It’s October – a month full of all sorts of spooky things: ghosts, goblins, and the potential for a blizzard when we go trick or treating on Halloween (hey, it could happen…remember 1991?).
For IT and security professionals, October is also a month where we pepper our clients with tips and tricks to make themselves and their networks more secure. I’ve put together a list of 7 scary things that might be lurking in your network, and could give attackers an easy win should they find their way into your environment:
1. Pick Better Passwords
I can’t tell you how many times we still run into accounts with easy-to-guess passwords like Password12345! or seasonal passwords like Fall2024! A good password is something that’s easy for you to remember, but hard for baddies to guess.
I’m fond of passphrases, which are several words put together. For example, on a financial site I might make the passphrase "Can I retire yet?!" (That’s not my actual passphrase, so don’t try to hack me please).
2. Manage Your Microsoft "Roastable" Accounts
If you’re running Active Directory, there’s a good chance you have one or more “roastable” accounts in your environment. A Kerberoastable account is any user account that has a Service Principal Name (SPN) registered; an AS-REP roastable account is one with “Do not require Kerberos preauthentication” set. In either case, any user on the network can ask a domain controller for a Kerberos ticket that is encrypted with that account’s password hash (a scrambled version of the actual password), take it offline, and run it through a large word list to possibly figure out the plain text password.
Make sure you set an extremely long password (or better yet, passphrase!) on these accounts. For AS-REP roastable accounts, simply turn preauthentication back on. For Kerberoastable accounts, consider converting them into group Managed Service Accounts (gMSA), whose passwords are long, random, and rotated automatically by the domain.
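The audit a practitioner would run after reading this, as an added example (this is not code from the original article or from 7 Minute Security): list every user account that is Kerberoastable or AS-REP roastable, with the age of its password, so the oldest and weakest ones get fixed first. It needs the ActiveDirectory PowerShell module (RSAT) and nothing more than an ordinary domain account. The 365-day staleness threshold and the account and host names in the remediation comments are assumptions for illustration.

```powershell
# Added example (not from the original article): find Kerberoastable and AS-REP
# roastable user accounts and report how old their passwords are.
# Needs the ActiveDirectory module (RSAT); any domain account can run the audit.
Import-Module ActiveDirectory

function Get-RoastableAccount {
    param(
        # Passwords older than this are flagged; 365 days is this example's choice.
        [int]$MaxPasswordAgeDays = 365
    )
    $props = 'servicePrincipalName', 'PasswordLastSet', 'DoesNotRequirePreAuth', 'Enabled'

    # Kerberoastable: user accounts carrying a Service Principal Name. krbtgt has SPNs
    # too but is handled separately (item 7), so leave it out here.
    $kerberoastable = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties $props |
        Where-Object { $_.SamAccountName -ne 'krbtgt' }

    # AS-REP roastable: userAccountControl bit 0x400000 (DONT_REQ_PREAUTH) is set.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $asrep = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties $props

    # An account can be both; report each one once.
    $all = @($kerberoastable) + @($asrep) | Sort-Object -Property DistinguishedName -Unique

    foreach ($acct in $all) {
        $why = @()
        if ($acct.servicePrincipalName) { $why += 'Kerberoast' }
        if ($acct.DoesNotRequirePreAuth) { $why += 'AS-REP' }

        $ageDays = if ($acct.PasswordLastSet) {
            (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
        } else { $null }   # $null = never set / must change at next logon

        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            Enabled         = $acct.Enabled
            Roastable       = $why -join '+'
            PasswordAgeDays = $ageDays
            Stale           = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        }
    }
}

Get-RoastableAccount | Sort-Object Stale, PasswordAgeDays -Descending | Format-Table -AutoSize

# Fixing a Kerberoastable service: move the SPN to a gMSA (names below are assumed).
# New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
#     -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
#     -ServicePrincipalNames 'HTTP/web.corp.example'
# Set-ADUser -Identity 'svc-web-old' -Clear servicePrincipalName
# Fixing an AS-REP roastable user: require preauthentication again.
# Set-ADAccountControl -Identity 'jdoe' -DoesNotRequirePreAuth $false
```

Computer accounts are deliberately excluded: they carry SPNs as well, but their passwords are long, random, and rotated automatically, so they are not worth an attacker’s cracking time. The gMSA creation also requires a KDS root key to exist in the forest, which is a one-time setup step on a domain controller.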
3. Lock Your SQL Servers Down
In a default Microsoft SQL Server installation, any login – even a low-privileged one, because the permission is granted to the “public” role – can trick the SQL Server into authenticating to another system by pointing a stored procedure such as xp_dirtree at a UNC path. This means an attacker on your network can set up a “listener,” ask the SQL Server to authenticate to the attacker’s system, and then “catch” the incoming authentication – which gives the attacker the username and an NTLM challenge/response for the account running SQL Server, crackable offline.
And because SQL Server services are often configured to run as a domain account that is a member of Domain Admins, the attacker may be able to quickly crack that account’s password and completely take over your network in just minutes.
Remove execute rights on xp_dirtree, xp_fileexist and xp_subdirs from the “public” database role in the master database – and review some SQL security best practices for more information.
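The check-then-fix sequence for this item, as an added example (not code from the original article): see which account the SQL Server service runs as, see whether “public” can still execute the UNC-capable extended procedures, and revoke those grants. It assumes the SqlServer PowerShell module (for Invoke-Sqlcmd), that you run it on the SQL host as a login with sysadmin rights, and an instance name of SQL01; all three are assumptions.

```powershell
# Added example (not from the original article). Assumes the SqlServer module
# (Invoke-Sqlcmd) is installed, that you are running on the SQL host as a login
# with sysadmin rights, and an instance name of 'SQL01' (all assumptions).
Import-Module SqlServer
$Instance = 'SQL01'

# 1. What account does the SQL Server service run as? The article's worst case is a
#    Domain Admin; ideally you see a gMSA (name ending in '$') or a plain service account.
Get-CimInstance -ClassName Win32_Service -Filter 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%"' |
    Select-Object Name, StartName, State

# 2. Which of the UNC-capable extended procedures can 'public' still execute?
#    They live in master, and EXECUTE on them is granted to public out of the box.
$audit = @"
SELECT o.name AS procedure_name, pr.name AS grantee, dp.state_desc
FROM   sys.all_objects o
JOIN   sys.database_permissions dp ON dp.class = 1 AND dp.major_id = o.object_id AND dp.type = 'EX'
JOIN   sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE  o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs')
ORDER  BY o.name;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $audit | Format-Table -AutoSize

# 3. Revoke the grants from public. Logins that genuinely need these procedures can be
#    granted EXECUTE individually afterwards. Re-run the audit query to confirm.
$harden = @"
REVOKE EXECUTE ON xp_dirtree   FROM public;
REVOKE EXECUTE ON xp_fileexist FROM public;
REVOKE EXECUTE ON xp_subdirs   FROM public;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $harden
```

Run the audit query once more after the revoke; the rows for public should be gone. If step 1 shows a Domain Admin, changing the service to a gMSA or a dedicated low-privilege account is the bigger win than the revoke itself, because it limits what a captured authentication is worth.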
4. Turn on SMB Signing
There’s a setting on Windows systems called SMB signing that is very important to security, but unfortunately on most Windows versions Microsoft only requires it by default on domain controllers – on everything else you have to turn it on manually, on both the server side and the client side of each machine.
The risk here is that if an attacker can trick a high-privileged account into authenticating to a system under their control, the attacker can relay that authentication to other systems that don’t require signing, with evil instructions attached. Using the SQL Server example in #3, an attacker could trick the server into authenticating, then relay that authentication to every such system in your environment with a command that essentially says “Install ransomware!”
The victim systems will believe these instructions came from a high-privileged account, and follow them blindly! Signing stops this because the relayed session can’t produce a valid signature without the account’s password. Follow Microsoft’s guidance to enable – and require – SMB signing everywhere.
5. Disable Old Network Protocols
By default, Windows systems will choose to talk to each other insecurely, which gives an attacker the opportunity to trick them into authenticating to a rogue device.
For example, let’s say a system called DESKTOP is looking for a now-retired system called PRINT-01. DESKTOP will essentially yell out to the whole network, “Is anybody out there PRINT-01?” And if DESKTOP doesn’t find PRINT-01 in DNS right away, it will try again using older, insecure name-resolution protocols (LLMNR and the NetBIOS name service), which simply ask everyone on the local network. When that happens, an attacker on the network can virtually raise its hand and say, “Actually yes, I am PRINT-01, so please talk to me!”
When that happens, DESKTOP will try to authenticate to the evil system instead, which might allow the attacker to capture and crack the password (see #3) or relay it (see #4) to other machines. Check out this great article on disabling these insecure communications to remediate the issue.
6. Don't Let Attackers Steal Your Domain Controller
If your network has been around for several years, you might have a critical insecure setting in your environment that could let an attacker pretend to be a domain controller. Check your domain’s LAN Manager authentication level (the LmCompatibilityLevel setting), and if it is set to Send LM & NTLM responses or Send NTLM response only, your systems still speak NTLMv1. NTLMv1 responses captured on the network can be cracked back to the account’s NTLM hash in a matter of hours no matter how strong the password is, and an attacker who gets a domain controller’s account that way can compromise the entire domain.
Review Microsoft’s article about these settings and make a plan to migrate to a more secure configuration as soon as possible. Not sure if your domain is configured insecurely? Download a free copy of PingCastle and run it using any Active Directory account (no special privileges required).
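One local audit covering items 4, 5 and 6, as an added example (not code from the original article): it reads the registry values behind SMB signing, LLMNR, mDNS, NetBIOS over TCP/IP and LmCompatibilityLevel on the machine it runs on, reports which ones are out of policy, and with -Fix writes the secure values. The registry locations are Microsoft’s documented ones; the mDNS value is the commonly used control rather than a Group Policy setting, and the choice to treat level 5 as the only compliant LmCompatibilityLevel is this example’s own. Run it elevated, and in production push the same values by Group Policy rather than hand-editing each host.

```powershell
# Added example (not from the original article). Audits, and with -Fix corrects, the
# settings from items 4-6 on the local machine. Run elevated. The registry paths are the
# documented locations; treating only the "Want" values as compliant is this example's choice.

function Test-HostHardening {
    param([switch]$Fix)   # default is report-only; -Fix applies the secure values

    $checks = @(
        # --- #4 SMB signing: both the server side and the client side must *require* it.
        @{ Name  = 'SMB server requires signing'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'RequireSecuritySignature'; Want = 1 },
        @{ Name  = 'SMB client requires signing'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value = 'RequireSecuritySignature'; Want = 1 },
        # --- #5 legacy name resolution: LLMNR (GPO "Turn off multicast name resolution")
        #     and mDNS (no GPO; this registry value is the usual control).
        @{ Name  = 'LLMNR disabled'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
           Value = 'EnableMulticast'; Want = 0 },
        @{ Name  = 'mDNS disabled'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
           Value = 'EnableMDNS'; Want = 0 },
        # --- #6 LAN Manager authentication level: 5 = "Send NTLMv2 response only. Refuse
        #     LM & NTLM". An absent value means the OS default, which still accepts NTLMv1.
        @{ Name  = 'LmCompatibilityLevel = 5'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value = 'LmCompatibilityLevel'; Want = 5 }
    )

    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($current -eq $c.Want)
        if (-not $ok -and $Fix) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
            $ok = $true
        }
        [pscustomobject]@{ Check = $c.Name; Current = $current; Want = $c.Want; Compliant = $ok }
    }

    # NetBIOS over TCP/IP (item 5) is configured per interface: NetbiosOptions 2 = disabled.
    $nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $nbt) {
        $current = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $ok = ($current -eq 2)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            $ok = $true
        }
        [pscustomobject]@{ Check = "NetBIOS disabled on $($iface.PSChildName)"; Current = $current; Want = 2; Compliant = $ok }
    }
}

Test-HostHardening | Format-Table -AutoSize
# Test-HostHardening -Fix    # then reboot; the LmCompatibilityLevel and NetBIOS changes need it
```

A few practical notes: the SMB signing values can also be set with Set-SmbServerConfiguration and Set-SmbClientConfiguration (both take -RequireSecuritySignature), which is what the Microsoft guidance above uses. Requiring signing on the client side is what blocks relay attacks that originate from that machine, so do not stop at the server side. And because LmCompatibilityLevel governs what a domain controller will accept, run this on every DC, not just on workstations.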
7. Protect the Most Important Account in Active Directory
In every Active Directory environment there’s a sneaky – but critical! – account called krbtgt. You never log in with it directly, it can’t be deleted, and its password is never prompted for a change. But its password hash is used to encrypt and sign every Kerberos ticket-granting ticket in the domain, so whoever holds it can mint tickets for any user – it is something of a skeleton key to Active Directory, and it’s absolutely critical to protect.
When companies get compromised, they often change every user password as part of recovery efforts (which is a good thing). However, many companies also forget that the krbtgt account needs to be rotated as well, otherwise an attacker with the krbtgt password hash can remain in full control of your domain. Note that the domain keeps the two most recent krbtgt passwords, so a single reset is not enough: reset it twice, waiting for the first reset to replicate to every domain controller (and for outstanding tickets to expire, 10 hours by default) before the second. Check out Microsoft’s script to reset the krbtgt password, and consider rotating the credential yearly.
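The status check that goes with a krbtgt rotation, as an added example (not code from the original article or from Microsoft’s script): it asks every domain controller when krbtgt’s password was last set, so you can see both how old the key is and whether the first reset has reached every DC, which is the precondition for the second reset. It needs the ActiveDirectory module; the 180-day rotation threshold is this example’s own choice, and the 10-hour wait reflects the default maximum ticket lifetime.

```powershell
# Added example (not from the original article). Reports the age of the krbtgt key and
# whether the most recent reset has replicated to every domain controller. Needs the
# ActiveDirectory module. Threshold of 180 days is this example's choice.
Import-Module ActiveDirectory

function Get-KrbtgtStatus {
    param([int]$MaxAgeDays = 180)

    # Ask each DC directly rather than trusting whichever one answered first.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $perDc = foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc; PasswordLastSet = $u.PasswordLastSet }
    }

    $newest = ($perDc | Sort-Object PasswordLastSet -Descending | Select-Object -First 1).PasswordLastSet
    $hoursSince = ((Get-Date) - $newest).TotalHours

    # Every DC agreeing on PasswordLastSet means the last reset has replicated everywhere.
    $replicated = @($perDc | Where-Object { $_.PasswordLastSet -ne $newest }).Count -eq 0

    [pscustomobject]@{
        LastReset       = $newest
        AgeDays         = [int][math]::Floor($hoursSince / 24)
        NeedsRotation   = ($hoursSince / 24) -gt $MaxAgeDays
        Replicated      = $replicated
        # Safe to do the second reset only after replication *and* once tickets issued
        # under the previous key have had the default 10-hour lifetime to expire.
        SecondResetSafe = $replicated -and ($hoursSince -ge 10)
        PerDC           = $perDc
    }
}

Get-KrbtgtStatus | Format-List
```

The workflow is: run this, do the first reset with Microsoft’s script, run it again until Replicated and SecondResetSafe are both true, then do the second reset. Doing the second reset before replication finishes makes tickets issued by the slower DCs fail to validate, which shows up as authentication errors across the domain.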
Stay Ahead of Cyber Threats
As you can see, there are many potential threats lurking in your network, but with the right precautions, you can keep your systems secure. With robust penetration testing, you can uncover and fix vulnerabilities before they become major issues.
Visit Loffler's Cybersecurity page to explore our top-notch penetration testing services, brought to you in collaboration with 7 Minute Security. Additionally, learn more about Loffler's Managed Cyber and vCISO services, and find out how they can help you protect your business.
Brian Johnson is the President of 7 Minute Security, which specializes in security assessments, penetration testing, and training. He is especially passionate about teaching others about security, and hosts a weekly YouTube livestream and podcast to help consumers and businesses strengthen their security posture. When he isn’t camped out behind a keyboard, he enjoys indoor skydiving and outdoor activities with his family, as well as singing and playing guitar in an acoustic duo.