Protect against password cracking in Windows
Solution 1:
No to avoid it, as to steal kerberos ticket or NTLM hash keep in mind the user must be a local administrator, and the application must be run as a admin too.
Please see that note from mimikatz;
Run Mimikatz as Administrator: Mimikatz needs to be “Run as Admin” to function completely, even if you are using an Administrator account.
As such it fall into the 10 immutable laws of security; See the one in bold;
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
As you fall into the 10 immutable laws of security, Microsoft will never fix that, as a admin can do anything on the computer, even installing a keylogger, who know, as you must understand it's more how you protect your environment against such attack vector that is important.
So at first I would suggest to use restricted group GPO to make sure no one can add itselft to the local admin group.
Secondly I would remove all other boot device than the HDD to secure who can boot on a flash device, to prevent someone that could wipe a local admin account's password.
Thirdly I would protect with a strong password the BIOS.
Lastly, I would use a encryption method for the hard disk, to prevent non-authorized change by a cold boot if someone remove the hard disk from the machine.
There is surelly other tips, but you must abide to a strong security's model if you want to secure your enterprise work space, and enable account auditing if you want to catch a bad actor.
Solution 2:
With default settings it's not possible to dump clear text WDigest credentials from the LSA memory anymore, but having local administrator privileges all these new security features can still be disabled, as Microsoft loves to keep backwards compatibility. So, after adding a couple of registry keys Mimikatz – or Kiwi for Windows 10 – starts to function again for all passwords entered after the modifications.
-
In Windows 8.1 security features were added that stops storing WDigest credentials in clear text, and they were backported to earlier Windows versions in KB2871997, fixing every version since Windows 7. When the feature is enabled, Mimikatz starts showing
(null)
for the password, but it can be disabled with:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest] "UseLogonCredential"=dword:00000001
-
In Windows 10, Windows Defender Credential Guard is protecting passwords. After disabling the security feature as described above, the passwords are shown, but they are not in clear text:
However, Windows Defender Credential Guard can be disabled through Group Policy. As this policy effectively just adds two registry keys, it's egually easy to disable e.g. from command prompt.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] "EnableVirtualizationBasedSecurity"=dword:00000000 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA] "LsaCfgFlags"=dword:00000000
Once a user uses his password again, it appears in clear text:
As this could easily be used for stealing Domain Administrator credentials, people should not have local admin privileges on their workstations, and separate accounts without Domain Administrator privileges should be used for local administration.