delete LSA cache password ?

Microsoft Applications Security - Microsoft's general security discussions and announcements

Posted by bigstyle [MVP] on April 18, 2007, 7:15 am
Hello,

First of all, sorry if I make mistakes, but I am French :D

Have any of you ever found a solution to prevent attacks that let
hackers discover some users' passwords thanks to the LSA cache stored
in the registry?

1) Can we just delete specific entries in the registry?

2) I have read that the LSA cache is storing the domain user
credentials but my password doesn't appear when I dump the LSA cache.

3) I have also read that I should modify the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\cachedlogonscount, but in my opinion this is
not the right key.

Thanks for your advice.

Regards,

--

bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security



Posted by S. Pidgorny on April 18, 2007, 9:05 am
Not really, no. The issue is that one can read those password hashes from
memory, not even from the registry.
So the way to prevent it is to prevent people from becoming local
administrators.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *




Posted by bigstyle [MVP] on April 18, 2007, 10:20 am

Hi,

thank you for your answer.

I have read that only the SeDebugPrivilege is needed to obtain this
kind of list... :/

Is there no way to prevent this dump or to delete this cache?
The cache is still available after a reboot, so I think it would be
deleted if I delete the registry key first and then reboot the computer;
what do you think?

Thank you

--

bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security



Posted by S. Pidgorny on April 19, 2007, 5:01 am
G'day:


> I have read that only the SeDebugPrivilege is needed to obtain this kind
> of list... :/

That is correct... And it gives you everything indirectly. LSA secrets, NTLM
hashes, even cryptographic keys (unless in special purpose hardware like
smart cards).

> Is there no way to prevent this dump or to delete this cache?
> The cache is still available after a reboot, so I think it would be
> deleted if I delete the registry key first and then reboot the computer;
> what do you think?

There are some known LSA secret locations
(http://support.microsoft.com/?id=199071) but cleaning up everything is a
big thing to ask.

Well there are ways to revert the system to the pristine state after reboot.
DeepFreeze is the commercial software that does just that.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by bigstyle [MVP] on April 19, 2007, 11:27 am
> G'day:

Hi Svyatoslav
>
>
>> I have read that only the SeDebugPrivilege is needed to obtain this kind
>> of list... :/
>
> That is correct... And it gives you everything indirectly. LSA secrets, NTLM
> hashes, even cryptographic keys (unless in special purpose hardware like
> smart cards).

That's strange, because I have tested dumping my LSA cache with only the
SeDebugPrivilege and it didn't work!
>
>> Is there no way to prevent this dump or to delete this cache?
>> The cache is still available after a reboot, so I think it would be
>> deleted if I delete the registry key first and then reboot the computer;
>> what do you think?
>
> There are some known LSA secret locations
> (http://support.microsoft.com/?id=199071) but cleaning up everything is a big
> thing to ask.
>
> Well there are ways to revert the system to the pristine state after reboot.
> DeepFreeze is the commercial software that does just that.

Thanks for these links.

When I try to dump my LSA cache I am not able to see the domain
credential hashes. Only HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
is read and there's nothing about the NTLM hashes.

I would like to understand how an attacker proceeds to retrieve this hash,
because I think it's potentially a high security risk!

Thanks :)

--

bigstyle
MVP Windows Server - Directory Services
MCSE 2000/2003 Security
