Hello, welcome to the Wednesday, July 21st, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Sometimes vulnerabilities are so simple that you kind of wonder why nobody came across them earlier.

Well, maybe someone saw it, but didn't speak up.

The problem here is what has been referred to as the summer of Sam Warnaby.

Sam and System Hives are typically only readable by the administrator in Windows, but starting with Windows 10, 1809, which was the

2018 version of Windows 10, these registry hives became readable by any user. Now, you

couldn't read them directly. There was still some additional security here that prevented reading them directly, but

the volume shadow copy of these hypes that was readable by any user, and that's sort of how

an attacker could gain access to these registry hives, which means an attacker will have access to

hashed passwords, which then, of course, could easily be brute-forced.

Volume shadow copy, well, it's a great feature. It sort of automatically creates backups.

That's basically what the problem is here, and it's enabled automatically if your system

disk is greater than 120 gigabytes, which is pretty much any modern system.

Probably the simplest fix here is to disable the volume shadow copy service, which will prevent

these copies from being created. Of course, you have to delete

existing copies. Be aware that this, of course, removes that safety layer from your systems.

You better trust your other backups that they will be sufficiently granular, but if you mess up

a configuration, you could easily undo this.

And server versions of Windows do not appear to be affected by this problem at all.

At this point, I haven't seen anything official from Microsoft regarding this problem,

...