May 4-8, 2015, Chicago, IL
Barbarians Inside the Gates: Protecting against Credential Theft and Pass the Hash Today
Mark Simos, Architect - Cyber, Security + Identity
Aaron Margosis, Principal Consultant, Microsoft
Agenda
Threat Environment and attack demo
Key Guidance and New Technology
Strategies and Immediate priorities
Local Administrator Password Solution (LAPS)
Final Thoughts
PREVENT BREACH + ASSUME BREACH
Cybersecurity used to mean building a bigger moat and a bigger wall.
Today's computing environment extends far beyond our four walls.
Typical Attack Timeline & Observations
[Timeline: First Host Compromised -> Domain Admin Compromised (24-48 Hours) -> Attack Discovered]
Windows Hello: easy-to-use biometrics to unlock credential access
Device Guard
Isolated User Mode (IUM): move LSASS secrets into a Virtual Secure Mode (VSM) OS instance running on the hypervisor
High Level Architecture
Move clear secrets to an IUM oracle that answers questions but does not divulge secrets
[Diagram: LSASS (NTLM support, Kerberos support) holds no clear secrets; LSAIso in IUM holds the clear NTLM and Kerberos secrets; both run above the hypervisor alongside device boot, persistent state and drivers]
Possible Attacks
Credential theft/abuse still possible:
Keystroke logging for passwords/PINs
Same credentials stored in the DC database (symmetric key protocols)
Impersonation attacks possible (malware installed on the box)
Firmware/UEFI, IUM, hardware:
Any (unpatched) vulnerabilities in these components can break the security promises
Susceptible to side-channel and brute-force attacks
Strategies and Immediate Priorities
Privilege Escalation Mitigation Strategy
[Diagram: Tier 0, Tier 1 and Tier 2; at each tier the exposure paths are Credential Theft, Application Agents and Service Accounts; arrows show 1. Privilege escalation upward from Tier 1 toward Tier 0 and 2. Lateral traversal across Tier 2]
NIST Cybersecurity Framework
How do I do it?
Pass the hash v1 - www.microsoft.com/pth
Azure management - http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
2. Random Local Account Passwords
Why bother?
Mitigate lateral traversal that relies on identical local admin passwords
Local account NT hashes are always available to steal by local admins
How do I do it?
LAPS tool (details later in presentation)
3. RDP /RestrictedAdmin Mode
Why bother?
Mitigate lateral traversal with domain-based accounts (server admin, helpdesk admin)
How do I do it?
Configure GPO on admin workstations (or MSTSC /RestrictedAdmin)
Available on Windows 7 and later
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Integrate People, Process, and Technology
Administrative Forest
Domain and Forest Administration
Local Administrator Password Solution (LAPS)
Local Administrator Password Solution (LAPS)
Different random password on each computer
Each computer manages its own account password
No central password generator
Free!
Distribution and support like EMET
Updating the password
Group Policy Client Side Extension (CSE)
Runs whenever Group Policy refreshes
Determines whether it is time to change the password
Install: LAPS.x64.msi or LAPS.x86.msi
Configure: Group Policy
Retrieving a password: WinForms client
Retrieving a password: PowerShell cmdlet
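As an added PowerShell example (not from the slides) of the LAPS deployment and retrieval steps above, using the AdmPwd.PS module that ships with the LAPS download; the OU, group and computer names are placeholders for your own environment:

```powershell
# Added example, not part of the presentation. Cmdlets come from the AdmPwd.PS
# module installed by LAPS.x64.msi / LAPS.x86.msi (management tools option).
Import-Module AdmPwd.PS

$workstationOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpdeskGroup = 'CORP\Helpdesk-Tier2'                   # placeholder group
$computer      = 'WS-0001'                               # placeholder computer

# One-time, per forest (Schema Admins): add ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiration time
# (SELF gets write access to the two attributes). This is what makes
# "each computer manages its own account password, no central generator" work.
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationOU

# Delegate read of the password and the right to force a reset to the helpdesk.
Set-AdmPwdReadPasswordPermission  -OrgUnit $workstationOU -AllowedPrincipals $helpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $workstationOU -AllowedPrincipals $helpdeskGroup

# Audit before relying on LAPS: any principal holding "All extended rights" on
# the OU (often a legacy delegation) can also read ms-Mcs-AdmPwd.
Find-AdmPwdExtendedRights -Identity $workstationOU |
    Select-Object ObjectDN, ExtendedRightHolders

# Retrieve the current password for one machine (what the WinForms client does).
$entry = Get-AdmPwdPassword -ComputerName $computer
'{0}: {1} (expires {2})' -f $entry.ComputerName, $entry.Password, $entry.ExpirationTimestamp

# Once the helpdesk has used the password, expire it so the Group Policy CSE
# generates a new one at the next refresh instead of waiting for the normal age.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)
```

Run the schema and permission steps from a Tier 0 admin workstation; the retrieval and reset steps are what a delegated helpdesk account would run day to day.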
LAPS links
Security advisory: https://technet.microsoft.com/en-us/library/security/3062591
KB: https://support.microsoft.com/en-us/kb/3062591
Download: http://www.microsoft.com/en-us/download/details.aspx?id=46899
Blog: http://blogs.msdn.com/b/laps/
Demo: LAPS
Before you log in with domain admin again
1. Implement Mitigations Now!
A. Admin Workstations & Logon Restrictions
B. LAPS for Random Local Account Passwords
C. RDP /RestrictedAdmin Mode
NIST Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
[Diagram: a single identity spanning Microsoft's cloud (Apps in Azure, VMs in Azure as Infrastructure as a Service, Federation and Azure Identity, all under tenant responsibility), the private cloud (Active Directory Management) and on-premises infrastructure (fabric and identity)]
Key Lesson Learned on Tier 0 assurance
Good recommended practices + cleanup:
Admin desktops/forest, PAM with dynamic/tracked privileges
Remediate and harden current Tier 0 host OSes, GPOs, and AD data to security standards