Benjamin Delpy did it again. This time his attention was focused on the aged SCCM1. Once developed in the late 90s, it looks back on a turbulent history with some twists and turns. Unfortunately the security behind it looks exactly the same what you would expect and at best can be considered as “rotten” when still using 3DES2 to communicate with clients3.
The video of a current Windows 2019 server with RDS/RDP terminal services clearly stand for itself. No prior code injection, no previously installed tools or libraries - just mimikatz4 on any connected AD machine and all passwords of current logged in users become visible in plain text5.
According to Benjamin Delpy, Mimikatz reads the passwords directly from the terminal server’s memory. So far, this has been tested on current Windows terminal servers 2016/2019 and Windows 10 LTSC. Further tests also confirm 2012R2 as well as Windows 10 21H1. With the release dated on 18.05.20216, the PINs of smartcards can also be extracted in plain text on the server. External credential providers (e.g. PrivacyIDEA) are not affected yet.
The main problem: Why is Microsoft disregarding industry best practice and keeping user passwords and smartcard PINs (!!!) unprotected and readable for everyone in plain text in the server’s main memory?
The next weeks and months are going to be very interesting. For decades, I have propagated the idea of locking Windows-AD networks behind controllable Linux application gateways or proxies. Unfortunately, the situation in many companies is that everything is integrated into an AD which is not locked away quickly. This is clearly visible in companies that can not even be reached by phone in the event of a ransomware incident.
If I may quote myself from last year, regarding home office workplaces and how they can reasonably and sustainably connect to business applications on an RDS/RDP terminal server 6:
For me, terminal servers with free HTTPS gateways are an essential part of sustainable development.
Told you so!