
Managing Local Administrator Passwords with LAPS

2015 PENN STATE SECURITY CONFERENCE

DAN BARR – [email protected]

SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY

10/14/2015 PENN STATE SECURITY CONFERENCE

The Shared Password Threat

Shared passwords are one vector used in Pass-the-Hash attacks

It only takes one compromised client to effectively compromise every system using the same local Administrator password

Makes lateral movement within a “trusted” network trivial

Even if the clear text password isn’t compromised, you’re still in big trouble

So, how do we manage passwords on a large number of systems?

◦ And rotate them often?

◦ And control who can access them?

◦ Without spending a small fortune on additional complex infrastructure or products?


What is Pass-the-Hash (PtH)? (The short, short version)

Credential replay attack

Attacker does not need the cleartext password!

Hashes can be harvested from:

◦ Memory (lsass.exe process)

◦ Local SAM database (local accounts and cached AD credentials)

◦ NTLM traffic sniffing (but requires brute-force since hash is encrypted over the wire)

NTLM and Kerberos (via ticket replay/forwarding) are both vulnerable

[Diagram: Attacker → Compromised Client → Admin Client → Clients, Servers, Databases]


More on PtH

For more in-depth information and a demo of Pass-the-Hash:

Security Features of OneForest Active Directory Deployment

Keith Brautigam & Jake DeSantis

Thursday at 2:50pm


What is LAPS?

•Local Administrator Password Solution

•Free tool made public by Microsoft in May 2015

•Formerly only available to MS Premier Support agreement holders

•Securely manages unique, random local Administrator passwords on managed systems

•Completely implemented using AD & Group Policy, no additional infrastructure needed

•Developed due to frequency of shared admin passwords used as a primary attack vector in customer security incidents handled by Microsoft

•Does NOT eliminate PtH, just reduces the impact


How does it work?

•Schema extension adds two attributes to Computer objects:

• ms-Mcs-AdmPwd: Confidential, RODC Filtered

• ms-Mcs-AdmPwdExpirationTime

•Client-side GPO extension (DLL) installed via MSI

•Managed via simple GUI, PowerShell, or native AD management tools

[Diagram: Active Directory and the Group Policy Framework in the centre; AdmPwd.dll (client-side extension) on managed systems; LAPS UI, PowerShell and Group Policy Editor as management tools; AD Computer Account carrying ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime]


LAPS Features & Requirements

FEATURES

•Passwords stored centrally in AD

•Optional audit/debug logging to client’s Security Event Log

•Define password parameters: length, complexity, age

•Force a password reset

•GUI, PowerShell, or native AD tools for management

REQUIREMENTS

AD: At least Server 2003 SP1

Officially supported clients:

◦ Vista with current SP & above

◦ Server 2003 SP2 & above

Unofficially works on XP


LAPS Process

GP Refresh

Check expiration timestamp in AD attribute

If expired, generate new password based on configured rules

Store new password in AD attribute and update expiration timestamp

If successful, update local account PW

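Because the client only rotates the password when the expiration timestamp in AD has passed, a stale or missing ms-Mcs-AdmPwdExpirationTime is the simplest sign that a machine is not being managed. The script below is an added example (not from the presentation or from LAPS itself) that reports such machines for one OU; it reads only the expiration attribute, never the password, so it needs no password-read permission. The OU distinguished name is a placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: find computers whose LAPS password is overdue for rotation or never set.
# Assumes the ActiveDirectory RSAT module; replace the OU DN with your own.
Import-Module ActiveDirectory

function Get-LapsExpiryReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder OU, e.g. 'OU=Workstations,DC=example,DC=com'
        [int] $GraceHours = 24                         # tolerate GP refresh lag before calling a host overdue
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # Attribute empty: the client-side extension has never written a password here
            $expires = $null; $state = 'NotManaged'
        } else {
            # LAPS stores the expiration as a 64-bit Windows FILETIME (100 ns ticks since 1601 UTC)
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $state = if ($expires.AddHours($GraceHours) -lt $now) { 'Overdue' } else { 'OK' }
        }
        [pscustomobject]@{ Name = $_.Name; ExpiresUtc = $expires; State = $state }
    }
}

# Usage: show only the hosts that need attention
Get-LapsExpiryReport -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object State -ne 'OK' | Sort-Object State, Name | Format-Table -AutoSize
```

An "Overdue" host usually means the GPO is not applying or the SELF write permission on the attribute is missing; "NotManaged" means the client-side extension has not run there at all.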

LAPS Security Considerations

Kerberos encryption used in transit

Use AD object access auditing to track password retrievals

Currently only handles one account per client

◦ Does not have to be built-in Administrator

Password is stored in clear text

◦ Encryption at rest would require key exchange (symmetric) or PKI (asymmetric)

◦ ACLs adequately protect

◦ Maintains the solution’s simplicity

◦ Compromised AD means game over anyway

AD attribute is marked confidential, need one of the following permissions to read it:

◦ “Full Control” on computer object, OR

◦ “All Extended Rights” on computer object, OR

◦ “Control Access” on ms-Mcs-AdmPwd attribute

Not replicated to RODCs

Not exposed in audit logging

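Once Set-AdmPwdAuditing has placed a SACL on the computer objects, every read of ms-Mcs-AdmPwd is recorded on the serving domain controller as Security event 4662, whose Properties field lists the schema GUID of each attribute accessed. The script below is an added example (not from the presentation or from LAPS) that turns those events into a list of who read which machine's password; it assumes the RSAT ActiveDirectory module and rights to read the DC's Security log.

```powershell
# Added example: on a domain controller, report reads of ms-Mcs-AdmPwd from event 4662.
# Assumes Set-AdmPwdAuditing has already been applied and the ActiveDirectory module is present.
Import-Module ActiveDirectory

function Get-LapsPasswordReads {
    param([int] $Hours = 24)

    # Look the attribute's schema GUID up rather than hard-coding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
                -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd not in schema; run Update-AdmPwdADSchema first' }
    $guid = ([guid]$attr.schemaIDGUID).Guid

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($guid) } |   # cheap pre-filter on the text
    ForEach-Object {
        # Read the structured EventData fields instead of scraping the message text
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # The GUID must appear in the accessed-properties list, not just somewhere in the message
        if ($d.Properties -notmatch [regex]::Escape($guid)) { return }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Reader   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object   = $d.ObjectName          # DN of the computer whose password was read
            Accesses = ($d.AccessList -replace '\s+', ' ').Trim()
        }
    }
}

# Usage: reads in the last day, newest first
Get-LapsPasswordReads -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Each DC logs only the reads it served, so run this on every DC (or forward the Security logs centrally) to get the full picture; a reader outside the groups granted Set-AdmPwdReadPasswordPermission is worth following up.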

Group Policy Settings


LAPS UI


PowerShell

Module “AdmPwd.PS”

Cmdlets:

◦ Find-AdmPwdExtendedRights

◦ Get-AdmPwdPassword

◦ Reset-AdmPwdPassword

◦ Set-AdmPwdAuditing

◦ Set-AdmPwdComputerSelfPermission

◦ Set-AdmPwdReadPasswordPermission

◦ Set-AdmPwdResetPasswordPermission

◦ Update-AdmPwdADSchema


Typical Deployment Workflow

Extend AD Schema

Review/Revoke Extended Rights

Add Machine Rights (SELF)

Add User Rights and Auditing

Apply Group Policy Settings

Deploy Client Side Extension


Deployment Workflow - PowerShell

Extend AD Schema

◦ Update-AdmPwdADSchema

Audit/remove undesired extended rights

◦ Find-AdmPwdExtendedRights -Identity <OU Name> | Format-Table

Add Machine rights (SELF permission to update new attributes)

◦ Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name>

Add User rights to read PW or force reset

◦ Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>

◦ Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>

Enable access auditing

◦ Set-AdmPwdAuditing -OrgUnit <OU Name> -AuditedPrincipals <users/groups/Everyone>

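The step that is easiest to skip is the extended-rights review: any principal holding "All Extended Rights" on the OU can read ms-Mcs-AdmPwd regardless of what Set-AdmPwdReadPasswordPermission grants later. The script below is an added example (not from the presentation or from LAPS) that runs the workflow above for one OU but refuses to grant anything until unexpected right holders are gone. The OU DN, group names and the expected-holders list are placeholders; the ObjectDN and ExtendedRightHolders property names follow the output format of Find-AdmPwdExtendedRights.

```powershell
# Added example: deploy LAPS permissions for one OU, gated on an extended-rights review.
# Placeholders: OU DN, group names and $ExpectedRightHolders. Run Update-AdmPwdADSchema
# once beforehand as a Schema Admin; it is not repeated here.
Import-Module AdmPwd.PS

$OU                   = 'OU=Workstations,DC=example,DC=com'
$PasswordReaders      = 'EXAMPLE\LAPS-Readers'
$PasswordResetters    = 'EXAMPLE\LAPS-Resetters'
# Principals that may legitimately keep "All Extended Rights" on the OU (placeholder list)
$ExpectedRightHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')

function Test-LapsExtendedRights {
    param([string] $OrgUnit, [string[]] $Expected)
    # One row per object; ExtendedRightHolders lists the principals with extended rights on it
    $unexpected = Find-AdmPwdExtendedRights -Identity $OrgUnit |
        ForEach-Object {
            $dn = $_.ObjectDN
            $_.ExtendedRightHolders | Where-Object { $_ -notin $Expected } |
                ForEach-Object { [pscustomobject]@{ ObjectDN = $dn; Holder = $_ } }
        }
    return @($unexpected)
}

$leaks = Test-LapsExtendedRights -OrgUnit $OU -Expected $ExpectedRightHolders
if ($leaks.Count -gt 0) {
    $leaks | Format-Table -AutoSize
    throw 'Remove the extended rights listed above (ADUC or dsacls) before granting LAPS access.'
}

# Machines need SELF write access to the two new attributes to rotate their own password
Set-AdmPwdComputerSelfPermission -OrgUnit $OU
# Keep the human read/reset groups as narrow as possible
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $PasswordReaders
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $PasswordResetters
# Audit every read of the password attribute (surfaces as event 4662 on the DC)
Set-AdmPwdAuditing -OrgUnit $OU -AuditedPrincipals 'Everyone'

# Confirm the result: re-run the review, which should now return no unexpected holders
Test-LapsExtendedRights -OrgUnit $OU -Expected ($ExpectedRightHolders + $PasswordReaders + $PasswordResetters)
```

Apply the Group Policy settings and deploy the client-side extension only after this script completes, so that no machine writes a password into an attribute that over-privileged principals could still read.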

Other PtH Mitigations

Upgrade clients – lots of kernel-level hardening in newer (Win8+) versions.

Limit client-to-client communications

Disable caching of AD credentials where possible

Limit use/scope of privileged accounts – least user access

◦ Use hardened administrative stations & “jump” servers

◦ Offers fewer chances to harvest a privileged hash

Limit debug privileges (often used to access memory of protected processes)


THANK YOU!

Dan Barr – [email protected]

Reminder: Security of OneForest AD Deployment, 2:30pm tomorrow

Keith Brautigam & Jake DeSantis, ITS Identity Services
