February 28, 2006

Attack #5: DoS Attack Based on the MaxTokenSize Property

Main article: Deflect AD Attacks


Microsoft extended the base Kerberos protocol so that an authentication ticket can also carry authorization data. Both the Ticket Granting Ticket (TGT) and the service tickets that a Windows KDC issues contain a structure called the Privilege Attribute Certificate (PAC) in the ticket's authorization-data field. The PAC transports the user's authorization data, such as group memberships and user rights, inside the Kerberos ticket, so the receiving server does not have to look them up separately.

The buffer that Windows allocates for a Kerberos ticket (and for the security token that carries it) has a fixed maximum, which indirectly caps the size of the PAC. Because the PAC lists every group the user belongs to, directly or through nesting, a user who is a member of a large number of groups (roughly 100 or more) can exceed that limit, and then Kerberos authentication and Group Policy processing fail for that account. A user who holds the Active Directory (AD) permission to create groups or to modify group membership can exploit this weakness to mount a Denial of Service (DoS) attack against administrator accounts: adding an administrator account to enough groups, or nesting the groups it already belongs to inside many more, bloats its PAC until the administrator can no longer log on to the network.

Attack #5 Prevention

To prevent this attack, start by being extremely careful when delegating AD administrative permissions for group management. You must also restrict who can change an administrator account's group membership, and that is difficult to achieve with the default permissions in AD: adding a member to a group requires only write access to that group's member attribute, so a delegated administrator needs no rights at all on the user object and can add any user account in the forest to the domain local and universal groups he or she is allowed to manage. One mitigation is to place the Enterprise Admins and Domain Admins accounts in dedicated organizational units (OUs) on which delegated administrators have no read permission, so they cannot enumerate the accounts to target. Treat that as defense in depth: the real control is knowing exactly who holds write access on group membership, keeping that set as small as possible, and auditing changes to it.
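The following script is an added example, not code from the article, that performs the delegation review the paragraph above calls for: it walks every group in the domain and reports each identity, outside an expected administrative set, that holds a right allowing it to change the group's membership. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with read access to the groups' security descriptors; the list of expected identities is an assumption to be adapted to your own delegation model.

```powershell
# Added example, not code from the article: report every group in the domain on which an
# identity outside the expected administrative set can change membership. Needs the
# ActiveDirectory module (RSAT) and read access to the groups' security descriptors.
Import-Module ActiveDirectory

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
# schemaIDGUID of the "member" attribute: an object-specific ACE with this GUID grants
# WriteProperty on membership alone; Guid.Empty means WriteProperty on every attribute.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Identities expected to hold membership rights. Assumption: adjust this to your own
# delegation model and to the localized names of your domain's built-in groups.
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

function Test-Right {
    # True when every bit of $Flag is present in $Rights (GenericAll is a composite flag).
    param([int]$Rights, [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    ($Rights -band [int]$Flag) -eq [int]$Flag
}

function Get-GroupMembershipWriters {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            $r = [int]$ace.ActiveDirectoryRights

            # Membership can be changed by WriteProperty on "member" (or on all attributes),
            # by GenericAll/GenericWrite, or indirectly by WriteDacl/WriteOwner, which let
            # the holder grant itself the rest.
            $writesMember = (Test-Right $r $ADR::WriteProperty) -and
                            ($ace.ObjectType -eq $MemberAttrGuid -or $ace.ObjectType -eq [guid]::Empty)
            $takesOver    = (Test-Right $r $ADR::GenericAll) -or (Test-Right $r $ADR::GenericWrite) -or
                            (Test-Right $r $ADR::WriteDacl)  -or (Test-Right $r $ADR::WriteOwner)
            if (-not ($writesMember -or $takesOver)) { continue }

            [pscustomobject]@{
                Group     = $group.Name
                Scope     = $group.GroupScope
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: each row is a delegated identity that can add any account it can name, including
# an administrator account it has no other rights over, to that group.
Get-GroupMembershipWriters | Sort-Object Principal, Group | Format-Table -AutoSize
```

Rows whose Scope is DomainLocal or Universal deserve the closest look, since those groups accept members from any domain in the forest; a row marked Inherited usually points at an OU-level delegation rather than a right set on the group itself.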

In addition, you can raise the maximum ticket size with the MaxTokenSize registry value (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. The value is documented in the Microsoft article "New resolution for problems that occur when users belong to many groups" at http://support.microsoft.com/?kbid=327825.

The limit is enforced by the Kerberos security package on each computer that handles the ticket, so set MaxTokenSize on every Windows machine from which users log on to the domain with Kerberos, and on the servers they authenticate to. In Win2K, the default MaxTokenSize value is 8,000 bytes. In Win2K SP2 and later and in Windows 2003, the default value is 12,000 bytes. Later revisions of the Microsoft article cap the recommended value at 48,000 bytes (the default from Windows 8 and Windows Server 2012 on), because a larger token, Base64-encoded into an HTTP Authorization header, runs into the header-size limits of web servers.

To reduce the PAC size, Microsoft also implemented a more compact way to store authorization data in the PAC, starting with Win2K SP4 (Windows 2003 uses it too). The new PAC authorization data storage method can be summarized as follows:

  • If a group is a domain local group, a group from another domain, or an entry in the account's SIDHistory, the entire SID of the group (e.g., S-1-5-21-1275210071-789336058-1957994488-3140) is stored in the PAC.
  • If a global or universal group belongs to the same domain as the user, only the Relative Identifier (RID) of the group (e.g., 3140) is stored, because the domain part of the SID is implied by the user's own domain.

Microsoft added a step on both the client and the server side that expands the stored RIDs back into full SIDs during the Windows authorization process. Note that even on platforms that use this compact PAC format, you might still need to raise MaxTokenSize or reduce the number of group memberships for a user.
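The script below is an added example, not code from the article or from Microsoft, covering both the MaxTokenSize setting and the compact PAC storage rules described above. It estimates an account's token size with the formula Microsoft gives in KB 327825 for Win2K SP4 and Windows 2003, TokenSize = 1200 + 40d + 8s, where d counts the groups stored as full SIDs (domain local groups, groups from other domains, SIDHistory entries) and s counts the groups stored as RIDs (global and universal groups from the user's own domain), and compares the estimate with the MaxTokenSize configured on the machine it runs on. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the 80% "near limit" threshold and the Set-MaxTokenSize helper are this example's own choices.

```powershell
# Added example, not code from the article or from Microsoft: estimate a user's Kerberos
# token size with the KB 327825 formula for Win2K SP4 / Windows 2003,
#     TokenSize = 1200 + 40d + 8s
# d = domain local groups + groups from other domains + SIDHistory entries (full SIDs)
# s = global and universal groups from the user's own domain (RID only)
# and compare it with this machine's MaxTokenSize. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    # Configured value, or the 12,000-byte default that applies when the value is absent on
    # Win2K SP2+/Windows 2003 (Windows 8/2012 and later default to 48,000 instead).
    $v = (Get-ItemProperty -Path $ParamKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($v) { [int]$v } else { 12000 }
}

function Set-MaxTokenSize {
    # Writes the REG_DWORD the article describes; run elevated, and on every machine that
    # handles the tickets. 48,000 is the largest value Microsoft recommends.
    param([ValidateRange(12000, 65535)][int]$Bytes = 48000)
    New-ItemProperty -Path $ParamKey -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
}

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    $accountDomainSid = $user.SID.AccountDomainSid

    # tokenGroups is a constructed attribute holding the transitive group expansion (nested
    # groups included), which is what the KDC puts in the PAC. ADSI must be asked to compute
    # it with RefreshCache; the values come back as raw SID bytes.
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache([string[]]@('tokenGroups'))

    $d = @($user.SIDHistory).Count      # every SIDHistory entry travels as a full SID
    $s = 0
    $unresolved = 0
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $group = $null
        try { $group = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction Stop } catch {}
        if ($null -eq $group) {
            # Groups from other domains (and well-known SIDs) do not resolve against the local
            # domain; both are stored as full SIDs anyway, so count them under d.
            $d++; $unresolved++; continue
        }
        $ownDomain = ($sid.AccountDomainSid -eq $accountDomainSid)
        if ($group.GroupScope -eq 'DomainLocal' -or -not $ownDomain) { $d++ } else { $s++ }
    }

    $estimate = 1200 + 40 * $d + 8 * $s
    $max = Get-MaxTokenSize
    if ($estimate -ge $max)           { $status = 'EXCEEDS' }
    elseif ($estimate -ge 0.8 * $max) { $status = 'NEAR LIMIT' }   # assumption: 80% warning line
    else                              { $status = 'OK' }

    [pscustomobject]@{
        User          = $user.SamAccountName
        FullSidGroups = $d
        RidOnlyGroups = $s
        Unresolved    = $unresolved
        EstimatedSize = $estimate
        MaxTokenSize  = $max
        Status        = $status
    }
}

# Usage: check the accounts an attacker would target first. Run it again after a membership
# change on one of them to watch the estimate move toward MaxTokenSize.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-EstimatedTokenSize -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

The estimate is deliberately conservative: groups that cannot be resolved in the local domain are counted at the 40-byte full-SID rate, and a sudden jump in FullSidGroups for an administrator account is exactly the signature of the attack the article describes. Tokensz, covered below, measures the real token rather than estimating it, so use it to confirm before changing MaxTokenSize fleet-wide.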

To avoid wasting space in a Kerberos ticket's PAC field, remove the SIDHistory attribute from your AD accounts once your migration from the NT 4.0 domain to the Windows 2003 or Win2K domain is complete; every SIDHistory entry is carried in the PAC as a full SID. Follow the instructions in the Microsoft article "How To Use Visual Basic Script to Clear SidHistory" at http://support.microsoft.com/?kbid=295758.

Microsoft released the Tokensz tool to troubleshoot problems related to the Kerberos token size. You can download the tool from http://www.microsoft.com/downloads/details.aspx?familyid=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en. The following Tokensz command reports the system's current MaxTokenSize and the size of the token the client obtains for the target server (replace <MachineName> with a server the client can get a service ticket for):

  tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:<MachineName>

You can find more details about how to use Tokensz in the Microsoft white paper "Troubleshooting Kerberos Errors" at http://www.microsoft.com/downloads/details.aspx?familyid=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en.

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2009 Penton Media, Inc., All rights reserved.