
Monday, March 8, 2010

Recovering from a Kerberos Token Bloat Attack

Last week, as announced in this post, we had our first IT Pro Chalk-Talk session, organized by the Pro-Exchange, IT-Talks and winsec.be Microsoft community groups.

One of the questions asked was around token sizes: how large a token can become, how many groups can be accommodated in a Kerberos ticket, and the registry key required to set the maximum token size. All this is fairly well documented on Microsoft's TechNet website.

Also relatively well-known is the tokensz utility that can be used to troubleshoot Kerberos token size related problems.

Less known is what is called a "Token Bloat Attack". A Token Bloat Attack is a kind of Denial of Service attack against your Active Directory service. It happens when all users (including the default Administrator) are members of more groups than the Kerberos ticket can accommodate (which is 1015, give or take a few depending on e.g. the FQDN of your Windows domain). When a user is a member of more than this number of groups, Active Directory will refuse to let him log on because not all group memberships can be evaluated, including memberships that would deny access to certain resources.

When this happens, the question arises how to recover from this situation. One might think that restoring the AD from backup would work. However, this is usually not the case: usually, extra groups were created to execute the attack. After a restore (and after AD replication), these groups would still be present and users would still be members of these groups.

So, how to recover if you can't restore AD? Fortunately, Microsoft left a simple way to recover: you simply need to restart a DC in the domain using the Safe Boot option (not the Directory Services Restore Mode!). In Safe Mode, AD is loaded and the default Administrator can log on (even if the account is a member of too many groups or when the account is disabled)! Of course, after logging on, the Administrator can remove the offending groups in the regular way (using Active Directory Users & Computers or any other way), and life is well ...
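
A check that can be run before such a lockout happens, as an added example (not from the original post): it counts the group SIDs in each enabled user's `tokenGroups` attribute and flags accounts approaching the 1015 limit quoted above. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the warning threshold of 900 and the function name `Get-TokenGroupCount` are choices made for this example.

```powershell
# Added example: flag accounts whose group count approaches the Kerberos limit.
Import-Module ActiveDirectory

$HardLimit     = 1015   # limit quoted in the post ("give or take a few")
$WarnThreshold = 900    # assumption: arbitrary early-warning margin for this example

function Get-TokenGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # tokenGroups is a constructed attribute: it is only returned by a
    # base-scope search on the object itself. It lists the SIDs of all groups
    # the account belongs to, including nested membership, so the count
    # approximates the number of groups carried in the ticket.
    $query = @{
        SearchBase  = $DistinguishedName
        SearchScope = 'Base'
        LDAPFilter  = '(objectClass=*)'
        Properties  = 'tokenGroups'
    }
    $obj = Get-ADObject @query
    return @($obj.tokenGroups).Count
}

# The built-in Administrator (RID 500) is the recovery account, so include it
# even when it is disabled, then add every enabled user.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500"
$users        = @($builtinAdmin) + @(Get-ADUser -Filter 'Enabled -eq $true')

$report = foreach ($u in ($users | Sort-Object DistinguishedName -Unique)) {
    $count  = Get-TokenGroupCount -DistinguishedName $u.DistinguishedName
    $status = 'ok'
    if ($count -ge $WarnThreshold) { $status = 'WARN' }
    if ($count -ge $HardLimit)     { $status = 'OVER LIMIT' }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        GroupSids      = $count
        Status         = $status
    }
}

# Show only the accounts that need attention, worst first.
$report | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object GroupSids -Descending |
    Format-Table -AutoSize
```

The script issues one directory query per user, so in a large domain it is better scheduled off-hours or restricted to privileged accounts.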
