Preventing SMB Password Leakage to the Internet

An ongoing security issue exists in Windows and related products whereby Active Directory credentials may be sent to hosts on the internet as a result of a malicious attack (or misconfiguration). Once a malicious party has a username, password hash and a source IP address, the hash could be decoded to the original plain text password and provide an attack on other Internet-facing assets, such as Outlook Web Access or Remote Desktop.

The issue is that various types of URLs and links which are formatted for SMB (e.g. \\Server\Share) will sometimes trick an application into resolving that link, and NTLM credentials will be sent to the remote host. This behaviour is being stopped in various applications as it is discovered, but due to the ubiquity of SMB URL support, it is an ongoing problem.

To mitigate exploitation of such an attack:

- Ensure user passwords are strong, unique and lengthy. This makes decoding the hash more difficult, and may mitigate dictionary attacks. Malicious third-parties may prioritise intrusions against systems where the passwords are weaker.

- On individual workstations, configure the firewall to drop SMB packets except on the local subnet. For Windows 8.1 and above, open an elevated command prompt and enter:

  PowerShell "New-NetFirewallRule -DisplayName 'Block Outbound SMB to Internet' -Direction Outbound -Action Block -Protocol TCP -RemotePort 135-139,445 -RemoteAddress Internet -InterfaceType Wireless,Wired"
  PowerShell "New-NetFirewallRule -DisplayName 'Block Outbound SMB to Internet' -Direction Outbound -Action Block -Protocol UDP -RemotePort 135-139,445 -RemoteAddress Internet -InterfaceType Wireless,Wired"

- Configure the router to drop outgoing packets on ports 135-139 and 445.
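The two commands above create the block rules but are not idempotent (DisplayName is not unique in Windows Firewall, so running them twice leaves duplicate rules), and they give no way to see whether the block is ever hit. The script below is an added example, not part of the original article: it creates the same TCP and UDP rules under fixed rule names of our own choosing (Block-Outbound-SMB-TCP / Block-Outbound-SMB-UDP, assumed names), skips creation when they already exist, turns on logging of dropped packets, and parses the Windows Firewall log for outbound SMB attempts that were dropped, which is the evidence a defender wants when checking whether something on the workstation tried to reach an internet SMB host. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later and the default firewall log path.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on Windows 8.1+ with the NetSecurity module available.
# Rule names below are our own choice; -Name is the unique key, DisplayName is not.

$rules = @(
    @{ Name = 'Block-Outbound-SMB-TCP'; Protocol = 'TCP' },
    @{ Name = 'Block-Outbound-SMB-UDP'; Protocol = 'UDP' }
)

foreach ($r in $rules) {
    # Check by -Name so re-running the script never creates duplicate rules.
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name `
            -DisplayName "Block Outbound SMB to Internet ($($r.Protocol))" `
            -Direction Outbound -Action Block -Enabled True `
            -Protocol $r.Protocol -RemotePort '135-139','445' `
            -RemoteAddress Internet -InterfaceType Wireless,Wired | Out-Null
        Write-Host "Created rule $($r.Name)"
    } else {
        Write-Host "Rule $($r.Name) already present"
    }
}

# Log dropped packets on every profile so a blocked SMB attempt leaves a record.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# Read the firewall log and return dropped *outbound* connections to SMB ports.
# Log field order (from the #Fields: header of pfirewall.log):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-BlockedOutboundSmb {
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    )
    $smbPorts = @(135, 136, 137, 138, 139, 445)

    Get-Content -Path $LogPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split ' '
            # ICMP entries carry '-' for the port fields, so only accept numeric ports.
            if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $f[16] -eq 'SEND' -and
                $f[7] -match '^\d+$' -and ([int]$f[7]) -in $smbPorts) {
                [pscustomobject]@{
                    Time        = "$($f[0]) $($f[1])"
                    Protocol    = $f[3]
                    Source      = $f[4]
                    Destination = $f[5]
                    DstPort     = [int]$f[7]
                }
            }
        }
}

# Usage: list any dropped outbound SMB attempts, grouped by destination host.
Get-BlockedOutboundSmb | Group-Object Destination |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The `-RemoteAddress Internet` keyword is resolved by the firewall itself from the machine's network configuration, so file-server access on the local subnet keeps working while anything routed beyond it is dropped; if a legitimate SMB destination shows up in the grouped output, that is the signal to add it explicitly rather than to loosen the rule. Repeated drops towards a single external host from an ordinary user workstation are what a lure like the \\Server\Share links described above would produce, and are worth passing to the SOC.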