How to Mitigate the Critical SAM Vulnerability in Microsoft Windows 10 and 11 (SeriousSAM, CVE-2021-36934)
Users of Microsoft Windows 10 and Windows 11 are exposed to a recently disclosed vulnerability for which, at the time of writing, Microsoft had not yet released a patch.
As we reported last week, the vulnerability, known as SeriousSAM (also called HiveNightmare), lets an attacker with only standard-user permissions read Windows registry hive files and go on to perform a Pass-the-Hash (and potentially Silver Ticket) attack.
An attacker who exploits it obtains the password hashes stored in the Security Account Manager (SAM) and in the related SYSTEM and SECURITY registry hives, and can ultimately execute arbitrary code with SYSTEM privileges.
The flaw, tracked as CVE-2021-36934, is present in the default configuration of Windows 10 (version 1809 and later) and Windows 11: the registry hive files under %windir%\System32\config carry an access control list that grants Read permission to the built-in Users group, which contains every local user.
As a result, any local user is allowed to read the SAM and the other hives, including the hashes they contain. Windows keeps the live hive files locked while it runs, but a copy of them is preserved in any Volume Shadow Copy of the system drive, and that copy carries the same permissive ACL. Once the attacker has ordinary user access, he can use a tool such as Mimikatz (or Impacket's secretsdump) to parse the copied hives, extract the NT hashes of local accounts along with the LSA secrets and cached domain credentials in the SECURITY hive, and either crack them or replay them directly with Pass-the-Hash. Because local administrator passwords are frequently reused across machines, this quickly turns into elevated privileges across the network.
Until Microsoft releases an official patch, the way to protect your environment from SeriousSAM is to harden the configuration yourself. Microsoft's published workaround does two things: it restricts the ACL on the files in %windir%\System32\config, and it deletes the existing Volume Shadow Copies, which would otherwise keep a readable copy of the hives. The measures below build on that.
Mitigate the SeriousSAM vulnerability
According to Dvir Goren, CTO at CalCom, there are three hardening measures to choose from:
- Remove all users from the built-in Users group. This is a starting point, but it is intrusive (BUILTIN\Users is what grants ordinary accounts most of their day-to-day rights) and it will not protect you if administrator credentials are stolen.
- Restrict the permissions on the SAM and the other hive files, allowing access only to Administrators and SYSTEM. This is essentially Microsoft's workaround: re-enable ACL inheritance on %windir%\System32\config\*.* so the hives lose the BUILTIN\Users entry, then delete the existing shadow copies, which still hold copies of the hives with the old ACL. Again, this solves only part of the problem: if an attacker steals administrator credentials, the hives are readable anyway.
- Do not allow storage of passwords and credentials for network authentication. This rule is also recommended in the CIS benchmarks. It stops Credential Manager from saving the credentials that users and scheduled tasks supply for network authentication, so there is less credential material in the hives for an attacker to harvest. It does not remove the hashes of local accounts from the SAM itself, so it should be combined with the permission fix above rather than relied on alone.
When you implement the rule through Group Policy, enable the setting at the following path:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication
On a single machine the same setting corresponds to the DWORD value DisableDomainCreds = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is also what you read back to verify that the policy has applied.
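The following PowerShell script is added here as an example; it is not code from the article or from CalCom. It audits a machine for the two conditions that make CVE-2021-36934 exploitable (a BUILTIN\Users entry on the hive files, and a Volume Shadow Copy that preserves the hives with that entry), applies Microsoft's published workaround (icacls inheritance plus shadow copy deletion), and sets the Group Policy rule above through its registry value. The function and script names are this example's own. Run it from an elevated prompt, and run it with -Apply only after testing, because deleting shadow copies discards System Restore points.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from CalCom. Audit the local
# machine for CVE-2021-36934 exposure and optionally apply the mitigations.
# Usage:  .\Fix-SeriousSam.ps1          # report only
#         .\Fix-SeriousSam.ps1 -Apply   # apply workaround + policy, then re-report
param([switch]$Apply)

$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveNames = 'SAM', 'SECURITY', 'SYSTEM'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # holds DisableDomainCreds

function Test-HiveReadableByUsers {
    # True when BUILTIN\Users holds an Allow ACE on the hive. Get-Acl needs only
    # READ_CONTROL on the file, so it works although Windows keeps the hive locked.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow'
    })
}

function Get-SeriousSamPosture {
    # Collect the indicators in one object so a before/after comparison is easy.
    param([string]$Stage = 'Current')
    $exposed = foreach ($name in $HiveNames) {
        if (Test-HiveReadableByUsers (Join-Path $ConfigDir $name)) { $name }
    }
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    $policy  = (Get-ItemProperty -Path $LsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds

    [pscustomobject]@{
        Stage              = $Stage
        ExposedHives       = @($exposed)
        ShadowCopies       = $shadows
        DisableDomainCreds = [int]$policy           # $null (value absent) becomes 0
        # Hashes are reachable only if a hive is exposed AND a snapshot of it exists.
        Exploitable        = (@($exposed).Count -gt 0) -and ($shadows -gt 0)
    }
}

function Invoke-SeriousSamWorkaround {
    # 1. Microsoft's workaround: restore ACL inheritance on every file in
    #    %windir%\System32\config so the hives inherit the directory's
    #    Administrators/SYSTEM-only DACL and lose the BUILTIN\Users ACE.
    & icacls.exe (Join-Path $ConfigDir '*.*') /inheritance:e | Out-Null

    # 2. Snapshots taken before step 1 still hold the hives with the old DACL,
    #    so Microsoft's workaround also deletes them. This removes System
    #    Restore points; create a new restore point afterwards if you need one.
    & vssadmin.exe delete shadows "/for=$env:SystemDrive" /quiet | Out-Null

    # 3. The GPO rule from the article, written as its registry value. It stops
    #    Credential Manager from saving network credentials; it does not strip
    #    local account hashes from the SAM, which is why step 1 stays essential.
    Set-ItemProperty -Path $LsaKey -Name DisableDomainCreds -Value 1 -Type DWord
}

$before = Get-SeriousSamPosture -Stage Before
if ($Apply) {
    Invoke-SeriousSamWorkaround
    $before
    Get-SeriousSamPosture -Stage After
}
else {
    $before
}
```

The Exploitable flag is deliberately stricter than "a hive is exposed": on a machine with no shadow copies the permissive ACL is still wrong and still worth fixing, but the hashes are not reachable until the next snapshot is created (Windows Update creates one), so the flag tells you which machines to fix first. Step 3 is the GPO rule applied locally; in a domain, let Group Policy set it and use the registry value only to verify.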
Although the last recommendation is a useful hardening measure against SeriousSAM, it can disrupt production if it is not tested properly before being pushed. When this setting is enabled, applications that rely on scheduled tasks configured with stored credentials, and any other software that keeps network credentials locally, may fail.
Mitigate SeriousSAM without risking damage to production
Here are Dvir’s recommendations for mitigating without causing downtime:
- Set up a test environment that simulates your production environment, reproducing the dependencies in your network as accurately as possible.
- Analyze the impact of the rule in that test environment. If you have applications that rely on locally stored credentials, you will find out ahead of time and avoid production downtime.
- Push the policy out as widely as possible. Make sure that new machines are hardened too and that the configuration does not drift over time.
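The following PowerShell script is added here as an example and is not code from the article or from CalCom. It implements the drift check from the last step: it probes a list of machines over PowerShell Remoting for the SeriousSAM baseline (no BUILTIN\Users entry on the hive files, DisableDomainCreds set to 1), flags the machines on which the hashes are reachable today, and treats unreachable hosts as unverified. The computer names are constructed placeholders; the targets need WinRM enabled and the account running the script must be a local administrator on them.

```powershell
# Added example, not code from the article or from CalCom. Audit a fleet for
# drift from the SeriousSAM hardening baseline over PowerShell Remoting.
$Computers = 'WS-0001', 'WS-0002', 'SRV-FILE01'   # constructed placeholder names

# Runs on each target and returns one record per machine.
$Probe = {
    $configDir = Join-Path $env:windir 'System32\config'
    $exposed = foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
        $acl = Get-Acl -LiteralPath (Join-Path $configDir $name)
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow'
        }
        if ($ace) { $name }
    }
    $policy = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                  -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Build              = [System.Environment]::OSVersion.Version.Build   # affected from 17763 (1809) upwards
        ExposedHives       = @($exposed) -join ','
        ShadowCopies       = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
        DisableDomainCreds = [int]$policy                                   # absent value reads as 0
    }
}

function Add-Verdict {
    # Drift = deviates from the baseline; Exploitable = an exposed hive plus a
    # snapshot that preserves it, i.e. the machines to fix first.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $hiveExposed = $Record.ExposedHives -ne ''
        $Record |
            Add-Member -NotePropertyName Drift       -NotePropertyValue ($hiveExposed -or ($Record.DisableDomainCreds -ne 1)) -PassThru |
            Add-Member -NotePropertyName Exploitable -NotePropertyValue ($hiveExposed -and ($Record.ShadowCopies -gt 0))      -PassThru
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $Probe -ErrorAction Continue |
           Add-Verdict

# A host you cannot audit is not known to be hardened, so report it separately.
$reached = @($results | ForEach-Object Computer)
$Computers | Where-Object { $_ -notin $reached } |
    ForEach-Object { Write-Warning "$_ not reachable over WinRM; treat as unverified" }

$results | Sort-Object Exploitable, Drift -Descending |
    Format-Table Computer, Build, ExposedHives, ShadowCopies, DisableDomainCreds, Drift, Exploitable -AutoSize
$results | Export-Csv -NoTypeInformation -Path ".\seriousSAM-audit-$(Get-Date -Format yyyyMMdd).csv"
```

Scheduling this to run daily and diffing the CSV against the previous run is the simplest form of drift detection: a machine that was compliant yesterday and exposed today has either been re-imaged from an old template or had its ACL reset, and either way it needs the workaround applied again.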
These three tasks are complex and require a lot of internal resources and expertise. Dvir's final recommendation is therefore to automate the entire hardening process rather than performing steps 1, 2 and 3 by hand.
Here is what you gain with a hardening automation tool:
- Automatically generate the most accurate impact analysis report possible. Hardening automation tools learn your production dependencies and alert you to the potential impact of each policy rule.
- Automatically enforce your policy across your entire production estate from a single point of control. With these tools you avoid manual work such as maintaining GPOs, and you can verify that all of your machines are hardened.
- Maintain your compliance posture and monitor your machines in real time. Hardening automation tools monitor your compliance posture, alert on and correct any unauthorized configuration changes, and so prevent configuration drift.
Such automation tools learn dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool also helps you orchestrate the implementation and monitoring process.