A few members of the Server 2012 R2 Protected Users group are not able to log in locally or remotely to their computers and servers

Posted by Ahmed Nabil
Microsoft introduced a new security group named "Protected Users" with Windows Server 2012 R2 and Windows 8.1 clients to offer additional protection against credential theft/compromise and to help in your overall mitigation plan for Pass-the-Hash (PtH) attacks. It is highly recommended to add all your service and highly privileged accounts to this group for more protection.

For more information on this security group, please check the link below.

https://technet.microsoft.com/en-us/library/dn466518.aspx


Microsoft published two documents (Versions 1 & 2) explaining in detail the Pass-the-Hash attack and possible mitigations; I would highly advise downloading these documents from the link below.

http://www.microsoft.com/en-eg/download/details.aspx?id=36036


Problem:

Back to our main post: we had a scenario where some companies added their main critical service accounts and admin accounts to the Protected Users group. Some of these accounts (not all of them) reported that they were not able to log in to their local machines or remotely to any server, whether from the 2008 or 2012 family. The error message the user receives is shown below:

As soon as these users are removed from the Protected Users group, they work normally again. The strange thing is that this error occurred only for a few accounts in the Protected Users group, not for all of them.

The following event was logged in Event Viewer at the time of the logon failure:

Solution:

Upon further investigation of this problem we were able to identify a common factor among all the accounts that were unable to log in after being added to the Protected Users group:


  1. They were old accounts, created a few years ago when the domain was at the Windows Server 2003 domain/forest functional level.
  2. These accounts have non-expiring passwords (since most of them are service accounts)!

Microsoft SCOM sent alerts when one of these users tried to connect/log in to the domain controller, which helped in understanding and solving the problem.

As per the SCOM alert, this was the fix: resetting and changing the passwords of these specific users fixed the problem, and they were able to log in either locally or remotely as normal.


What was the problem?

As mentioned before, these accounts were created a long time ago when the domain/forest functional level was Windows Server 2003; at that time no AES Kerberos hash was created, and the passwords had not been changed since.


Password hashes are kept on the domain controller for all available etypes (encryption types). It seems that the passwords for these accounts, which were set never to expire, did not have the AES hash but only the NTLM hash. The Protected Users group only uses AES, and that is why these users were not able to connect: their passwords could not be verified because there was no AES hash.

After resetting the password, all those hashes were available and the problem was fixed :)
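To find accounts in the same situation before they fail, the following PowerShell report (an added example, not a script from the post or from Microsoft) lists the members of the Protected Users group together with when their password was last set and whether it expires, and flags the combination described above: a password set before the domain was raised above the 2003 functional level that has never been changed. The cutoff date is a placeholder you must replace with your own domain's date; the `msDS-SupportedEncryptionTypes` column is included only for context, since the failing accounts in the post were identified by password age, not by that attribute. Requires the ActiveDirectory module from RSAT.

```powershell
# Added example (not the post's own script): report Protected Users members whose
# password predates the functional-level raise and therefore may lack an AES hash.
Import-Module ActiveDirectory

# ASSUMPTION / placeholder: the date your domain/forest was raised above the
# Windows Server 2003 functional level. Replace with the real date.
$FunctionalLevelRaised = Get-Date '2010-01-01'

function Get-ProtectedUsersPasswordAge {
    param([datetime]$Cutoff = $FunctionalLevelRaised)

    # -Recursive expands nested groups and returns leaf objects only.
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # PasswordLastSet is $null when the password was never set or must change at next logon;
            # treat that as "older than the cutoff" so the account is still flagged for a reset.
            $older = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $Cutoff)
            [PSCustomObject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                # Usually unset on plain user accounts; shown for context only.
                SupportedEtypes      = $_.'msDS-SupportedEncryptionTypes'
                # The pattern from the post: old, never-expiring password.
                NeedsPasswordReset   = $older -and $_.PasswordNeverExpires
            }
        }
}

# Report, oldest passwords first. The fix from the post is then a password reset
# (Set-ADAccountPassword -Reset) for each account flagged NeedsPasswordReset.
Get-ProtectedUsersPasswordAge |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Run it as a user that can read the group and user attributes; nothing is changed by the script itself, so it is safe to run repeatedly as a check after adding new members to the group.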

For more information on hashes and how passwords work in a Windows environment, please check the articles below.

Hopefully this post can help any user with the same problem and shed some light on how passwords work in a Windows environment.

Lenovo CTO admits SuperFish adware spoofing attack: is this the end of the problem, or just the beginning?

Posted by Ahmed Nabil
Lenovo's CTO admitted the problem with the SuperFish adware, which was loaded on several consumer Lenovo PCs/laptops, and confirmed that the company has published the needed removal tools.

http://www.pcworld.com/article/2886690/lenovo-cto-admits-company-messed-up-and-will-publish-superfish-removal-tool-on-friday.html

Lenovo is additionally promising its customers cleaner and safer future products, in an attempt to save its reputation after what happened lately with SuperFish.

http://news.lenovo.com/article_display.cfm?article_id=1934


How did the story begin?

Lenovo came under fire last month (February) after it was discovered that it had been preinstalling the SuperFish adware on Lenovo laptops since 2010. Reports came heavily from different sources confirming this fact until Lenovo itself admitted the issue and released a removal tool.


http://www.cyberdefensemagazine.com/lenovo-sold-laptop-with-pre-installed-superfish-malware/

http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/


The United States Computer Emergency Readiness Team (US-CERT) released an alert classifying this issue as a spoofing attack: https://www.us-cert.gov/ncas/alerts/TA15-051A

Later, the United States Department of Homeland Security asked Lenovo to uninstall SuperFish from its products: http://www.reuters.com/article/2015/02/20/us-lenovo-cybersecurity-dhs-idUSKBN0LO21U20150220


What is SuperFish?

It is an advertising company based in California, founded in Israel in 2006, that develops various advertising software based on a visual search engine. This adware installs its own certificate and acts as a man-in-the-middle proxy for encrypted HTTPS connections, making users vulnerable.

For more details on how it works, please check the following link:

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
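Because the adware works by planting its own certificate in the trusted root store, the defender's check is to audit that store. The following PowerShell function is an added example (not from the post, from Lenovo's removal tool, or from the vendors named here): it searches both the machine and current-user trusted root stores for certificates whose subject matches a name pattern and reports whether each is self-signed. The default pattern `Superfish` is an assumption that the certificate's subject contains that name; the pattern parameter lets you reuse the same check for other names, such as products found to use the same SDK discussed later in the post.

```powershell
# Added example (not from the post or from any vendor tool): audit the Windows
# trusted root stores for a certificate matching a subject-name pattern.
# Run from an elevated prompt so the LocalMachine store is readable.
function Find-TrustedRootCert {
    param(
        # ASSUMPTION: the subject of the certificate described in the post contains
        # "Superfish"; pass another pattern to check for other names.
        [string]$SubjectPattern = 'Superfish'
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $SubjectPattern } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    # A root whose issuer equals its subject is self-signed; a vendor-planted
                    # root used for interception will normally look like this.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    # Full provider path, usable with Remove-Item once the finding is verified.
                    Path       = $_.PSPath
                }
            }
    }
}

# Report matches. Removal of a confirmed rogue root is a separate, deliberate step:
#   Remove-Item -Path <Path from the report>
$found = Find-TrustedRootCert
if ($found) {
    $found | Format-Table -AutoSize
} else {
    "No trusted root matched the pattern."
}
```

A match in either store means the machine will accept HTTPS connections signed by that certificate; after removing it, re-run the function to confirm the store is clean, and keep in mind that the interception software itself still has to be uninstalled, since it can reinstall the certificate.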



Microsoft and McAfee antivirus reacted quickly, and their engines were updated to remove SuperFish from Lenovo laptops.

http://mashable.com/2015/02/21/microsoft-mcafee-lenovo-superfish/



Will this end the problem? Well, many consumers and IT professionals have already blacklisted Lenovo laptops and won't be using them anymore. A lawsuit has already been filed against Lenovo, although they admitted it was a mistake. For more details please check the following article:

http://www.computerweekly.com/news/2240241032/Lenovo-faces-lawsuit-for-pre-installing-Superfish-adware


Things didn't stop at Lenovo's reputation or the legal actions; actually, things are getting worse. SuperFish was traced to a third-party SDK (Software Development Kit) called SSL Decoder, created by an Israeli company named Komodia. Several users are now compiling lists of software and applications that use this SDK.

For more details, please check the following article:

http://www.pcworld.com/article/2887253/superfish-vulnerability-traced-to-other-apps-too.html

So what should we do in this totally insecure environment? I believe we should go back to basics: educating users and ourselves. The Internet can be a good educational place, but at the same time there is a dark side that no one would like to face nowadays.

We need to be extra cautious on public Wi-Fi networks, regularly check our passwords and ensure they are hardened, regularly check our credit cards, and ensure our devices are protected by at least two protection layers (personal firewall, antivirus/anti-spyware and vulnerability scanners).


Securing our devices is getting harder, and threats are changing all the time; sometimes they are even shipped with trusted software. We need to be extra cautious as long as we are on the Internet.