Preventing SMB Password Leakage to the Internet

August 2015 — A security issue has been identified in Windows whereby Active Directory credentials may be sent to hosts on the internet as a result of a malicious attack (or misconfiguration). Once a malicious party has a username, password hash and a source IP address, the hash could be decoded to the original plain-text password and used to attack other Internet-facing assets, such as Outlook Web Access or Remote Desktop.

To mitigate exploitation of such an attack:

- Ensure user passwords are strong, unique and lengthy. This makes decoding the hash more difficult and may mitigate dictionary attacks. Malicious third parties may prioritise intrusions against systems where the passwords are weaker.
- On individual workstations, configure the firewall to drop SMB packets except on the local subnet:
  For Windows Vista and above, open an elevated command prompt and enter:

    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (SMB-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Datagram-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Name-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Session-Out)" new remoteip=localsubnet

- Configure the router to drop outgoing packets on ports 135-139 and 445.
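As an added example (not part of the original advisory), the following PowerShell applies the same workstation restriction with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, verifies the result, and surfaces two things the netsh commands alone do not show: the profile's default outbound action, which decides whether scoping these allow rules blocks anything at all, and any live SMB sessions to non-private addresses. The rule display names are taken from the advisory above; the RFC 1918 pattern used for the audit is an assumption about the reader's address plan.

```powershell
#Requires -RunAsAdministrator
# Added example, not the advisory's own code. Scopes the built-in outbound
# File and Printer Sharing allow rules to the local subnet, then checks the result.
$ruleNames = @(
    'File and Printer Sharing (SMB-Out)',
    'File and Printer Sharing (NB-Datagram-Out)',
    'File and Printer Sharing (NB-Name-Out)',
    'File and Printer Sharing (NB-Session-Out)'
)

foreach ($name in $ruleNames) {
    # One display name usually matches several rules (one per profile); scope all of them.
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "Rule not found: $name"; continue }
    $rules | Set-NetFirewallRule -RemoteAddress LocalSubnet
}

# Verify: every matching rule should now carry RemoteAddress = LocalSubnet.
foreach ($name in $ruleNames) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-48} {1,-16} {2}' -f $_.DisplayName, $_.Profile, ($addr -join ',')
    }
}

# Caveat: these are allow rules. Windows Firewall's default outbound action is
# Allow, and an allow rule only matters when the profile's default is Block, so
# the scoping above takes effect only on profiles that show Block here.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# Audit: established TCP 445 sessions to addresses outside RFC 1918 / loopback
# space are exactly the traffic this advisory is about. (Assumed private ranges.)
$privateV4 = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateV4 } |
    Select-Object LocalAddress, RemoteAddress, OwningProcess
```

Run it from an elevated PowerShell session; any row in the final listing is an outbound SMB session leaving the private network and worth investigating.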