Flaw in Active Directory puts enterprises at risk, says vendor

An Israeli security startup says it has found an encryption vulnerability in Microsoft’s Active Directory that could allow an attacker to change user passwords.

“The potential for this particular vulnerability to cause harm and theft is high,” Aorato Inc. said in a release today.

“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure,” Tal Be’ery, the company’s vice-president of research, said in the statement. “The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data. Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected.”

Aorato went live in January with a product called DAF, which detects suspicious behavior by those who connect to Active Directory. However, in a detailed description of the problem, it says there is no solution for the vulnerability it discovered.

With no inherent solution to mitigate this flaw, Aorato recommends enterprises watch for authentication protocol anomalies and correlate the abnormal use of encryption methods with the context in which the victim’s identity is used.

The problem, the company says, lies with NTLM, an older authentication protocol still used in Windows. Kerberos is used in more recent versions, but for compatibility NTLM remains enabled by default. Briefly, Aorato says NTLM’s encryption is weaker than Kerberos’s.

An attacker can use a free penetration test tool such as WCE or Mimikatz to steal the NTLM hash from an employee’s device, Aorato says. Because this authentication component is known to be a security hazard through pass-the-hash attacks, Aorato says, many enterprises try to limit the use of NTLM. But it says an attacker who obtains a user’s NTLM hash can still use it to get a valid Kerberos ticket. And though some organizations look for suspicious activity, this particular activity isn’t logged, Aorato says, so no alerts are issued.
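Aorato’s recommended mitigation is to correlate abnormal use of encryption methods with the context in which an identity is used. The following is an added example, not Aorato’s or Microsoft’s code, of what that check can look like: it baselines each account’s usual Kerberos ticket encryption type from TGT request records shaped like Windows Security event 4768 (TargetUserName, IpAddress, TicketEncryptionType, where 0x17 is RC4-HMAC and 0x12 is AES-256) and flags accounts that normally use AES but suddenly request an RC4 ticket. All records are constructed sample data.

```python
from collections import Counter, defaultdict

# Codes as logged in event 4768's TicketEncryptionType field.
ETYPE_NAMES = {
    "0x17": "RC4-HMAC",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
}
WEAK_ETYPES = {"0x17"}  # the type an NTLM hash can be used with


def baseline(events):
    """Map each account to the encryption type it most often requests TGTs with."""
    per_user = defaultdict(Counter)
    for ev in events:
        per_user[ev["TargetUserName"]][ev["TicketEncryptionType"]] += 1
    return {user: c.most_common(1)[0][0] for user, c in per_user.items()}


def find_downgrades(history, new_events, min_history=3):
    """Alert when an account with a strong-etype baseline requests a weak-etype TGT.

    Accounts with fewer than min_history prior requests are skipped (no baseline), and
    accounts that always used RC4 are not flagged, so each alert represents a change.
    """
    usual = baseline(history)
    seen = Counter(ev["TargetUserName"] for ev in history)
    alerts = []
    for ev in new_events:
        user, etype = ev["TargetUserName"], ev["TicketEncryptionType"]
        if etype in WEAK_ETYPES and seen[user] >= min_history and usual[user] not in WEAK_ETYPES:
            alerts.append({
                "user": user,
                "ip": ev["IpAddress"],  # context: where the identity is being used from
                "etype": ETYPE_NAMES.get(etype, etype),
                "usual": ETYPE_NAMES.get(usual[user], usual[user]),
            })
    return alerts


def _ev(user, ip, etype):
    return {"TargetUserName": user, "IpAddress": ip, "TicketEncryptionType": etype}


# Constructed sample records, not real telemetry.
HISTORY = [_ev("alice", "10.0.0.5", "0x12")] * 3 + [_ev("bob", "10.0.0.7", "0x17")] * 3
NEW = [
    _ev("alice", "10.0.0.99", "0x17"),  # AES-only account suddenly asks for RC4: alert
    _ev("bob", "10.0.0.7", "0x17"),     # legacy RC4 account: expected, no alert
    _ev("carol", "10.0.0.8", "0x17"),   # no history: insufficient baseline, no alert
]

if __name__ == "__main__":
    for alert in find_downgrades(HISTORY, NEW):
        print(alert)
```

The new source address carried in each alert is the context an analyst would pivot on, since a downgrade from an unfamiliar host is the more significant signal.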

The company says it has notified Microsoft of the problem. It says Microsoft has made this vulnerability publicly known, but Aorato says the fact that the behavior isn’t logged should be addressed by Microsoft.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
