Event details
Join us for our March 9 “Ask Microsoft Anything” chat about Windows Server updates and upgrades. We’ll cover your questions on how to stay more secure by upgrading older servers (2008 and 2012 versio...
EricStarker
Updated Mar 09, 2023
MattTheSysAdmin
Mar 09, 2023
Brass Contributor
To 'overcome' our Server 2003 woes, one of our developers has suggested he build some sort of 'Kerberos Proxy', that would essentially receive AES Kerberos tickets and spit out the same ticket encrypted in RC4.
After I'd picked myself up off the floor and finished laughing, I was shocked that management were actually exploring this as a real possibility.
Question:
I need to dissuade them from going anywhere near this path. Would this actually work? Do you know of any security guidance against this kind of proxy (essentially creating a man-in-the-middle attack on yourself)? Any large sticks I can beat these people with?
- Cliff_Fisher Mar 09, 2023
Microsoft
I don't believe this would be possible due to various tamper protections, but either way, this is absolutely not supported by Microsoft.
- MattTheSysAdmin Mar 09, 2023
Brass Contributor
Thanks Cliff. Any chance you have references to these tamper protections?
- Cliff_Fisher Mar 09, 2023
Microsoft
I'd have to have a member of the Kerberos team answer this question, but I'd say two things: Check out the Kerberos protocol docs on MSDN, and consider that to do this, you'd effectively be creating a man-in-the-middle downgrade attack intentionally in your own environment. What's to prevent an attacker with an internal foothold from leveraging this to own the rest of your environment? You'd be opening the environment to tons of liability.
- Keith_Hoffman Mar 09, 2023
Former Employee
Our recommendations in this case would be to:
1. Upgrade your legacy Server 2003 systems to a supported OS that is still getting security updates
2. Air gap any legacy systems you cannot immediately upgrade
3. Place any legacy systems you cannot immediately upgrade into their own domain structure
The hardening included in the November update is there to help our customers be more secure as we know RC4 and DES are easily compromised. So along the lines of keeping things as secure/safe as possible, we would not recommend doing *anything* to try to work around the hardening. So while the Kerberos proxy idea is innovative it is not something we would recommend doing. You'd be better off spending those resources trying to upgrade those 2003 boxes.
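An added defender's check to go with the recommendations above (example code, not from the thread or from Microsoft): before relying on the November hardening, inventory which services are still handed RC4 or DES tickets by reading the Ticket Encryption Type field of Kerberos audit events 4768/4769, so the legacy boxes and the accounts that talk to them can be listed for upgrade or isolation. The event lines, account names, hosts and addresses below are constructed; a real export (for example from Get-WinEvent) would need its own field parsing.

```python
import re
from collections import defaultdict

# Encryption type codes as logged in the "Ticket Encryption Type" field of
# Windows security events 4768 (TGT request) and 4769 (service ticket request).
WEAK_ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5",
               0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
STRONG_ETYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}

# Constructed sample export (not real logs): one flattened event per line.
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@CORP.EXAMPLE Service=cifs/fs01 ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x12
EventID=4769 Account=svc_backup@CORP.EXAMPLE Service=host/legacy03 ClientAddress=::ffff:10.0.0.55 TicketEncryptionType=0x17
EventID=4769 Account=bob@CORP.EXAMPLE Service=host/legacy03 ClientAddress=::ffff:10.0.0.30 TicketEncryptionType=0x17
EventID=4768 Account=bob@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE ClientAddress=::ffff:10.0.0.30 TicketEncryptionType=0x12
EventID=4769 Account=carol@CORP.EXAMPLE Service=http/oldapp ClientAddress=::ffff:10.0.0.77 TicketEncryptionType=0x3
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict with numeric EventID/etype."""
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(fields["EventID"])
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def weak_ticket_report(log_text):
    """Group weak-etype ticket requests by service principal, so each legacy
    SPN appears once together with the clients and accounts that reach it."""
    report = defaultdict(lambda: {"etypes": set(), "clients": set(), "accounts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] not in (4768, 4769):
            continue
        etype = ev["TicketEncryptionType"]
        if etype in WEAK_ETYPES:  # AES tickets (0x11/0x12) are ignored
            entry = report[ev["Service"]]
            entry["etypes"].add(WEAK_ETYPES[etype])
            entry["clients"].add(ev["ClientAddress"])
            entry["accounts"].add(ev["Account"])
    return dict(report)


if __name__ == "__main__":
    for service, info in weak_ticket_report(SAMPLE_EVENTS).items():
        print(f"{service}: {sorted(info['etypes'])} clients={sorted(info['clients'])}")
```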