jborean93 / pypsexec

Remote Windows execution like PsExec on Python
MIT License

Security implications of LocalAccountTokenFilterPolicy=1 #32

Closed benjaminrein closed 3 years ago

benjaminrein commented 3 years ago

Hi @jborean93,

I just want to make you aware that setting LocalAccountTokenFilterPolicy=1 creates a huge security risk for the whole network. It enables Pass The Hash attacks (e.g. using mimikatz) in the network. This kind of attack is often used for lateral movement as part of a malware attack (Emotet and the like). I know that a lot of Microsoft documentation which uses LocalAccountTokenFilterPolicy as a workaround does not clearly state the risk that changing this setting comes with. I would suggest including a hint in your documentation.

The use of Local Account Password Solution (LAPS), which changes local passwords at a configurable interval, is known to reduce the risk. Unfortunately, LAPS needs Group Policy and Active Directory to work.

Very detailed explanation: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

Regards Benjamin

jborean93 commented 3 years ago

I just want to make you aware that setting LocalAccountTokenFilterPolicy=1 creates a huge security risk for the whole network

Honestly I would beg to differ. Yes, there is a security risk here in that it means any local accounts are elevated when logged on with a network logon like SMB, but this policy only applies to local accounts, specifically local accounts that are not the builtin Administrator account by default. Any domain account, or the builtin admin account (by default), will not be filtered and acts like LocalAccountTokenFilterPolicy=1. So from a Pass The Hash perspective this is only a security issue if you are

  1. Connecting with a local account, and
  2. You are sharing the same password for your local accounts

In a domain environment you usually connect with a domain account, which is always elevated on a network logon, bypassing the need for this policy. If you do need to use a local account then this typically must be set, as the mechanism to create the PSExec service requires admin rights from the SMB network logon. If you must use local accounts then your environment should not be using the same password, limiting the effectiveness of the pass the hash attack, and LAPS is a great tool to make sure you are using unique local account passwords.

I think I've thoroughly documented when this setting must be used at https://github.com/jborean93/pypsexec#user-account-control.
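Added audit example (not from pypsexec or either commenter): a PowerShell script that reads the UAC remote-restriction values the reply above describes and lists which enabled local administrator accounts would receive an unfiltered token on a network logon. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember, Get-LocalUser; Windows 10 / Server 2016 and later) and the registry key HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where LocalAccountTokenFilterPolicy and FilterAdministratorToken (the value governing the builtin Administrator exception mentioned in the reply) both live.

```powershell
# Added audit example (not pypsexec code). Reads the UAC remote-restriction values
# discussed in this thread and lists the enabled local admin accounts they affect.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RemoteUacPosture {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # An absent value means the Windows default of 0.
    # LocalAccountTokenFilterPolicy=0: local admins get a filtered token on network logons.
    # LocalAccountTokenFilterPolicy=1: they get the full admin token (what pypsexec needs).
    $latfp = if ($null -ne $props.LocalAccountTokenFilterPolicy) { [int]$props.LocalAccountTokenFilterPolicy } else { 0 }
    # FilterAdministratorToken=0 (default): the builtin Administrator (RID 500) is never filtered.
    $fat = if ($null -ne $props.FilterAdministratorToken) { [int]$props.FilterAdministratorToken } else { 0 }

    # Enabled local (non-domain) user accounts that are members of Administrators.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object { $_.Enabled }

    $builtin = $localAdmins | Where-Object { $_.SID.Value -like '*-500' }
    $others  = $localAdmins | Where-Object { $_.SID.Value -notlike '*-500' }

    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $latfp
        FilterAdministratorToken      = $fat
        # Accounts whose network logon (e.g. SMB) yields a full admin token:
        UnfilteredRemotely = @(
            if ($fat -eq 0)   { $builtin | ForEach-Object Name }
            if ($latfp -eq 1) { $others  | ForEach-Object Name }
        )
        # Still admins locally, but filtered when they log on over the network:
        FilteredRemotely = @(
            if ($fat -eq 1)   { $builtin | ForEach-Object Name }
            if ($latfp -eq 0) { $others  | ForEach-Object Name }
        )
    }
}

# Run elevated on the host being audited. Every name under UnfilteredRemotely is one
# whose password should be unique per machine (LAPS or equivalent), since a shared
# local admin password is what makes a captured hash reusable across the network.
Get-RemoteUacPosture | Format-List
```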