[dayglored]

Looks pretty bad.

[dayglored]

Major vulnerability in Windows Kerberos security ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to ShadowAce for the ping!!

[ctdonath2]

Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld.
He was named by Hades.
Kerberos means “spotted”.

So yeah:
The god of the Greek underworld named his three-headed guardian dog “Spot”.

[Lurkina.n.Learnin]

Is this just on servers or is it something all users have to worry about?

[deoetdoctrinae]

[SunTzuWu]

Until you read the last line.

[tacticalogic]

It is important to be aware that only organizations that already have a fully compromised domain controller are vulnerable to this technique.

If they already own your DC you're screwed anyway.

[Organic Panic]

I just had the fun surprise of Windows 10 after about 2 months. One of the updates wiped out the installations of my CAD FEA and CNC software. GREAT!!! And it’s too late to roll it back and the only solution is to upgrade my software...To the tune of $8500. Luckily it’s only one laptop and my old one still works fine.

Back to Windows 7

This admin vulnerability sounds bad. But it sounds to me something Obama is very interested in.

[stylin19a]

The flaw cannot be fixed and the only solution is to introduce and use Microsoft's Credential Guard program

Must be running Windows 10 enterprise edition.

[Ray76]

Taking a peek at the wayback archive shows that MS has known about this since 2014 at least.

[GingisK]

Microsoft crud is just to complex to comprehend. It has gotten well away from its authors. Even USB mice don’t work correctly any longer ... I suppose contact bounce isn’t being taught in Microsoft Land any longer.

[Company Man]

As I understand it Kerberos authentication is only used in enterprise environments.

[r_barton]

Create a bootable Linux Live USB stick and boot your Windows computer. You can see, access, change or delete any file on the hard disk with NO password required. A janitor with a Linux Live USB stick could look at every file on every Windows computer in your office.

[rarestia]

There are numerous safeguards to protect against this.

Use the “Protected Users” group in AD
Turn off Kerberos delegation for privileged users (protects against PTH as well)
Use fine-grained password policies for privileged users and require 15+ character pass phrases
Use attribute-based access control for privileged resources such as domain controllers

You can also change your krbtgt account password on a regular basis. We have ours scripted as a scheduled task that runs weekly. It’s as secure as salting your password hashes.