Stronger Keys for Netlogon Remote Protocol in Windows 7
Background
Netlogon Remote Protocol (MS-NRPC) provides a secure communication between domain members and domain controllers. In the protocol, a client delivers a logon request to the domain controller over an established secure channel between a DC and clients. The secure channel is achieved by encrypting the communication traffic with a session key computed using a secret key (machine password) shared by the client and the domain controller. The algorithm used for encrypting and signing the communication determines the strength of security. In Windows 7/Windows Servers 2008 R2, there are new changes to enhance the security strength.
In this blog, we will examine these changes from the protocol layer as well as windows implementation.
AES encryption and SHA2 hashing
The support for AES encryption and SHA2 hashing is added into Windows 7/Windows 2008 R2. The negotiation for the new capability between client and server is done through the NegotiateFlags parameter in NeteServerAuthenticate2 or NetrServerAuthenticate3. There are two flags related to the session key and Netlogon credential computation.
· NETLOGON_SUPPORTS_AES (0x01000000)
It is only available in Windows7/Windows 2008 R2. It is added for indicating the support of AES Encryption and SHA2 hashing by client and server. By default, the Windows 7 or Windows server 2008 clients start negotiation with this bit turned on. If the server returns STATUS_ACCESS_DENIED, then the client retries negotiation again with weaker key.
· NETLOGON_SUPPORTS_STRONG_KEY (0x00004000)
It has existed since Windows 2000. If this bit is enabled, a 128 bit session key, a so called strong key, is computed using the MD5. By default, all Windows initialize this flag to FALSE.
The logic to determine the key strength based on the negotiate flag is as follows.
If NETLOGON_SUPPORT_AES is turned on, Then
256 bit HMAC-SHA256 session key is computed.
NetLogon credentials are computed using AES encryption
If NETLOGON_SUPPORT_AES is turned off, Then
NetLogon credentials are computed using DES encryption
If NETLOGON_SUPPORT_STRONG_KEY is on
128 bit MD5 session key is computed
If NETLOGON_SUPPORT_STRONG_KEY is off
64 bit session key is computed using DES encryption algorithm with ECB mode.
By adding support for AES encryption and SHA hashing, Netlogon significantly increase the security strength.
Setting RejectMD5Servers
This Netlogon client setting is only available in Windows 7/Windows 2008 R2. If this flag is turned on, the client will have to reject any server that doesn’t have NETLOGON_SUPPORTS_AES enabled in the returned NegotiatedFlag parameter from the server, and the client will not retry the secure channel establishment with MD5.
This setting is not negotiated between the client and server, instead , it is read from the following registry key:
SYSTEM\\CurrentControlSet\\Services\\Netlogon\RejectMd5Servers
Default Value: FALSE
Setting RejectMD5Clients
This Netlogon server setting is only available in Windows 7/Windows 2008 R2. This flag indicates whether the server MUST reject incoming clients that are using MD5 encryption. This setting is not negotiated between client and server, instead , it is read from the following registry key:
SYSTEM\\CurrentControlSet\\Services\\Netlogon\RejectMd5Clients
Default Value: FALSE
Reference
[MS-RPC] https://msdn.microsoft.com/en-us/library/cc237008(PROT.10).aspx