Did you know that when you change your NT password, the old one is still active and can be used to authenticate to Active Directory, or even to map a network drive, for the next hour?
NTLM (NT LAN Manager) is a Microsoft authentication protocol used to authenticate clients in various Microsoft network protocol implementations, including Active Directory, Exchange Server services (POP3, IMAP, SMTP), SMB, etc. Windows Server 2003 Service Pack 1 modifies the NTLM network authentication behavior so that users can use their old password to access network resources for a definite amount of time after the password is changed. This is also the case for LDAP authentication into Microsoft Active Directory. The period of time for which the old password remains active is configured by editing a registry key on the domain controller; its default value is one hour. This "feature" applies only to network access and to domain user accounts; the domain controller will not allow interactive logon with the old password. This means the old password is still good for mapping a network drive by IP address (when a machine name is used, NTLM is not involved because Kerberos authentication occurs instead), for logging into any application that uses NTLM, for logging into Active Directory through LDAP functions, etc. This behavior is described in article 906305 of the Microsoft Knowledge Base. The article also notes that this behavior causes no security weakness as long as only one user knows both passwords.
Now ask yourself: do you realize that when you change your NT password, the old one is still active? Developers, do you realize that when you write code which authenticates Active Directory users using LDAP functions, the program will accept their old password for up to one hour after the password change? Do system administrators know that a one-time password change is not always enough to protect a user whose password has been compromised? These things are very important to remember.
It can be seen this way: hackers have a one-hour window after stealing a password in which to authenticate to Active Directory and access network resources, even if the attack was noticed and the password was immediately changed. Is one hour a lot of time? According to the Internet Storm Center, the survival time of an unprotected computer varies from a few minutes on up, and it is usually less than one hour!
In light of the described Windows Active Directory behavior, in my opinion it is necessary to emphasize measures that help eliminate any risk related to the password change procedure in general and to this particular option in particular.
1. Users should always be suspicious that their password may have been stolen. Don't give up your password even to your administrators; it is easy to become a victim of social engineering techniques. Even a quick password change will not stop a lucky hacker from using the password he/she just got from you. In this case, change your password twice!
2. System administrators should configure domain controller settings to minimize the lifetime of old passwords; it should not exceed the time needed for the password change to propagate. To do this, on your domain controller create the following registry value of DWORD type:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
Set it to the period of time in minutes. Note that no reboot is required for the setting to take effect.
3. Developers should know that when NTLM authentication is used, even indirectly through LDAP functions, the behavior described above will still be in place. In its default configuration your program will accept both the new and the old password for an hour after the password change. According to Microsoft, this is not a bug but "by design" behavior.
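As an added example (not from the original article or Microsoft), here is a PowerShell script that audits the OldPasswordAllowedPeriod value from recommendation 2 on every domain controller and lowers it where it exceeds a site limit. The 5-minute limit, the ActiveDirectory module, PowerShell remoting to the DCs and Domain Admin rights are assumptions.

```powershell
# Added example, not the article's own code. Assumes the ActiveDirectory module,
# PowerShell remoting to each DC, and Domain Admin rights.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'
$Default   = 60   # minutes: the window Windows uses when the value is absent (KB 906305)
$MaxWanted = 5    # minutes: assumed site limit, covering password change propagation

# Every writable DC must agree, since any of them may validate the NTLM logon.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name, $default)
    # A missing value means the default window is in force, so report it as such.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC         = $env:COMPUTERNAME
        Configured = ($null -ne $item)
        Minutes    = if ($null -ne $item) { [int]$item.$name } else { $default }
    }
} -ArgumentList $RegPath, $ValueName, $Default

$report | Sort-Object DC | Format-Table DC, Configured, Minutes -AutoSize

# Tighten any DC whose old-password window exceeds the limit. No reboot is
# needed; the new value applies to subsequent password changes.
$tooLong = @($report | Where-Object { $_.Minutes -gt $MaxWanted })
if ($tooLong.Count -gt 0) {
    Invoke-Command -ComputerName $tooLong.DC -ScriptBlock {
        param($path, $name, $minutes)
        New-ItemProperty -Path $path -Name $name -Value $minutes `
            -PropertyType DWord -Force | Out-Null
        "$env:COMPUTERNAME: $name set to $minutes minute(s)"
    } -ArgumentList $RegPath, $ValueName, $MaxWanted
}
```

Run the audit part alone first; a DC that reports Configured = False is relying on the one-hour default the article describes.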
Special thanks to Roman Popko and Kiril Schechter who discovered this issue in the CA SSO (Single Sign-On) project.
Before he joined CA Israel in 2000, Eugene was a network and system manager for the Electrical Engineering Department at Technion - Israel Institute of Technology.
At CA he has taken on the responsibility for supporting the CA eTrust Intrusion Detection and Host Intrusion Prevention System products as a network security expert.
Eugene holds a M.Sc. in Computer Engineering from Lviv Polytechnic National University (Ukraine), and he is GREM certified.