Tag Archives: lsass.exe

IT security projects fail because people are not affected personally

 4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are used to run services on workstations as well.

From a security point of view this is a nightmare. Once an attacker got the login data of one of the service accounts, he can move across the network and collect credentials. The game is over when he gets access to a workstation where a user signs in with domain administrator credentials.

Executing the service as a local defined account with individual passwords would be a good choice to tackle this problem but, from an operations point of view this is the nightmare because the administrative effort will go straight through the roof.

This clash of interests is a really big challenge for the change manager. ADKAR is a often used model to guide activities during a change processes. But how could a change manager create Awareness in this case? Just telling the system operators to do things differently will not help. You must touch people’s minds with good stories and pictures.

Seeing is believing’ is my recipe: Find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

Mimikatz Output


The MIMIKATZ output contains the passwords for the service accounts and, if applicable, for the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as eye-opener in the next awareness session.

In my experience this  creates the necessary emotional involvement which is required for the next steps in the change process.

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.

Windows 2008 R2 Server is a bad choice as successor for Windows 2003 Server

26 March 2015

Windows 8.1 / Server 2012 R2 represent a quantum leap for users and companies in terms of security. Important new security features like

  • Restricted Admin mode for remote desktop connections,
  • LSA Protection,
  • Protected users group and
  • the removal of clear text credentials from the lsass process

make an attacker’s life harder. Compared to Windows 8.1 / Server 2012 R2 the last Windows versions are inherently insecure.

Therefore it’s truely confusing when IT groups give users the advice to migrate from Windows 2003 Server to Windows 2008 Server for operational reasons. In the past weeks I often heard terrifying statements like ‘If you prefer to be the guinea pig, go for version 2012’. From a security point of view this is a catastrophe.

With update KB2871997 Microsoft backported some of the new security features to Windows 7/8/Server 2008 R2. For a very good overview please see Sean Metcalf’s report published on Active Directory Security.

Unfortunately the most important features, Restricted Admin Server mode and LSA protection, were not backported. Protection for Windows 7 is better with the update, but Windows 2008 Server is still relatively simple to attack.

With that, the recommendation is to migrate to Windows 2012 R2 Server, provided that the application vendor gives support for this version.

I strongly recommend to enforce Restricted Admin Server mode to protect the administrator credentials.

Have a good day.