Windows 10 Security Questions Prove Easy for Attackers to Exploit

Published: 23/11/2024   Category: security




New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.



Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.
In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.
Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.
"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."
Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. "Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access," he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.
"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.
In addition to having answers that can be found on social networks, the security questions are not monitored. "There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.
Unlocking Admins' Answers
Before describing how this approach works, it's important to add context first. In recent years, attackers have not only sought domain access but a means of maintaining a reliable and low profile on the domain. "The process of becoming a domain admin has become much easier," Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he said.
To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.
Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.
"An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses," Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. "The name of your first pet or mother's maiden name, for example, don't change," Baz pointed out.
Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could spray security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.
What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."
The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."
Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.
"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.
Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.
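The article says the questions live as LSA Secrets and that Windows gives admins no out-of-the-box way to see which accounts have them set. The PowerShell script below is an added example, not code from the article or from Illusive Networks' tool: it lists which enabled local accounts have security questions configured (presence only; it never reads or decodes the secret) and optionally applies the Group Policy that disables question-based password reset. Three things are assumptions rather than facts stated on the page: that each account's questions are stored under an LSA Secret named "L$_SQSA_<SID>" beneath HKLM\SECURITY\Policy\Secrets; that the script runs as SYSTEM, since HKLM\SECURITY is not readable by ordinary administrators; and that the "Prevent the use of security questions for local accounts" policy is backed by the DWORD NoLocalPasswordResetQuestions under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
<#
  Added example, not from the article or from Illusive Networks' tool.
  Audits which enabled local accounts have Windows 10 security questions
  set, and optionally applies the Group Policy that turns the feature off.

  Assumptions (not stated in the article):
   - Each account's questions/answers are an LSA Secret named
     "L$_SQSA_<SID>" under HKLM\SECURITY\Policy\Secrets. Only the key's
     presence is tested; the encrypted secret is never read.
   - HKLM\SECURITY is readable only by SYSTEM, so run this as SYSTEM
     (for example from a scheduled task running as LocalSystem).
   - The "Prevent the use of security questions for local accounts" policy
     is backed by DWORD NoLocalPasswordResetQuestions = 1 under
     HKLM\SOFTWARE\Policies\Microsoft\Windows\System.
#>
[CmdletBinding()]
param(
    [switch]$Enforce   # also set the policy that disables the feature
)

$SecretsKey = 'HKLM:\SECURITY\Policy\Secrets'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'NoLocalPasswordResetQuestions'

function Get-SecurityQuestionStatus {
    # One object per enabled local account, flagged if an SQSA secret exists for its SID.
    if (-not (Test-Path -Path $SecretsKey)) {
        throw "Cannot open $SecretsKey - this must run as SYSTEM."
    }
    $secretNames = @(Get-ChildItem -Path $SecretsKey -ErrorAction Stop | ForEach-Object PSChildName)
    foreach ($user in (Get-LocalUser | Where-Object { $_.Enabled })) {
        [pscustomobject]@{
            Account              = $user.Name
            SID                  = $user.SID.Value
            HasSecurityQuestions = $secretNames -contains ('L$_SQSA_' + $user.SID.Value)
        }
    }
}

function Test-SecurityQuestionPolicy {
    # $true when the disabling policy is already in force.
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.$PolicyName -eq 1)
}

function Set-SecurityQuestionPolicy {
    # Create the policy key if needed and set the DWORD that disables the feature.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

# Report: accounts that still have questions set are the ones to review
# (or to reset to random values, as the researchers recommend).
$status = Get-SecurityQuestionStatus
$status | Format-Table -AutoSize
$withQuestions = @($status | Where-Object { $_.HasSecurityQuestions })
Write-Host ("{0} enabled local account(s) have security questions configured." -f $withQuestions.Count)

if (Test-SecurityQuestionPolicy) {
    Write-Host "Policy already in force: $PolicyName = 1"
} elseif ($Enforce) {
    Set-SecurityQuestionPolicy
    Write-Host "Policy applied: $PolicyName = 1 (question-based local password reset disabled)"
} else {
    Write-Host "Policy not set; re-run with -Enforce to disable the feature."
}
```

Run it on a schedule as SYSTEM and diff the table against the previous run; a new "HasSecurityQuestions = True" row on an account nobody touched is exactly the kind of change the article says Windows will not surface on its own. Checking that answers are unique across machines, the other measure the researchers recommend, would require decoding the secrets, which this script deliberately avoids; disabling the feature through the policy removes the question-based reset path altogether and is the simpler control where the convenience is not needed.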