Windows 2008 Server introduced a new feature known as Group Policy Preferences that allows administrators to deploy specific configurations that affect computers/users within a domain. This post details a serious problem associated with the use of Group Policy Preferences, specifically when a policy includes a username and encrypted password, which can result in a normal user being able to escalate their level of privilege on their local desktop/laptop and potentially compromise the security of the entire domain. Continue reading
Windows 2012 R2 servers use a newer version of the Remote Desktop Protocol (RDP) that has a feature that will be interest to both penetration testers and system administrators. This post describes the new “Restricted Admin” feature, the security benefits it brings and a potential downside of the feature: Pass-the-Hash attacks. We’ll briefly recap what Pass-the-Hash attack are and demonstrate such an attack against a Windows 2012 R2 server. A proof-of-concept (PoC) tool to carry out Pass-the-Hash attacks against Windows 2012 R2 server is also released – a trivial modification to the excellent FreeRDP client. Continue reading
By default, Windows systems will allow low privileged users to create directories (but not files) in the root of the `C:’ drive. In this post we ask if that’s really a security problem and ultimately conclude that, yes sometimes it can be. Continue reading
Windows has had the ability to embed HTML into it’s user interface for many years. Right back to and including Windows NT 4.0, it has been possible to embed HTML into the task bar, but the OS has always maintained a sandbox, from which the HTML has been unable to escape. All this changes with Windows Vista. Continue reading