terminated correctly to prevent the persistence of tokens on a system.
Windows 8.1+: Force Restricted Admin Mode: Forcing the use of Restricted Admin Mode in Windows 8.1+ mitigates the risk of token theft during interactive logons.
Windows 10: Deploy Remote Credential Guard: Leveraging Remote Credential Guard in Windows 10 provides enhanced protection against token-related attacks.
Active Directory Designations: Designate high-value accounts as "Account is Sensitive and Cannot be Delegated" in Active Directory to restrict token delegation.
Group Policy for Disconnected Sessions: Set a time limit for disconnected RDP sessions using Group Policy to terminate old sessions effectively.
Advanced Token Defense Mechanisms
For more robust token defense:
In Windows 8.1+, enforcing "Restricted Admin" usage prevents the availability of hashes and tokens on remote systems during RDP sessions.
Designating high-value accounts in Active Directory as non-delegable adds an extra layer of protection.
Windows 8.1+ domains benefit from the Protected Users security group: its members never receive delegate-level tokens, which is an elegant solution for generic domain-admin level accounts.
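The following audit script is an added example, not code from the original post. It checks, read-only, whether the defenses from the two lists above are in place on the host it runs on: Restricted Admin acceptance, the outbound Restricted Admin / Remote Credential Guard policy, a disconnected-session time limit, sessions currently sitting disconnected, and the "cannot be delegated" flag plus Protected Users membership for Domain Admins. It assumes an elevated prompt on a domain-joined host with the ActiveDirectory RSAT module, and that the registry value names below are the ones the corresponding Group Policy settings write.

```powershell
# Added audit example (not from the original post). Read-only: it reports on the
# defenses above and changes nothing. Run elevated on a domain-joined host; the
# AD section needs the ActiveDirectory RSAT module. Registry value names are
# assumed to be those written by the corresponding Group Policy settings.
$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Restricted Admin mode accepted by this host (0 = enabled; absent or 1 = disabled).
$dra = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
if ($dra -ne 0) { $findings.Add('Restricted Admin mode is not enabled (DisableRestrictedAdmin should be 0).') }

# 2. Outbound policy "Restrict delegation of credentials to remote servers":
#    type 1 = require Restricted Admin, 2 = require Remote Credential Guard, 3 = either.
$rraType = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' 'RestrictedRemoteAdministrationType'
if ($rraType -notin 1, 2, 3) { $findings.Add('Outbound RDP is not forced into Restricted Admin or Remote Credential Guard.') }

# 3. Disconnected RDP sessions must expire (value in milliseconds; 0 or absent = never).
$maxDisc = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'MaxDisconnectionTime'
if (-not $maxDisc) { $findings.Add('No time limit for disconnected RDP sessions (MaxDisconnectionTime not set).') }

# 4. Sessions already in the Disconnected state still hold their tokens.
foreach ($line in (query session 2>$null | Where-Object { $_ -match '\sDisc(\s|$)' })) {
    $findings.Add("Disconnected session with a live token: $($line.Trim())")
}

# 5. Domain Admins should be non-delegable and members of Protected Users.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).DistinguishedName
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
    foreach ($m in $admins) {
        $u = Get-ADUser $m.DistinguishedName -Properties AccountNotDelegated
        if (-not $u.AccountNotDelegated) {
            $findings.Add("$($u.SamAccountName): 'Account is sensitive and cannot be delegated' is not set.")
        }
        if ($protected -notcontains $u.DistinguishedName) {
            $findings.Add("$($u.SamAccountName): not a member of Protected Users.")
        }
    }
}

if ($findings.Count -eq 0) { 'All token-defense checks passed.' } else { $findings }
```

Each finding maps to one of the practices above, so the output doubles as a remediation checklist; disconnected sessions are only reported, never logged off, by this script.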
By implementing these strategies, organizations can significantly enhance their resilience against token-based attacks, reinforcing their overall security posture. Stay vigilant, stay informed, and stay secure in the face of evolving cybersecurity challenges.
Akash Patel