
Spark the future.

May 4-8, 2015
Chicago, IL
Barbarians Inside the Gates:
Protecting against Credential Theft and Pass the Hash Today

Mark Simos
Architect - Cyber, Security + Identity

Aaron Margosis
Principal Consultant, Microsoft
Agenda
Threat Environment and attack demo
Key Guidance and New Technology
Strategies and Immediate priorities
Local Administrator Password Solution (LAPS)
Final Thoughts
PREVENT BREACH + ASSUME BREACH
Cybersecurity used to mean building a bigger moat and a bigger wall
Today's computing environment extends far beyond our four walls
Typical Attack Timeline & Observations

Research & Preparation -> First Host Compromised -> (24-48 Hours) -> Domain Admin Compromised -> (11-14 months: Data Exfiltration, Attacker Undetected) -> Attack Discovered

Attack Sophistication
Attack operators exploit any weakness
Target information on any device or service

Target AD & Identities
Active Directory controls access to business assets
Attackers commonly target AD and IT Admins

Attacks not detected
Current detection tools miss most attacks
You may be under attack (or compromised)

Response and Recovery
Response requires advanced expertise and tools
Expensive and challenging to successfully recover
Privilege Escalation with Credential Theft (Typical)
Modern Attack (24-48 Hours)
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)
Demo: Pass the Hash
Exploit same local account password
Key Guidance and New Technologies

Key Guidance Resources
Determined Adversaries and Targeted Attacks
http://www.microsoft.com/en-us/download/details.aspx?id=34793
Security Intelligence Report (SIR)
http://www.microsoft.com/SIR
Credential Theft Portal
www.microsoft.com/PTH
Credential Theft Whitepapers and Resources
Key New Technologies
Microsoft Passport
New Authentication Protocol based on Hardware Bound Keys
Windows Hello
Easy to Use Biometrics to unlock credential access
Privileged Access Management
Just in Time (JIT) privileges
Advanced Threat Analytics
Detect attacks through anomalous authentication patterns

Device Guard
Isolated User Mode (IUM)
Move LSASS secrets into Virtual Secure Mode (VSM) OS Instance

Isolated User Mode (IUM)
Move LSASS function to VSM
Limited function OS
Strict signing - doesn't host device drivers
Provides strong isolation boundary
Building block for all security promises
[Diagram: Isolated User Mode (IUM) hosting LSAIso, alongside the High Level OS (HLOS) hosting LSASS, both running on the Hypervisor]
High Level Architecture
Move clear secrets to IUM oracle
Answers questions, but does not divulge secrets
[Diagram: in Isolated User Mode (IUM), LSAIso holds the clear secrets and provides NTLM support and Kerberos support; in the High Level OS (HLOS), LSASS keeps only IUM secrets for its NTLM and Kerberos components, and the Boot and Persistent device drivers remain in the HLOS; both run on the Hypervisor]
Note: MS-CHAPv2 and NTLMv1 are blocked


Key Aspects of IUM
Benefits
Breaks current credential toolsets and methods
Uses current protocols (avoids most application compatibility / support issues)

Possible Attacks
Credential theft / abuse still possible
Keystroke logging for passwords/PINs
Same credentials stored in DC database (symmetric key protocols)
Impersonation attacks possible (malware installed on box)
Firmware/UEFI, IUM, hardware
Any (unpatched) vulnerabilities in these components can break security promises
Susceptible to side-channel and brute force attacks
Strategies and Immediate priorities

Mitigation Strategy
1. Privilege escalation (from lower tiers toward Tier 0)
2. Lateral traversal (within a tier)

Tier 0 (Privilege Escalation target)
Tier 1: Credential Theft, Application Agents, Service Accounts
Tier 2: Credential Theft, Application Agents, Service Accounts
NIST Cybersecurity Framework
1. Identify high-value assets
2. Protect against known and unknown threats
3. Detect PtH and other related attacks
4. Respond to suspicious activity
5. Recover from breach
Key Preventive Controls - Do these NOW!
1. Admin Workstations & Logon Restrictions
Domain Admins
Server, Application, and Cloud Infrastructure Admins
Workstation Admins

2. Random Local Account Passwords
Workstations
Servers
Specialized Devices (Cash Registers, ATMs, etc.)

3. RDP /RestrictedAdmin Mode
Server and Application Admins
Workstation and Specialized Device Admins
1. Admin Workstations & Logon Restrictions
Why bother?
Mitigate escalation of privilege attacks reliably, sustainably, and in a usable way (including credential theft, impersonation attacks, and other account/privilege abuse)

What does it do?
Ensures admin credentials and privileged sessions aren't available on lower trust machines
Establish known good admin workstations (that work well)
Restrict Admin accounts to log onto only those workstations (and managed resources)

How do I do it?
Pass the hash v1 - www.microsoft.com/pth
Azure management - http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
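One way to enforce the logon restriction above, as an added example that is not the deck's own code: it uses the Authentication Policies and Silos feature (Windows Server 2012 R2 domain functional level, with KDC and client claims support enabled) so that Tier 0 admin accounts can only obtain a TGT from a Tier 0 admin workstation. The silo, policy, workstation and account names are placeholders.

```powershell
# Added example: bind Tier 0 admin accounts to Tier 0 admin workstations with an
# Authentication Policy Silo. The DC then issues TGTs for those accounts only when
# the request comes from a device that is a member of the same silo.
# Assumes Windows Server 2012 R2 DFL with KDC/Kerberos client claims support enabled.
# All names below are placeholders constructed for the example.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'
$policyName = 'Tier0-Policy'
$adminPaw   = 'PAW01'        # placeholder admin workstation (computer account)
$adminUser  = 'adm-alice'    # placeholder Tier 0 admin account

# The "allowed to authenticate from" check is an SDDL conditional ACE: allow only
# when the requesting device's AuthenticationSilo claim equals our silo.
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Policy: device restriction plus a short TGT lifetime for the admin accounts.
New-ADAuthenticationPolicy -Name $policyName `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -UserTGTLifetimeMins 120 -Enforce

# Silo: the policy applies to user, computer and service accounts placed in it.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName -Enforce

# Membership is two-sided: the silo must permit the account, and the account must
# be assigned to the silo. The computer's sAMAccountName ends in '$'.
foreach ($acct in @("$adminPaw`$", $adminUser)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
}
Set-ADComputer -Identity $adminPaw  -AuthenticationPolicySilo $siloName
Set-ADUser     -Identity $adminUser -AuthenticationPolicySilo $siloName

# Protected Users blocks NTLM, DES/RC4 and credential caching for the admin account.
Add-ADGroupMember -Identity 'Protected Users' -Members $adminUser

# Check: confirm the silo is enforced (an audit-only silo logs but does not block)
# and that both accounts are listed as members.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties * |
    Select-Object Name, Enforce, Members
```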
2. Random Local Account Passwords
Why bother?
Mitigate lateral traversal with identical local admin passwords
Local account NT hashes are always available to steal by local admins

What does it do?
Generate random password regularly for each account, store it in AD

How do I do it?
LAPS tool (details later in presentation)
3. RDP /RestrictedAdmin Mode
Why bother?
Mitigate lateral traversal with domain based accounts (server admin, helpdesk admin)

What does it do?
Allow computer management using full RDP session safely
Authenticates with network logon type (that doesn't cache credentials)

How do I do it?
Configure GPO on admin workstations (or MSTSC /RestrictedAdmin)
Available on Windows 7 and later
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
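The Restricted Admin procedure above as an added example (not the deck's or Microsoft's own script): enabling the mode on a server per KB2871997, connecting with it, and checking on the server how the logon was recorded. The server name and admin account are placeholders.

```powershell
# Added example (not from the deck): enable RDP Restricted Admin mode on a server
# (KB2871997), connect to it, and verify how the logon was recorded.
# $server and $adminAccount are placeholders.
$server       = 'APP01.contoso.com'
$adminAccount = 'srvadmin'

# Server side: after KB2871997 the host accepts Restricted Admin connections only
# when DisableRestrictedAdmin under the LSA key is 0 (value absent = not accepted).
Invoke-Command -ComputerName $server -ScriptBlock {
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'DisableRestrictedAdmin' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Client side: ask for a Restricted Admin session. The admin's password and TGT stay
# on the admin workstation, so the server has nothing reusable to cache. The GPO
# "Restrict delegation of credentials to remote servers" (Computer Configuration >
# Administrative Templates > System > Credentials Delegation) makes this the default
# for every mstsc session from the admin workstation.
mstsc.exe /restrictedAdmin /v:$server

# Verify on the server. Read the 4624 data fields by name from the event XML rather
# than by index; on Windows 10 / Server 2016 and later the event also carries a
# RestrictedAdminMode field, which should read "Yes" for this session.
Invoke-Command -ComputerName $server -ArgumentList $adminAccount -ScriptBlock {
    param($user)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
      ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        $f = @{}; foreach ($x in $d) { $f[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            User            = $f['TargetUserName']
            LogonType       = $f['LogonType']
            AuthPackage     = $f['AuthenticationPackageName']
            RestrictedAdmin = $f['RestrictedAdminMode']
            Workstation     = $f['WorkstationName']
        }
      } |
      Where-Object { $_.User -eq $user } |
      Format-Table -AutoSize
}

# Caveat: inside a Restricted Admin session, outbound connections from the server
# run as the server's computer account rather than the admin, so tools that need the
# admin's identity for a second hop will fail.
```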
Integrate People, Process, and Technology
[Diagram of the components, spanning the Administrative Forest and the Production Domain(s): Domain and Forest Administration; Security Alerting; Domain and Forest Hardened Hosts; Domain and DC Hardening and Accounts; OS, App, & Service Hardening; Servers, Apps, and Cloud Services; IT Service Management; Privileged Account Management (PAM); Admin Workstations; Admin Roles & Delegation; User, Workstations, and Devices; Protected Users; Admin Forest Maintenance; PAM Maintenance; Lateral Traversal Mitigations (Admin Process, Technology); Auth Policies and Silos; RDP w/Restricted Admin]
Tier 0 Administration Security
Domain/Enterprise Admins and Equivalent

Best
Administrative Forest (for AD admin roles in current releases)
Isolated User Mode (IUM)
Microsoft Passport and Windows Hello
Detection - Advanced Threat Analytics

Better
Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
Just in Time (JIT) Privileges - Privileged Access Management
Extensive overhaul of IT Process and Privilege Delegation

Good/Minimum
Separate Admin Desktops and associated IT Admin process changes
Separate Admin Accounts
Remove accounts from Tier 0: Service Accounts; Personnel - Only DC Maintenance, Delegation, and Forest Maintenance
Tier 1 Administration Security
Human admins of Servers, Cloud Services, Virtualization, Management Tools, etc. (that aren't Tier 0)

Best
Isolated User Mode (IUM)
Microsoft Passport and Windows Hello
Detection - Advanced Threat Analytics

Better
Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
Just in Time (JIT) Privileges - Privileged Access Management
Extensive overhaul of IT Process and Privilege Delegation

Good/Minimum
Separate Admin Accounts
Separate Admin Desktops
Associated IT Admin process changes
Enforce use of RDP RestrictedAdmin Mode
Local Administrator Password Solution (LAPS) or alternate from PTHv1
Tier 2 Administration Security
Human admins of User Workstations, User Devices, Printers, etc. (Typically helpdesk and PC support)

Best
Isolated User Mode (IUM)
Microsoft Passport and Windows Hello
Detection - Advanced Threat Analytics

Better
Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
Just in Time (JIT) Privileges - Privileged Access Management
Extensive overhaul of IT Process and Privilege Delegation

Good/Minimum
Separate Admin Accounts
Separate Admin Desktops
Associated IT Admin process changes
Enforce use of RDP RestrictedAdmin Mode
Local Administrator Password Solution (LAPS) or alternate from PTHv1
Announcing Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS)
Different random password on each computer
Each computer manages its own account password
No central password generator

Secure storage in Active Directory
Confidential attribute for password
No central database or file server

Group Policy control
Name of local account to manage
How often to change
Length and complexity

Free!
Distribution and support like EMET
Updating password
Group Policy Client Side Extension (CSE)
Runs whenever Group Policy refreshes
Determines whether time to change password
Stores to corresponding Computer AD object
Confidential attribute
Computer account allowed to write to it
Domain Admins can read it
Domain Admins grant access to authorized user(s)/group(s)
Reset command: set expiration time to current
Installation
Client Management: LAPS.x64.msi or LAPS.x86.msi
Configure: Group Policy
Retrieving a password: WinForms client
Retrieving a password: PowerShell cmdlet
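The password update and retrieval flow from the two slides above, as an added example (not the deck's own demo script): it uses the AdmPwd.PS module that ships with the LAPS installer together with the ActiveDirectory module, and reads the expiry attribute directly to show what the CSE checks at each Group Policy refresh. The OU, group and computer names are placeholders.

```powershell
# Added example: LAPS delegation, retrieval, expiry check and forced reset.
# Uses the AdmPwd.PS module from the LAPS installer plus the ActiveDirectory module.
# The OU, group and computer names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou       = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU
$readers  = 'CONTOSO\Helpdesk-LAPS-Readers'       # placeholder authorised group
$computer = 'WS001'                               # placeholder computer

# One-time schema extension: adds ms-Mcs-AdmPwd (confidential) and
# ms-Mcs-AdmPwdExpirationTime to the computer class. Requires Schema Admins.
Update-AdmPwdADSchema

# Let each computer (SELF) write its own password and expiry into its AD object.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Delegate read and reset of the confidential attribute to the authorised group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# Audit: anyone holding "All Extended Rights" on the OU can read the password too,
# so list those holders and remove the ones that should not have it.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders

# Retrieve the current password and its expiry through the cmdlet.
Get-AdmPwdPassword -ComputerName $computer |
    Format-List ComputerName, Password, ExpirationTimestamp

# What the CSE checks: the expiry is a FILETIME stored as a 64-bit integer on the
# computer object. If it is in the past, the next Group Policy refresh rotates the
# password and writes both attributes back.
$obj     = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwdExpirationTime'
$expires = [DateTime]::FromFileTimeUtc([int64]$obj.'ms-Mcs-AdmPwdExpirationTime')
if ($expires -le (Get-Date).ToUniversalTime()) {
    "Password for $computer is due for rotation at the next GP refresh"
}

# Forced reset after a helpdesk use: the command only moves the expiry to now; the
# CSE on the client generates the new password at its next refresh.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)
```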
LAPS links
Security advisory: https://technet.microsoft.com/en-us/library/security/3062591
KB: https://support.microsoft.com/en-us/kb/3062591
Download: http://www.microsoft.com/en-us/download/details.aspx?id=46899
Blog: http://blogs.msdn.com/b/laps/
Demo: LAPS

Before you log in with domain admin again
1. Implement Mitigations Now!
A. Admin Workstations & Logon Restrictions
B. LAPS for Random Local Account Passwords
C. RDP /RestrictedAdmin Mode

2. Revamp your culture and support processes

3. Plan to adopt Windows 10 Features
Protect credentials using LSASS in Virtual Secure Mode (VSM)
Authentication Policies and Silos
Microsoft Passport
Windows Hello

2015 Microsoft Corporation. All rights reserved.
References
Credential Theft Portal
http://www.microsoft.com/PTH
NIST Framework
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Credential Theft Mitigation (CTM) Solutions
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
Update to Improve Credentials Protection and Management
https://technet.microsoft.com/en-us/library/security/2871997.aspx

References 2
Microsoft Security Compliance Manager
http://www.microsoft.com/en-us/download/details.aspx?id=16776
Offline Assessment for Active Directory Security (OAADS)
Contact your Microsoft Premier Technical Account Manager (TAM)
Microsoft Cloud Architecture Sway
http://aka.ms/cloudarchitecture
Microsoft Cloud Security for Enterprise Architects
Visio, pdf
Security in a Cloud Enabled World
Security challenges increasing at all layers
Attacks ultimately target data
Everything else required to secure the data

Security responsibilities shift
Per workload: Cloud service provider responsibility vs. Tenant responsibility

Microsoft Cloud Architecture Sway - http://aka.ms/cloudarchitecture
Microsoft Cloud Security for Enterprise Architects - Visio, pdf
Modern Active Directory Identity: Big Picture
[Diagram: a Single Identity spanning On Premises Infrastructure (Active Directory, Private Cloud, Fabric Identity, Identity Management), Microsoft's Cloud (Azure Active Directory, AAD App Proxy, VMs in Azure, Apps in Azure, Infrastructure as a Service) and 3rd party apps & clouds, connected through Federation and Synchronization]
Key Lesson Learned on Tier 0 assurance

Good - Recommended Practices + Cleanup
Admin desktops/forest, PAM with dynamic/tracked privileges
Remediate and harden current Tier 0 host OSes, GPOs, and AD Data to security standards

Better - Recommended Practices + Partial rebuild
Admin desktops/forest, PAM with dynamic/tracked privileges
New known good Tier 0 host OSes and GPOs, starting at security standards
Remediate and harden current AD Data to security standards

Best - Recommended Practices + Full Greenfield AD
Admin desktops/forest, PAM with dynamic/tracked privileges
New known good Tier 0 host OSes, GPOs, and AD Data, starting at security standards
