Thanks to ShadowAce for the ping!!
Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld.
He was named by Hades.
Kerberos means “spotted”.
So yeah:
The god of the Greek underworld named his three-headed guardian dog “Spot”.
Is this just on servers or is it something all users have to worry about?
Until you read the last line.
If they already own your DC you're screwed anyway.
I just had the fun surprise of Windows 10 after about 2 months. One of the updates wiped out the installations of my CAD, FEA and CNC software. GREAT!!! And it’s too late to roll it back, and the only solution is to upgrade my software... to the tune of $8500. Luckily it’s only one laptop and my old one still works fine.
Back to Windows 7
This admin vulnerability sounds bad. But it sounds to me like something Obama is very interested in.
Taking a peek at the wayback archive shows that MS has known about this since 2014 at least.
Microsoft crud is just too complex to comprehend. It has gotten well away from its authors. Even USB mice don’t work correctly any longer ... I suppose contact bounce isn’t being taught in Microsoft Land any longer.
As I understand it Kerberos authentication is only used in enterprise environments.
Create a bootable Linux Live USB stick and boot your Windows computer. You can see, access, change or delete any file on the hard disk with NO password required. A janitor with a Linux Live USB stick could look at every file on every Windows computer in your office.
There are numerous safeguards to protect against this.
Use the “Protected Users” group in AD
Turn off Kerberos delegation for privileged users (protects against PTH as well)
Use fine-grained password policies for privileged users and require 15+ character pass phrases
Use attribute-based access control for privileged resources such as domain controllers
You can also change your krbtgt account password on a regular basis. We have ours scripted as a scheduled task that runs weekly. It’s as secure as salting your password hashes.
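As an added example that is not part of any comment above, the following PowerShell script applies the safeguards listed in the previous post (Protected Users membership, no delegation for privileged accounts, a 15+ character fine-grained password policy) and registers the weekly krbtgt rotation as a scheduled task. It assumes the RSAT ActiveDirectory module on a domain controller, and the user names, policy name, script path and gMSA name are placeholders; the attribute-based access control point from the post is not covered here.

```powershell
# Added example, not the commenter's own script. Requires the ActiveDirectory module
# (RSAT) and an account allowed to modify privileged users and reset krbtgt.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Assumed list of privileged accounts to harden; replace with your own.
$PrivilegedUsers = @('adm-alice', 'adm-bob')

foreach ($u in $PrivilegedUsers) {
    # 1. Protected Users: no NTLM, no DES/RC4 Kerberos keys, no delegation, 4-hour TGT lifetime.
    $already = Get-ADGroupMember -Identity 'Protected Users' | Where-Object SamAccountName -eq $u
    if (-not $already) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u
    }
    # 2. "Account is sensitive and cannot be delegated". Protected Users already blocks
    #    delegation; the flag keeps that protection if the account ever leaves the group.
    Set-ADUser -Identity $u -AccountNotDelegated $true
}

# 3. Fine-grained password policy: 15+ character passphrases for privileged accounts.
$PsoName = 'PSO-PrivilegedUsers'   # assumed policy name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $PrivilegedUsers

# 4. Rotate the krbtgt password once per run. The KDC accepts tickets under the current
#    and the previous krbtgt key, so a single reset per run keeps outstanding TGTs valid;
#    the weekly cadence means both keys have changed within two runs. Resetting twice in
#    one run (before replication and the maximum TGT lifetime have passed) would
#    invalidate every issued TGT and force re-logons across the domain.
function Reset-KrbtgtPassword {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 48
    $rng.GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)   # 64 random characters, never stored
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $secure
    # The DC logs event 4724 ("An attempt was made to reset an account's password")
    # for krbtgt; alert on that event outside the scheduled window.
}

# 5. Register the weekly rotation as a scheduled task running as a gMSA (assumed name)
#    that has been granted the right to reset the krbtgt password.
$ScriptPath = 'C:\Scripts\Reset-Krbtgt.ps1'   # assumed path: holds the function above plus a call to it
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-krbtgt$' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Rotate-krbtgt' -Action $action -Trigger $trigger -Principal $principal
```

The script is idempotent for steps 1 to 3, so it can be re-run as accounts are added; step 4 is the only part that belongs in the weekly task. After the first rotation, check replication with `repadmin /showrepl` before relying on the new key, since a DC that has not yet received it will keep issuing tickets under the old one.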