
Some organizations will configure their Windows systems to require Smart Cards for all account logins, as part of a two-factor authentication implementation. However, this can easily be bypassed without two-factor authentication under certain conditions.

The bypass requires Administrator credentials (username & password only - Smart Card & PIN not required), and either physical access to the system or access to the system's Remote Registry service.

With physical access to the system, there's much more you could do than simply disabling 2FA enforcement. So this is of fairly little concern. The Remote Registry angle, on the other hand, does seem to be a significant break in the system.

Enforcement of Smart Card login is handled by the following Registry item:

  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Value: scforceoption
  • Settings: 0 for disabled, 1 for enabled.

Remote Registry is commonly used in corporate environments to facilitate centralized monitoring and management services. However, access to the Remote Registry service only requires single-factor authentication with a username and password. Given:

  • Remote Registry is enabled on the target computer.
  • Nothing between the local computer and the target is blocking Remote Registry.
  • You're logged in locally with an account on the same domain, which has Administrator rights on the target computer.

The following command will easily allow you to disable Smart Card enforcement on a remote target, without having to use a Smart Card to authenticate to it:

reg add \\[TargetHostName]\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v scforceoption /t REG_DWORD /d 0

With some clever use of runas, you don't even have to be logged in locally with the Administrator account or use a system on the same domain. So long as you have the username and password, and can hit the Remote Registry service, a remote bypass of 2FA policy without using 2FA is possible.

While this is by far not the most critical vulnerability in the world, it does seem to be a weakness in Windows' two-factor authentication policy. Are there configuration options that can be used to compensate for this - e.g.: turn on 2FA for Remote Registry - without actually having to disable Remote Registry?
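A defender-side check for the condition described in the question, added here as an example (it is not code from the original post): it reads `scforceoption` on each listed host through the same Remote Registry path and reports whether the Remote Registry service is running. It assumes Windows PowerShell 5.1 (where `Get-Service -ComputerName` still exists), Administrator rights on the targets, and the host names are constructed placeholders.

```powershell
# Audit Smart Card logon enforcement and Remote Registry exposure on a set of hosts.
# Added example, not from the original post. Host names are constructed placeholders.
$targets = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')
$keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SmartCardEnforcement {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Service state first: the SCM query uses RPC, not the Remote Registry service itself.
    $serviceState = try {
        (Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop).Status
    } catch { 'unknown' }

    # Read the value through Remote Registry; this is the exact access path the question describes.
    $value = $null
    $readError = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $base.OpenSubKey($keyPath)
        if ($key) {
            $value = $key.GetValue('scforceoption', $null)   # 1 = enforced, 0 or missing = not enforced
            $key.Close()
        }
        $base.Close()
    } catch {
        $readError = $_.Exception.Message
    }

    $finding = if ($readError) { "read failed: $readError" }
               elseif ($value -eq 1) { 'OK: smart card logon enforced' }
               else { 'FINDING: smart card logon NOT enforced' }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        SmartCardForce = $value
        RemoteRegistry = $serviceState
        Finding        = $finding
    }
}

$targets | ForEach-Object { Get-SmartCardEnforcement -ComputerName $_ } | Format-Table -AutoSize
```

Running this on a schedule turns an unexpected `0` into an alert; pairing it with an audit SACL on that key makes each modification show up as Security event 4657 (a registry value was modified) on the target.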

  • ephams.com/2013/08/09/…
    – AviD
    Commented Dec 11, 2014 at 22:00
  • There's no such thing as smart card authentication across the network due to the second fundamental security principle. What did you expect?
    – Joshua
    Commented Jul 26, 2018 at 3:11

1 Answer


It is by Kerberos design: it verifies the Smart Card on initial logon only for interactive logons. Remote Registry is not an interactive logon.

Yes, there are third-party solutions to enable strong 2FA control at a low level (DC-level LSA) by using Subauthentication-package LSA plugins: Authlite (hacks LSA on the fly) and Rohos Logon.
