Securing Your Data in an Open World
Developing a Secure Active Directory

INTRODUCTION
Agenda
Risks
Mitigations
Validation and Auditing
Tips from the Field
PASS THE HASH
Convenience of SSO at the cost of additional risk.
What makes a “hash” in this context? h = f(x)
Predates Windows NT 3.1 but still very much applicable today.
A stolen hash creates the potential for impersonation.
A stolen hash inherits any authorizations granted to the account.
PASS THE HASH
BASIC SCENARIO
Bob logs on to CORP\BOB-E550.
Windows SAM stores his hash in kernel memory.
Alice logs on remotely to BOB-E550.
Alice is a member of BUILTIN\Administrators.
Alice performs a memory dump of BOB-E550 from an elevated process.
Alice exfiltrates the memory dump to her workstation using SMB.
Alice extracts Bob’s hash from the memory dump offline.
PASS THE HASH
BASIC LESSONS
Limiting opportunities for untrusted processes to elevate is important.
User Account Control (UAC) is a first line of defense.
What if Bob was a Domain Admin?
If Alice has local admin, do you trust Alice enough to see everything in RAM on that system?
If we can’t protect a user’s identity, the concept of identity or authentication on our network is weakened.
PASS THE HASH
CROSS-SYSTEM
PC-A and PC-B both have a local user named “helpdeskadmin”.
The plaintext password for .\helpdeskadmin is Tr1viAl&triNg.
The equivalent hash for the account is the same on both machines.
A compromise of the hash by a process on PC-A can be used to attack any other Windows host that has that same username and password combination, even without knowledge of the plaintext password.
PASS THE HASH
CROSS-SYSTEM LESSONS
Again, process elevation creates the opportunity.
Diversification of local user passwords across machines is important.
See MS KB3062591: Local Administrator Password Solution (LAPS).
Beware previous solutions; not all similar solutions use secure communications for storing the local admin password.
Restrict remote logon of local accounts where it isn’t needed.
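As an added example (not code from the deck), a read-only PowerShell audit of the two mitigations on this slide: which Windows computer objects have never had their local administrator password rotated by LAPS, and whether the host it runs on denies network logon to local accounts. It assumes the RSAT ActiveDirectory module and the legacy LAPS schema extension (ms-Mcs-AdmPwdExpirationTime) from KB3062591.

```powershell
# Added example, not code from the deck. Assumes RSAT ActiveDirectory module and the
# legacy LAPS schema extension (ms-Mcs-AdmPwdExpirationTime) from KB3062591.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    # LAPS stamps ms-Mcs-AdmPwdExpirationTime the first time it rotates a machine's local
    # admin password. A Windows computer object without it still carries whatever password
    # the image or the helpdesk gave it, i.e. the shared-hash situation from the slide.
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem
    $unmanaged = @($computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' })
    [pscustomobject]@{
        WindowsComputers = @($computers).Count
        NotManagedByLaps = $unmanaged.Count
        UnmanagedNames   = $unmanaged.Name
    }
}

function Test-LocalAccountNetworkLogonDenied {
    # "Deny access to this computer from the network" as effective on this host, read from
    # a local security policy export. S-1-5-113 (Local account) and S-1-5-114 (Local account
    # and member of Administrators group) are the well-known SIDs that let one policy deny
    # network logon to every local account without listing them by name.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $inf | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight' |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $sids = @()
    if ($line) {
        # Exported form: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114,*S-1-5-21-...
        $sids = ($line.Line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        DeniesAllLocalAccounts   = $sids -contains 'S-1-5-113'
        DeniesLocalAdminAccounts = $sids -contains 'S-1-5-114'
        DeniedPrincipals         = $sids
    }
}

Get-LapsCoverage | Format-List
Test-LocalAccountNetworkLogonDenied | Format-List
```

Run the second check on a sample of workstations and servers, since the effective user-rights assignment is per host, not per domain.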
PASS THE HASH
RECENT DEVELOPMENTS
Windows 10 / Server 2016 introduces Isolated User Mode.
Stores NTLM hashes in a virtualized micro-kernel.
The hypervisor executing the micro-kernel acts as a gatekeeper.
Limited implementation details available.
Concerns over how much protection this really provides.
Ultimately, it will need to be audited and tested before we know.
LANMAN and NTLM
For compatibility, AD can still communicate using LM or NTLM.
Both have known and easy-to-exploit weaknesses.
Allowing older protocols creates opportunity for downgrade attacks.
Similar to the SSL/TLS downgrade attacks popular in 2014.
Group Policy can be used to restrict or eliminate use of NTLM.
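As an added example (not from the deck), a PowerShell report of the registry values that the "LAN Manager authentication level", "Do not store LAN Manager hash value" and "Restrict NTLM" Group Policy settings write on a host, with findings for each weak or missing setting. The value meanings in the comments are Microsoft's documented ones; run it elevated on a DC and on a member server, since the in-domain restriction only applies on DCs.

```powershell
# Added example, not from the deck. Read-only: reports the LM/NTLM policy values on this
# host so a downgrade to LM or NTLMv1 is not left possible by accident.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = "$lsa\MSV1_0"
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the value is absent, so the OS default applies.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-NtlmPolicyReport {
    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3-4 send NTLMv2 only,
    # 5 additionally makes DCs refuse LM and NTLMv1 from clients.
    $lmLevel = Get-RegDword $lsa 'LmCompatibilityLevel'
    $noLm    = Get-RegDword $lsa 'NoLMHash'            # 1 = LM hash not stored on next change
    # Restrict NTLM: outgoing 0=allow 1=audit 2=deny; incoming 0=allow 1=deny domain
    # accounts 2=deny all; audit incoming 0=off 1=domain accounts 2=all;
    # in-domain (DCs only) 0=disable ... 7=deny all.
    $send   = Get-RegDword $msv 'RestrictSendingNTLMTraffic'
    $recv   = Get-RegDword $msv 'RestrictReceivingNTLMTraffic'
    $audit  = Get-RegDword $msv 'AuditReceivingNTLMTraffic'
    $domain = Get-RegDword $netlogon 'RestrictNTLMInDomain'

    $findings = @()
    if ($null -eq $lmLevel) { $findings += 'LmCompatibilityLevel not set; OS default (3 on Vista/2008 and later) applies' }
    elseif ($lmLevel -lt 3)  { $findings += 'LmCompatibilityLevel below 3: this host still sends LM/NTLMv1 responses' }
    elseif ($lmLevel -lt 5)  { $findings += 'LmCompatibilityLevel below 5: DCs still accept LM/NTLMv1' }
    if ($noLm -ne 1)         { $findings += 'NoLMHash not explicitly 1; enforce "Do not store LAN Manager hash value"' }
    if (-not $audit)         { $findings += 'AuditReceivingNTLMTraffic off: cannot see which clients still need NTLM' }
    if (-not $send -and -not $recv -and -not $domain) { $findings += 'No Restrict NTLM policy in effect' }

    [pscustomobject]@{
        LmCompatibilityLevel  = $lmLevel
        NoLMHash              = $noLm
        RestrictSendingNTLM   = $send
        RestrictReceivingNTLM = $recv
        AuditReceivingNTLM    = $audit
        RestrictNTLMInDomain  = $domain
        Findings              = $findings
    }
}

Get-NtlmPolicyReport | Format-List
```

Turn on the audit setting first and review the NTLM audit events for a few weeks before moving to deny, so legacy clients are found rather than broken.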
LMv1 and NTLMv1
Source: SANS Digital Forensics
http://bit.ly/1JXjuuG
PRIVILEGED GROUPS AND USERS
BEST PRACTICES
Disable BUILTIN\Administrator.
Disable network logon for the local administrator account.
Do not perform day-to-day activities with your admin account.
Do not keep users in Enterprise or Schema Admins.
Do not log on to client systems with privileged network accounts.
Don’t disable password expiration on privileged accounts.
Don’t use Domain Admin as a shortcut for domain-wide needs.
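As an added example (not from the deck), a point-in-time PowerShell audit of the practices on this slide: who sits in the high-privilege groups after nested groups are expanded, which of those accounts have password expiration disabled, and whether the built-in Administrator is still enabled. It assumes the RSAT ActiveDirectory module and English group names; Enterprise Admins and Schema Admins only exist in the forest root domain.

```powershell
# Added example, not from the deck. Assumes RSAT ActiveDirectory module and English
# group names. Read-only.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param([string[]]$Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'))
    $domain = Get-ADDomain
    $rows = foreach ($g in $Groups) {
        # -Recursive expands nested groups, which is where forgotten admin rights hide.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled
            [pscustomobject]@{
                Group                = $g
                User                 = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
            }
        }
    }
    # The built-in Administrator is always RID 500 of the domain SID, whatever it was renamed to.
    $builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Enabled, PasswordLastSet
    [pscustomobject]@{
        Members                  = $rows
        NeverExpiringAdmins      = @($rows | Where-Object PasswordNeverExpires).User | Sort-Object -Unique
        EnterpriseOrSchemaAdmins = @($rows | Where-Object { $_.Group -in 'Enterprise Admins', 'Schema Admins' }).User |
                                   Sort-Object -Unique
        BuiltinAdministrator     = $builtin.SamAccountName
        BuiltinAdminEnabled      = $builtin.Enabled
    }
}

$r = Get-PrivilegedAccountReport
$r.Members | Format-Table Group, User, Enabled, PasswordNeverExpires, LastLogonDate -AutoSize
$r | Select-Object NeverExpiringAdmins, EnterpriseOrSchemaAdmins, BuiltinAdministrator, BuiltinAdminEnabled |
    Format-List
```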
KERBEROS
Provides an enhanced authentication architecture and cryptography.
Not a Pass-the-Hash mitigation; see Pass-the-Ticket.
Keeping your entire Windows environment patched is key to maintaining a secure Kerberos environment.
Vectors exist where Kerberos tickets are forged; see MS14-068.
Kerberos, like many protocols, requires iteration to improve its security, and so we must patch.
Source: SANS Digital Forensics
http://bit.ly/1JXjuuG
ENTERPRISE CA
Why run an Enterprise CA?
For existing Windows CAs, implications of SHA-1 deprecation.
http://bit.ly/mscasha1to2
A Windows CA is not fire-and-forget; it needs maintenance, too.
ANONYMOUS BINDS & ENUM
Enabled on many domains upgraded from NT / Server 2000.
Anonymous bind off by default in Server 2003 and later for new domains.
Easy intelligence source for hostile actors.
For binds, modify the dsHeuristics attribute in an editor like ADSI Edit.
For enumeration, a Group Policy setting exists.
Can impact pre-2000 clients and domain trust functionality.
Need to understand what relies on anonymous access today.
May not be feasible to disable; part of the hardening process.
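As an added example (not from the deck), a read-only PowerShell check of the two controls on this slide: whether dsHeuristics on the Directory Service object re-enables anonymous LDAP operations, and whether the Group Policy values that block anonymous SAM and share enumeration are in effect on the host. It assumes the RSAT ActiveDirectory module; the dsHeuristics position comes from Microsoft's documentation of that attribute.

```powershell
# Added example, not from the deck. Assumes RSAT ActiveDirectory module. Read-only.
Import-Module ActiveDirectory

function Test-AnonymousLdapOperations {
    # Character 7 of dsHeuristics (fLDAPBlockAnonOps) set to '2' re-enables anonymous LDAP
    # operations beyond the rootDSE; any other value keeps the Server 2003+ default.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties dsHeuristics
    $h = [string]$ds.dsHeuristics
    [pscustomobject]@{
        dsHeuristics         = $h
        AnonymousLdapAllowed = ($h.Length -ge 7 -and $h[6] -eq '2')
    }
}

function Test-AnonymousEnumeration {
    # "Network access: Do not allow anonymous enumeration of SAM accounts"            -> RestrictAnonymousSAM = 1
    # "Network access: Do not allow anonymous enumeration of SAM accounts and shares" -> RestrictAnonymous = 1
    # "Network access: Let Everyone permissions apply to anonymous users"             -> EveryoneIncludesAnonymous = 0
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        EnumerationBlocked        = ($lsa.RestrictAnonymousSAM -eq 1 -and
                                     $lsa.RestrictAnonymous -eq 1 -and
                                     $lsa.EveryoneIncludesAnonymous -ne 1)
    }
}

Test-AnonymousLdapOperations | Format-List
Test-AnonymousEnumeration    | Format-List
```

As the slide says, find out what still depends on anonymous access before clearing the seventh character of dsHeuristics.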
MONITORING
When active defense fails, a passive approach can help.
Changes to privileged groups (integrity monitoring).
Invalid attributes in Kerberos requests.
Presence of NTLM auth events in the Security log.
Statistical anomalies (Failure Audit volume, request volume, lockouts).
Security Information and Event Management products exist for this.
AD / NTFS auditing is extremely valuable if configured well.
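As an added example (not from the deck), a PowerShell function that pulls three of the signals on this slide out of a domain controller's Security log: additions to privileged groups, NTLM logons broken down by LM/NTLMv1 versus NTLMv2 package, and lockout volume against a simple threshold. It assumes advanced audit policy for Security Group Management, Logon and User Account Management is enabled on the DC, and English group names.

```powershell
# Added example, not from the deck. Assumes the DC audits group management, logon and
# account management events, and that group names are English. Read-only.
function Get-AdSecuritySignals {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$LockoutThreshold = 20,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Backup Operators')
    )
    $filter = @{
        LogName   = 'Security'
        # 4728/4732/4756 = member added to global/local/universal group; 4624 = logon; 4740 = lockout
        Id        = 4728, 4732, 4756, 4624, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $groupChanges = @(); $ntlm = @(); $lockouts = 0
    foreach ($e in $events) {
        # EventData is easiest to read from the XML form: <Data Name="...">value</Data>
        $d = @{}
        foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        switch ($e.Id) {
            { $_ -in 4728, 4732, 4756 } {
                if ($d.TargetUserName -in $PrivilegedGroups) {
                    $groupChanges += [pscustomobject]@{ Time = $e.TimeCreated; Group = $d.TargetUserName
                                                        Member = $d.MemberName; By = $d.SubjectUserName }
                }
            }
            4624 {
                if ($d.AuthenticationPackageName -eq 'NTLM') {
                    $ntlm += [pscustomobject]@{ User = $d.TargetUserName; Source = $d.IpAddress
                                                Package = $d.LmPackageName; LogonType = $d.LogonType }
                }
            }
            4740 { $lockouts++ }
        }
    }
    [pscustomobject]@{
        Window              = "$Hours h on $ComputerName"
        PrivilegedGroupAdds = $groupChanges
        NtlmLogons          = $ntlm.Count
        # 'NTLM V1' here is the downgrade the LANMAN/NTLM slide warns about
        NtlmByPackage       = $ntlm | Group-Object Package | Select-Object Name, Count
        NtlmV1Sources       = $ntlm | Where-Object Package -eq 'NTLM V1' | Select-Object -ExpandProperty Source -Unique
        Lockouts            = $lockouts
        LockoutAnomaly      = $lockouts -gt $LockoutThreshold
    }
}

Get-AdSecuritySignals | Format-List
```

Baseline the NTLM and lockout counts over a normal week before choosing a threshold; the value in the parameter is a constructed placeholder.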
READ-ONLY DCs
Many associate RODCs with branch offices or poor connectivity.
An option for providing LDAP data in potentially hostile or untrusted environments:
Low physical security.
Multi-tenant environments.
Can restrict the replication of password hashes to RODCs.
Why? Offline attacks after physical loss.
By the same token, you must physically secure writeable DCs’ disks and their backups.
DATA PROTECTION
Not an active protection, but like any data, a backup is equally critical.
While not exactly a security topic, it is often overlooked.
It’s not enough to snapshot your virtual DCs.
In fact, it’s dangerous if the DC is anything older than 2012 R2.
A Windows System State backup of any DC will back up the AD database.
Several agent-based backup products can capture the system state.
AUDIT AND VALIDATION
All of these measures are helpful, but less meaningful without validation.
Third-party firms.
Microsoft Consulting opportunities.
SaaS vulnerability scanning services.
In-house testing (MBSA).
OTHER TIPS
Enforce CTRL+ALT+DEL as the secure keystroke on clients.
Avoid using web browsers on servers.
Inspect software thoroughly before executing it on a server.
Don’t disable the Windows Firewall.
Don’t disable UAC on any Windows system if it can be avoided.
STAY INFORMED
Attend security sessions at conferences (MS Ignite, VMworld, etc.).
Engage with an IT security provider where it makes sense for you.
Monitor consistent, well-maintained sources:
US-CERT (us-cert.gov)
SANS ISC (isc.sans.edu) and Threat Level status.
Microsoft Technical Security Notifications (http://bit.ly/mssecnot)
Talk about security within your organizations.
Thank You
