As promised, this is the official response from Microsoft when I asked them how to protect against the DCOM/NTLM reflection abuse:

“The team has responded that with the current model there are no hardening recommendations we can offer. They are taking this report as something to pursue for next-version hardening but I don’t have an estimate on which version this would be released in. This isn’t something we could address with a security update or CVE and as such I’ll be closing this case.”

Changes to the DCOM subsystem are not something we would do via a security update since there is significant risk involved – this would be something which was addressed in a future version of Windows. An important part is the SeImpersonate privilege is designed to allow a service to impersonate other users on the system. Changing this model could have very negative impact on how services work.

Yes, you got it. There is no reasonable way to protect against this attack if you have the SeImpersonate or SeAssignPrimaryToken privileges.

Same old, same old: protect sensitive accounts and the applications that run under service accounts.
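Since there is no setting to turn off, the practical defensive step is to know which principals on a host hold the two “golden” privileges and which services actually run under those identities. The PowerShell below is an added example for that audit; it is not code from the original post or from Microsoft. It assumes an elevated prompt on Windows and uses only `secedit.exe` and the `Win32_Service` CIM class; the function and variable names are my own.

```powershell
# Added audit example (not from the original post). Lists who is granted
# SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege on this host and
# which services run under accounts that end up holding them.
# Assumes: elevated PowerShell on Windows; secedit.exe is part of Windows.

$PrivilegesOfInterest = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; anything else is already a name.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (e.g. a deleted account): keep it raw
        }
    }
    return $Entry
}

function Get-GoldenPrivilegeHolders {
    # Export only the user-rights area of the local security policy to a temp .inf.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) {
        throw 'secedit export failed; run this from an elevated prompt.'
    }
    try {
        foreach ($line in Get-Content $inf) {
            # Lines look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $PrivilegesOfInterest -contains $Matches[1]) {
                $privilege = $Matches[1]
                foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if ($entry) {
                        [pscustomobject]@{
                            Privilege = $privilege
                            Principal = (Resolve-PrincipalName $entry)
                            Raw       = $entry
                        }
                    }
                }
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Get-ServiceLogonAccounts {
    # Every account that logs on as a service receives the SERVICE SID (S-1-5-6)
    # in its token, and SERVICE holds SeImpersonatePrivilege by default, so the
    # list of service logon accounts is the list of identities to protect.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName } |
        Group-Object StartName |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Services = ($_.Group.Name -join ', ')
            }
        }
}

$holders = Get-GoldenPrivilegeHolders
'Direct grants of the golden privileges:'
$holders | Sort-Object Privilege, Principal | Format-Table -AutoSize

if ($holders.Raw -contains '*S-1-5-6') {
    'SERVICE (S-1-5-6) is granted SeImpersonate/SeAssignPrimaryToken, so these service accounts inherit it:'
    Get-ServiceLogonAccounts | Sort-Object Account | Format-Table -AutoSize
}
```

The first table shows what the policy grants directly (by default `BUILTIN\Administrators`, `SERVICE`, `LOCAL SERVICE` and `NETWORK SERVICE`). The second table is the part people overlook: because `SERVICE` is in the default grant, a custom service account is an effective holder even though its name never appears in the policy, which is exactly why the post's advice is to guard the accounts and applications running as services rather than to look for a switch.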

Juicy Potato (abusing the golden privileges)
