Enterprises continue to educate users on the need for password security and to establish and enforce password policies. Basic safeguards such as using unique passwords need to be encouraged. For example, if you use the same user name and password on all your websites, and one website is compromised, it is likely that all your websites will be compromised.
Pass the Hash (PtH) is a hacking technique by which an attacker can authenticate to a remote server or service by using the Windows NT LAN Manager (NTLM) authentication protocol or LanMan hash of a user password. A typical PtH attack starts with one endpoint being compromised by malware, which then manages to gain administrator-level access. With this access, the malware can steal the user's derived credentials and impersonate the user on other devices. As the attacker moves laterally across the network and finds additional devices to which the user has access, the malware can steal the derived credentials of other users who previously signed in to those devices.
Over time, an attacker can typically gain access to more and more derived credentials that have increased levels of network access. Eventually, it is likely that domain administrator accounts can be compromised, and then the consequences can be even worse.
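The lateral movement described above leaves a trace a defender can look for: one account authenticating over NTLM to many hosts in a short span. The following is an added example, not code from the book, that runs that heuristic over a constructed set of normalized Windows Security event 4624 records. The field names (`host`, `account`, `logon_type`, `auth_pkg`) and the sample records are assumptions made for this illustration; the 10-minute window and 5-host threshold are tuning knobs, not values the book gives.

```python
"""Added example (not from the book): spot the lateral-movement pattern the
text describes by looking for accounts whose NTLM network logons reach many
hosts in a short window, as recorded in Windows Security event 4624.
Field names and the sample records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of normalized 4624 (successful logon) records, not real
# telemetry. logon_type 3 is a network logon; auth_pkg is the
# AuthenticationPackageName field. A passed hash authenticates over NTLM,
# so Kerberos logons are left out of the count.
EVENTS = [
    {"time": "2016-03-01T09:00:05", "host": "WS-ALICE",  "account": "alice",      "logon_type": 2, "auth_pkg": "Kerberos"},
    {"time": "2016-03-01T09:01:10", "host": "FILESRV01", "account": "alice",      "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2016-03-01T10:15:00", "host": "PRINT01",   "account": "bob",        "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T10:16:30", "host": "FILESRV01", "account": "bob",        "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:02:00", "host": "WS-0041",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:02:30", "host": "WS-0042",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:03:10", "host": "WS-0043",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:04:00", "host": "WS-0043",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:04:45", "host": "WS-0044",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:05:20", "host": "WS-0045",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2016-03-01T13:06:00", "host": "WS-0046",   "account": "svc_backup", "logon_type": 3, "auth_pkg": "NTLM"},
]


def ntlm_network_logons(events) -> Dict[str, List[tuple]]:
    """Group (timestamp, host) pairs of NTLM network logons by account, sorted by time."""
    per_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    for logons in per_account.values():
        logons.sort()
    return per_account


def ntlm_fanout(events, window=timedelta(minutes=10), threshold=5) -> Dict[str, List[str]]:
    """Return {account: sorted distinct hosts} for every account that reached at
    least `threshold` distinct hosts over NTLM network logons inside any span of
    length `window`. Repeat logons to the same host do not add to the count."""
    flagged = {}
    for account, logons in ntlm_network_logons(events).items():
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in ntlm_fanout(EVENTS).items():
        print(f"{account}: NTLM network logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample data only `svc_backup` is flagged: six distinct hosts within four minutes, all over NTLM. `bob` also uses NTLM but reaches two hosts, which is ordinary behaviour, and `alice` is never counted because her logons use Kerberos. In production the same logic would run over events collected centrally from all hosts, since the point of the book's description is that the attacker hops between machines and no single host sees the whole picture.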
Here are the Microsoft features that address password and PtH attacks in Windows 10:
- Microsoft Passport
- Windows Hello
- Isolated User Mode
The goal of Microsoft Passport is to remove the need to enter user names and passwords for all compliant websites, applications, and resources. Microsoft Passport approaches this goal by doing the following:
- Replacing passwords with a private key made available solely through a user gesture, which can be a PIN or biometric identifier.
- Streamlining two-factor authentication.
- Using credentials on familiar mobile devices for desktop sign-in.
- Supporting both local and remote components such as phones, USB dongle, and so on.
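To make the list above concrete, here is an added example (not Microsoft's code or the book's) of the key-based sign-in pattern it describes: each site holds only a public key, the private key stays on the device and is used only after the user gesture (a PIN here) checks out, and every sign-in signs a fresh challenge. It assumes the third-party `cryptography` package is installed; the `Device` and `RelyingParty` classes and their method names are invented for this illustration.

```python
"""Added example (not Microsoft's code): a minimal key-based sign-in in the
style the book describes for Microsoft Passport. Each site holds only a public
key, the private key stays on the device and is used only after the user
gesture (a PIN here) checks out, and every sign-in signs a fresh challenge.
Assumes the third-party 'cryptography' package is installed; class and
method names are invented for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

PBKDF2_ROUNDS = 100_000


class Device:
    """User's device: one key pair per site, released only by the gesture."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)
        self._keys: Dict[str, Ed25519PrivateKey] = {}

    def enroll(self, site: str) -> bytes:
        """Create a site-specific key pair; only the public half leaves the device."""
        key = Ed25519PrivateKey.generate()
        self._keys[site] = key
        return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def sign_challenge(self, site: str, pin: str, challenge: bytes) -> Optional[bytes]:
        """Gesture check gates use of the private key; a wrong PIN yields no signature."""
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, self._pin_hash):
            return None
        return self._keys[site].sign(challenge)


class RelyingParty:
    """A website or service: stores public keys only, so a breach leaks nothing reusable."""

    def __init__(self):
        self._public_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def register(self, user: str, public_key: bytes) -> None:
        self._public_keys[user] = public_key

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random nonce; any earlier unanswered challenge is dropped."""
        nonce = os.urandom(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, signature: Optional[bytes]) -> bool:
        """Accept only a signature over the current nonce by the enrolled key; the nonce is single-use."""
        nonce = self._pending.pop(user, None)
        if nonce is None or signature is None or user not in self._public_keys:
            return False
        try:
            Ed25519PublicKey.from_public_bytes(self._public_keys[user]).verify(signature, nonce)
            return True
        except InvalidSignature:
            return False


def demo() -> Dict[str, bool]:
    """Run four sign-in attempts and report which ones the sites accept."""
    device = Device(pin="2468")
    bank, shop = RelyingParty(), RelyingParty()
    bank.register("alice", device.enroll("bank"))
    shop.register("alice", device.enroll("shop"))
    results = {}

    # 1. Correct PIN: the device signs the bank's nonce and the bank accepts it.
    nonce = bank.challenge("alice")
    good_sig = device.sign_challenge("bank", "2468", nonce)
    results["correct_pin"] = bank.verify("alice", good_sig)

    # 2. Wrong PIN: the key is never touched, so there is nothing to send.
    nonce = bank.challenge("alice")
    results["wrong_pin"] = device.sign_challenge("bank", "0000", nonce) is not None

    # 3. Replay: the earlier valid signature does not match the new nonce.
    bank.challenge("alice")
    results["replayed_signature"] = bank.verify("alice", good_sig)

    # 4. Cross-site: the bank key signing the shop's nonce fails at the shop,
    #    the opposite of a reused password working everywhere.
    nonce = shop.challenge("alice")
    results["cross_site_signature"] = shop.verify("alice", device.sign_challenge("bank", "2468", nonce))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the first attempt succeeds. The wrong PIN never reaches the key, the captured signature is useless against a new nonce, and the bank's key proves nothing to the shop, which is exactly the property the opening paragraph says shared passwords lack. A real implementation keeps the private key in hardware (a TPM) rather than in process memory and uses a stronger gesture check than a PBKDF2 compare, but the message flow is the same.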
Windows Hello is a new biometric identification system built into Windows 10 that recognizes your face, fingerprint, or iris. Windows Hello works together with Microsoft Passport on websites that support it; Passport is based on asymmetric-key cryptography that the Windows security team originally created to identify a cellphone to a network. All devices incorporating the Intel F200 RealSense 3D Camera support the facial and iris unlock features of Windows Hello.
The world is moving toward small, touch-based sensors that have a high degree of accuracy. These sensors can mitigate the majority of known attacks by using fingerprint authentication. All current fingerprint-capable readers are supported. The following are three examples of supported devices:
- Fingerprint Sensor FPC1021
- Fingerprint Sensor FPC1150
- Next Biometrics NB-1010-S
The face-recognition process involves a RealSense camera, which is embedded above the display. It uses photographic analysis, heat detection, and depth detection to check who is trying to access the device.
Fingerprint, face, and iris recognition share the same design language for enrollment, usage, and recovery with Windows Hello, and the enrollment process is very simple.
Isolated User Mode
There are two pieces to the Windows OS architecture: kernel mode and user mode. Because the kernel itself can be vulnerable to attack, user-mode code also needs to be protected from the kernel.
Isolated User Mode (IUM) introduces a Secure Kernel that is separated from the normal Windows kernel (the New Technology Operating System kernel, or NTOS kernel). The NTOS kernel has no knowledge of, and no access to, the address space of the user-mode code running in IUM: there is literally no normal kernel-mode access to that user-mode data.
IUM provides a runtime environment for Trustlets, the processes that run in IUM, and keeps Trustlets isolated from one another. The Secure Kernel runs in Secure Ring 0 and provides a hardened interface that proxies NTOS system calls.
The Local Authentication Authority (LSA) process in the OS, which authenticates users and logs them on to the local system, communicates with the isolated LSA by using remote procedure calls (RPC).
Data stored by using virtualization-based security is not accessible to the rest of the OS.
Credential Guard does not host any device drivers; instead, it hosts only a small subset of OS binaries that are needed for security. All of these binaries are signed with a certificate that is trusted by virtualization-based security.
Virtual TPM is a feature that emulates a TPM and presents it to guest virtual machines running on a host.
Source: Deploying Windows 10 Press Book