A talk given by Xuan Ahehehinnou, Nicolas Bonnet & Hakim Taoussi
On workstations and servers, any user, system or service account holding local administrator privileges represents a very high level of risk.
These security risks can open the door to pass-the-hash attacks and other credential theft, malware execution, lateral movement, disabling of defence mechanisms such as antivirus or EDR, impersonation, data encryption, and so on.
In this session we will therefore walk through best practices as well as Microsoft tools and features such as LAPS, Endpoint Privilege Management and Account protection.
How and why to control local administrator privileges on Windows?
1. 24 October 2023 - PARIS
5th edition
@IdentityDays
#identitydays2023
2. Why and how to control local administrator privileges on Windows
Xuan AHEHEHINNOU
Hakim TAOUSSI
Nicolas BONNET
3. • Why? What are the risks?
• How to control them?
• Active Directory, Entra ID
• Windows LAPS
• Intune Account protection
• Intune Endpoint Privilege Management
• Conclusion
CONFERENCE AGENDA
Xuan AHEHEHINNOU
Microsoft 365 Solution Architect
MCT
@Abalon
Hakim TAOUSSI
Technical Architect
MVP Security
@Insight
Nicolas BONNET
CEO & IT Architect
MVP Enterprise Mobility
@InYourCloud
4. Why? What are the risks?
5. The Risks Associated with Local Administrative Privileges
Why Local Admin Privileges?
• Many companies allow their employees to make adjustments to their work computers without the need for IT interference.
• Users generally enjoy the freedom that local admin rights provide.
• However, providing users with local admin rights will leave holes in your cybersecurity.
Over 90% of the vulnerabilities in Windows arise due to Local Admin rights
• Pass-the-hash attacks and lateral movement.
• One password to unlock any local admin account.
• Risk of malware entry.
• Bypass security settings, run exploit code.
• …
6. Why No User Should Have Local Admin Rights
A user with local admin rights, or an attacker impersonating the user, can:
• Change boot and hardware configurations (enable/disable devices, change CPU and memory voltage and frequencies, etc.)
• Modify or delete storage volumes
• Radically simplify malware techniques, such as code injection and DLL hijacking
• Easily gain persistence on a machine with the registry fully open for analysis and modification
• Disable journaling, alter or wipe events
• Disable backup agents or modify backup configurations … and wipe any local backup copy while they’re at it
• Modify shadow copy settings or copy shadow copy (to exfiltrate previously “deleted” data)
• Modify users, add users, add administrative users or hide administrative users from the login menu
• Access every user’s data on the machine and change file and folder owners
• Encrypt hard drive master boot record (MBR), also known as a 15-second full-disk ransomware encryption
• Disable or reconfigure existing endpoint security solutions
• Change network settings, add trust zones, set up tunnels or reroute traffic
• Change the domain name system (DNS), hijack the DNS or exfiltrate data through DNS requests
• Modify browser settings or add browser extensions
• Access every secret stored on the machine: In Windows credential providers, in the browser, in Putty, in FileZilla or any other program that stores credentials
• Access and modify certificate stores, change trust chains and decrypt any secure communication
• Live off the land luxuriously
• Access, analyze and modify memory content
• Use security services to gain code execution in the Local Security Authority Subsystem Service (LSASS), which can also be used to extract password hashes and Kerberos tickets
• Install ANY non-malicious administrative tool and deploy an arsenal of benign tools (that become the “ultimate attacker toolkit” in the wrong hands) without triggering the antivirus
• Install cryptominer malware to take over the machine’s resources and use them for illicit cryptocurrency mining
• Enable built-in or third-party hardware trackers to locate devices anywhere in the world
• Bypass and/or disable user access control (UAC)
• Downgrade drivers, versions and libraries, or force the use of known vulnerable protocols and programs
• Flash firmware to connected devices (e.g., disable LED on a camera or load modified firmware on to a PLC)
• Access security tokens and encryption keys
• Jump air gaps to access critical operational technology (OT) systems
• …
7. AV and EDR killers
Cybercriminals have been using anti-virus (AV) and Endpoint Detection and Response (EDR) solution killers as a method to propagate malware while evading detection.
0xHossam/Killer: an AV/EDR evasion tool created to bypass security tools, for learning purposes
Terminator antivirus killer is a vulnerable Windows driver in disguise
9. Implementing Least-Privilege Administrative Models
In Active Directory
• Securing & controlling Local Administrator Accounts & Groups
• Configuring GPOs to Restrict Administrator Accounts on Domain-Joined Systems
• Securing & controlling Built-in Administrator Accounts
• Securing Administrators, Domain Admins and Enterprise Admins Groups
• Role-Based Access Controls (RBAC)
• Privileged Identity Management
In Entra ID (formerly Azure Active Directory)
• When you connect a Windows device to Entra ID using an Entra ID join, Entra ID adds the following security principals to the local Administrators group on the device:
• The Global Administrator role
• The Microsoft Entra Joined Device Local Administrator role
• In BYOD context, the user account performing the Entra ID join
• You can’t scope Microsoft Entra Joined Device Local Administrator role to a specific set of devices.
• Starting with Windows 10 version 20H2, you can use Entra ID groups to manage administrator privileges on Entra ID joined devices with the Local Users and Groups MDM policy.
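As an added illustration that is not part of the slides, this is the shape of the Local Users and Groups policy payload (Policy CSP, OMA-URI `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure`) that scopes the local Administrators group on an Entra ID joined device to one Entra ID group; the Intune Account protection profile covered later in the deck builds on the same CSP. The SID is a placeholder and must be replaced with the SID derived from the real Entra ID group's object ID.

```xml
<!-- Added example, not from the presentation. Deploy via the OMA-URI above
     (or the equivalent Intune profile). With action "R" the whole membership
     of the built-in Administrators group is replaced by the members listed
     here, so local accounts or roles added out of band (for example by a
     user who was temporarily admin) are removed at the next policy refresh.
     Use action "U" instead if you only want to add/remove the listed members
     and leave everything else untouched. -->
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <!-- "R" = replace membership with the members below; "U" = update only -->
    <group action="R" />
    <!-- Placeholder SID of a scoped Entra ID group (e.g. "Workstation Admins").
         Using a group, rather than the tenant-wide Joined Device Local
         Administrator role, lets you target only a chosen set of devices. -->
    <add member="S-1-12-1-1111111111-2222222222-3333333333-4444444444" />
  </accessgroup>
</GroupConfiguration>
```

After deployment, verify on a device that the Administrators group contains only the expected principals (for example with `net localgroup administrators`) before rolling the policy out more widely.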
10. Eliminate Local Admin Rights Across the Board
12. Manage and back up the password of the local admin on Entra ID joined devices
Some benefits of using Windows LAPS
• Protects computers against pass-the-hash and lateral-traversal attacks
• Improved security for computers that are only joined to Entra ID
• Ability to sign in to and recover devices that are otherwise inaccessible
• Improved management of the computer through modern management (Intune / Entra ID)
• Use RBAC, PIM and Conditional Access to secure the passwords that are stored in Entra ID
Windows LAPS (GA)
14. Account protection policy for endpoint security in Intune
Local user group membership profile to add, remove, or replace members of the built-in local groups on Windows devices
• For example, the Administrators local group has broad rights. You can use this policy to edit the Admin group's membership to lock it down to a set of exclusively defined members.
16. Use Intune Endpoint Privilege Management
EPM allows your organization's users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges.
• Run with elevated access
• File elevation and elevation types
• Automatic elevation rules / User confirmed rules
• Managed elevations vs unmanaged elevations
18. Conclusion
• Remove local admin rights and enforce least privilege to reduce endpoint security vulnerabilities, then elevate end-user privileges on demand, in real time, with little or no helpdesk involvement.
• Block ransomware by tightly controlling application permissions based on fine-grained, conditional business rules. Defend against other threats targeting and originating on endpoints.
• Enhance the user experience by giving the right people and applications the right access to the right resources at the right times.
• Protect Windows and Windows Server endpoints from hybrid to cloud environments.