Securing Your Data in an Open World

Developing a Secure Active Directory

INTRODUCTION

Agenda

Risks

Mitigations

Validation and Auditing

Tips from the Field

PASS THE HASH

Convenience of SSO at cost of additional risk.

What makes a “hash” in this context?

h = 𝑓(𝑥)

Predates Windows NT 3.1 but still very much applicable today.

A stolen hash creates the potential for impersonation.

A stolen hash inherits any authorizations granted to the account.

PASS THE HASHBASIC SCENARIO

Bob logs on to CORP\BOB-E550.

Windows SAM stores his hash in kernel memory.

Alice logs on remotely to BOB-E550.

Alice is a member of BUILTIN\Administrators.

Alice performs a memory dump of BOB-E550 from an elevatedprocess.

Alice exfiltrates the memory dump to her workstation using SMB.

Alice extracts Bob’s hash from the memory dump offline.

PASS THE HASHBASIC LESSONS

Limiting opportunities for untrusted processes to elevate is important.

User Access Control (UAC) is a first line of defense.

What if Bob was a Domain Admin?

If Alice has local admin, do you trust Alice enough to see everything in RAM on that

system.

If we can’t protect a user’s identity, the concept of identity or authentication on our

network is weakened.

PASS THE HASHCROSS-SYSTEM

PC-A and PC-B both have a local user named “helpdeskadmin”

The plaintext password for .\helpdeskadmin is Tr1viAl&triNg.

The equivalent hash for the account is the same on both machines.

A compromise of the hash by a process on PC-A can be used to attack any other

Windows host that has that same username and password combination, even without

knowledge of the plaintext password.

PASS THE HASHCROSS-SYSTEM LESSONS

Again, process elevation creates the opportunity.

Diversification of local user passwords across machines is important.

See MS KB3062591: Local Administrator Password Solution (LAPS)

Bewareprevious solutions; not all similar solutions use secure communications for

storing the local admin password.

Restrict remote logon of local accounts where it isn’t needed.

PASS THE HASHRECENT DEVELOPMENTS

Windows 10/Server 2016 introduces Isolated User Mode.

Store NTLM hashes in a virtualized micro-kernel.

Hypervisor executing the micro-kernel acts as a gatekeeper.

Limited implementation details available.

Concerns of how much protection this really provides.

Ultimately, will need to be audited and tested before we know.

LANMAN and NTLM

For compatibility, AD can still communicate using LM or NTLM.

Both have known and easy to exploit weaknesses.

Allowing older protocols creates opportunity for downgrade attacks.

Similar to SSL/TLS downgrade attacks popular in 2014.

Group Policy can be used to restrict or eliminate use of NTLM.

LMv1 and NTLMv1

Source: SANS Digital Forensicshttp://bit.ly/1JXjuuG

PRIVILEGED GROUPS AND USERSBEST PRACTICES

Disable BUILTIN\Administrator.

Disable network logon for the local administrator account .

Do not perform day-to-day activities as with your admin account.

Do not keep users in Enterprise or Schema Admins.

Do not log on to client systems with privileged network accounts.

Don’t disable password expiration on privileged accounts.

Don’t use Domain Admin as a shortcut for domain-wide needs.

KERBEROS

Provides enhanced authentication architecture and cryptography.

Not a Pass-the-Hash mitigation; see Pass-the-Ticket.

Keeping your entire Windows environment patched is key to maintaining a secure

Kerberos environment.

Vectors exist where Kerberos tickets are forged; See MS14-068.

Kerberos, like any many protocols, requires iteration to improve its security and so

we mustpatch.

Source: SANS Digital Forensicshttp://bit.ly/1JXjuuG

ENTERPRISE CA

Why run an Enterprise CA?

For existing Windows CAs, implications of SHA-1 deprecation.

http://bit.ly/mscasha1to2

A Windows CA is not fire-and-forget; it needs maintenance, too.

ANONYMOUS BINDS & ENUM

Enabled on many domains upgraded from NT/Server 2000.

Anonymous bind off by default in Server 2003 and later for new domains.

Easy intelligence source for hostile actors.

For binds, modify dsHeuristics object in an editor like ADSI.

For enumeration, a Group Policy setting exists.

Can impact pre-2000 clients and domain trust functionality.

Need to understand what relies on anonymous access today.

May not be feasible to disable; part of the hardening process.

MONITORING

When active defense fails, a passive approach can help.

Changes to privileged groups (integrity monitoring).

Invalid attributes in Kerberos requests.

Presence of NTLM authevents Security log.

Statistical anomalies (Fail Audit volume, request volume, lockouts).

Security Information and Event Management products exist for this.

AD / NTFS Auditing is extremely valuable if configured well.

READ-ONLY DCs

Many associate RODCs with branch offices or poor connectivity.

An option for providing LDAP data in potentially hostile or untrusted environments:

Low physical security.

Multi-tenant environments.

Can restrict the replication of password hashes to RODCs.

Why? Offline attacks after physical loss.

By the same token, must physically secure writeable DCs’ disks and their backups.

DATA PROTECTION

Not an active protection, but like any data, a backup is equally critical.

While not exactly a security topic, it is often overlooked.

It’s not enough to snapshot your virtual DCs.

In fact, it’s dangerous if the DC is anything older than 2012 R2.

A Windows System State backup of any DC will back up the AD database.

Several agent-based backup products can capture the system state.

AUDIT AND VALIDATION

All of these measures are helpful, but less meaningful without validation.

Third party firms.

Microsoft Consulting opportunities.

SaaS vulnerability scanning services.

In-house testing (MBSA).

OTHER TIPS

Enforce CTRL+ALT+DEL as the secure keystroke on clients.

Avoid using web browsers on servers.

Inspect software thoroughly before executing on a server.

Don’t disable the Windows Firewall.

Don’t disable UAC on any Windows systems if it can be avoided.

STAY INFORMED

Attend security sessions at conferences (MS Ignite, VMworld, etc).

Engage with an IT security provider where it makes sense for you.

Monitor consistent, well-maintained sources:

US-CERT (us-cert.gov)

SANS ISC (isc.sans.edu) and Threat Level status.

Microsoft Technical Security Notifications (http://bit.ly/mssecnot)

Talk about security within your organizations.

Thank You