Windows passwords salting

P Mowleeswaran 20 Reputation points
2024-06-24T13:53:38.19+00:00

Dear Team,

I would like to know whether the windows passwords are slated or not and how windows machines (client or server) stores the passwords in the database and where it is stored (work group computers and domain joined computers).

Regards,

Mowlee

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,716 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,228 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,851 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ganeshkumar R 665 Reputation points
    2024-06-24T14:35:38.41+00:00

    Windows operating systems use a combination of hashing and salting techniques to securely store passwords. Here's a detailed overview of how Windows handles password storage, both for local accounts on workgroup computers and domain accounts on domain-joined computers.

    1. Local Accounts on Workgroup Computers

    Hashing and Salting:

    • Windows uses a secure hashing algorithm to hash passwords. As of Windows Vista and later, the NTLM (NT LAN Manager) hash is used.
    • NTLM hashes are unsalted by default, which means the same password will always produce the same hash. This can make them vulnerable to precomputed attacks (like rainbow tables), but Windows mitigates this with additional security measures like account lockout policies and password complexity requirements.

    Storage Location:

    • Password hashes for local accounts are stored in the Security Account Manager (SAM) database.
    • The SAM database is located in the Windows directory at C:\Windows\System32\config\SAM.
    • The SAM file is protected by the operating system and cannot be accessed while Windows is running. It is also encrypted to prevent unauthorized access.

    2. Domain Accounts on Domain-Joined Computers

    Hashing and Salting:

    • For domain accounts, Windows uses the Kerberos protocol for authentication, which relies on a combination of NTLM hashes and Kerberos tickets.
    • The NTLM hashes are used as part of the Kerberos authentication process, but they are not directly used for authentication in most cases.
    • Domain passwords are hashed using the same NTLM algorithm and stored in the Active Directory database.
    • Active Directory can use additional encryption and hashing mechanisms, including salting, depending on the configured policies and the version of Windows Server.

    Storage Location:

    • Password hashes for domain accounts are stored in the Active Directory database, which is hosted on the Domain Controllers (DCs).
    • The Active Directory database is stored in the NTDS.dit file, typically located at C:\Windows\NTDS\NTDS.dit on the domain controller.
    • The NTDS.dit file is protected by the operating system and includes additional security features, such as encryption and access control.

    Additional Security Measures

    LSA Secrets:

    • Windows also uses Local Security Authority (LSA) secrets to store sensitive information, including cached domain credentials.
    • LSA secrets are stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
    • Access to LSA secrets is tightly controlled by the operating system.

    Credential Guard:

    • Windows 10 and Windows Server 2016 introduced Credential Guard, which uses virtualization-based security to isolate and protect credentials.
    • Credential Guard helps protect against credential theft attacks, such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).

    By understanding these mechanisms, you can better appreciate the security measures Windows implements to protect user passwords and credentials.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.