Browser can cause Active Directory to leak credentials: Researchers

Windows 10 has been out barely two weeks, and already a vulnerability has been spotted that exists in every supported version of the operating system and its browsers, one that causes computers on an Active Directory domain to leak users’ credentials.

The problem was outlined at last week’s Black Hat security conference and detailed in a news report. Briefly, the attack is an SMB relay: it causes a Windows computer on an Active Directory domain to send the user’s NTLM authentication to an attacker-controlled server, without any prompt, when the user visits a Web page, reads an email in Outlook or opens a video in Windows Media Player. The attacker then relays that authentication exchange to a legitimate server and is authenticated as the user, without ever needing the password itself.

According to the report, the possibility of an SMB relay attack has been known since 2001, but it was thought to work only inside local networks. Indeed, Internet Explorer has a user authentication option that is set by default to “Automatic logon only in Intranet zone.” However, the researchers at Black Hat said a problem in a Windows DLL causes that option to be ignored, so the automatic logon also happens for hosts outside the Intranet zone.

The news report says Microsoft [Nasdaq: MSFT] is aware of the problem.

What can a CISO do until it is fixed? Several mitigations were mentioned, including this one from Microsoft: use a firewall to block SMB packets from leaving the local network. The researcher who gave the presentation admits this would prevent the credential leaks, but added that it isn’t very practical in the age of employee mobility and cloud computing, since a perimeter firewall does nothing for a laptop that is off the corporate network. A host-based filtering solution would be more appropriate, he feels.

The firewall built into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out to the Internet while still allowing them on the local network, so file sharing isn’t broken, he added.
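The host-based filtering just described, written out as a PowerShell script. This is an added example, not code from the article or from the researchers. It assumes Windows 8.1 / Server 2012 R2 or later (the NetSecurity cmdlets), an elevated prompt, and the firewall’s built-in Internet address keyword, which Windows derives from Network Location Awareness; the host names and addresses in the verification step are placeholders to be replaced with ones from your own environment.

```powershell
# Added example: block outbound SMB/NetBIOS to Internet addresses with the
# Windows firewall, leaving local-network file sharing untouched.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt.

$rules = @(
    @{ Protocol = 'TCP'; RemotePort = @('139', '445') }   # NetBIOS session service, SMB over TCP
    @{ Protocol = 'UDP'; RemotePort = @('137', '138') }   # NetBIOS name and datagram services
)

foreach ($r in $rules) {
    $params = @{
        DisplayName   = "Block outbound SMB to Internet ($($r.Protocol))"
        Group         = 'SMB relay mitigation'     # lets you list or remove the set later
        Direction     = 'Outbound'
        Action        = 'Block'
        Enabled       = 'True'
        Profile       = 'Any'                       # Domain, Private and Public
        Protocol      = $r.Protocol
        RemotePort    = $r.RemotePort
        RemoteAddress = 'Internet'                  # keyword: addresses outside the local/intranet ranges
    }
    New-NetFirewallRule @params | Out-Null
}

# Verify: list the port filters attached to the new rules.
Get-NetFirewallRule -Group 'SMB relay mitigation' |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, RemotePort -AutoSize

# Check the effect. 203.0.113.10 is a documentation-range address standing in
# for an attacker's host; the connection attempt should now fail
# (TcpTestSucceeded : False). The file server name is a placeholder for one
# of your own, which should still answer on 445.
Test-NetConnection -ComputerName 203.0.113.10 -Port 445
Test-NetConnection -ComputerName fileserver.corp.example -Port 445

# To undo everything this script created:
# Remove-NetFirewallRule -Group 'SMB relay mitigation'
```

The Windows firewall has no “everything except these subnets” match, and block rules take precedence over allow rules, so the Internet keyword is the way to express “outside the local network” in a single rule. If you would rather not depend on how Network Location Awareness classifies addresses, scope the same block rules to the Public and Private profiles with RemoteAddress set to Any, and let the perimeter firewall cover the Domain profile. One general caveat, not from the article: when an SMB connection fails, Windows may retry a UNC path over WebDAV (HTTP) through the WebClient service, so a port-based SMB block alone does not close every path by which an NTLM exchange can reach an outside host.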

Given the large number of organizations — particularly small and medium-sized firms — that use Active Directory, this is a big problem that needs to be addressed.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
