Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Download as PPTX, PDF1 like910 views
The document discusses various strategies for protecting Windows passwords against malicious attacks such as phishing, brute force, and pass-the-hash techniques. It emphasizes the importance of strong password policies, restricting administrative privileges, and implementing robust security practices. Additionally, it outlines specific mitigations to reduce risks associated with credential harvesting and unauthorized access to network resources.
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
- 1. Click to edit Master title style Protecting Windows Passwords
- 2. 2 • Derek Melber, MCSE & MVP (Group Policy and AD) • derek@manageengine.com • www.auditingwindowsexpert.com • Online Resources • ManageEngine Active Directory Blog • Group Policy Resource Kit – MSPress • Windows Security Audit Package Consulting • Active Directory/Windows Audit Program • Training for efficient auditing • Administration Consultant • Active Directory and Server Design/Security • Active Directory and Group Policy Design About Your Speaker
- 3. 3 • Malicious applications • Viruses • Worms • Malware • Phishing attacks • Ransomware attacks • Password attacks • Brute Force • Rainbow Tables • Pass the Hash Windows Computer Attacks
- 4. 4 • Deleting SAM • Dual Boot Scenarios • Social Engineering • Impersonate another person or company • Barter • Guessing • Cracking • Captured challenge-response pairs • Locally-stored hashes Password Attacks
- 5. 5 Access: Users and Workstations Power: Domain Controllers Data: Servers and Applications Pass The Hash (PtH) Attack 1. Bad guy targets workstations en masse 2. User running as local admin compromised, Bad guy harvests credentials. 3. Bad guy starts “credentials crabwalk” 4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges 5. Bad guy owns network, can harvest what he wants.
- 6. 6 • Attacker must gain local admin privileges • Attacker must have a connection to the computer • The attack can’t be 100% prohibited! PtH Attack
- 7. 7 • Restrict and protect high privileged domain accounts • Configure with long, strong, complex password • Use dual accounts • Restrict User Rights • Restrict where these accounts can logon • Configure “Sensitive and cannot be delegated” • Do not use as service accounts or scheduled tasks Mitigation #1
- 8. 8 • Remove standard users from the local Administrators group • Ensure all applications run as standard user • Deploy new software and updates without administrative rights • Obtain software to allow apps/features to run, even though user is standard user (Viewfinity) Mitigation #2
- 9. 9 • Restrict and protect local accounts with administrative privileges • Disable the local Administrator account • Do not use the same password on multiple computers • Configure User Rights • Restrict from remote administration • Restrict from network access Mitigation #3
- 10. 10 • Don’t use the same password on workstations, servers, domain • Don’t allow every workstation to use the same local admin password • Reset passwords often (even Admins) • Don’t use the same password for workstations and servers • Use password vault and change passwords often for domain admin behavior Mitigation #4
- 11. 11 • Restrict inbound traffic using the Windows Firewall • Restrict all inbound connections to all workstations except for those with expected traffic • Configure trusted sources • Help desk • Workstations • Scanners • Management servers Mitigation #5
- 12. 12 • Do not allow browsing the Internet with highly privileged accounts • Configure User Account Control at highest level • Configure outbound proxies to deny Internet access to privileged accounts • Ensure administrative accounts do not have email accounts or mailboxes associated with them Mitigation #6
- 13. 13 • Update applications and operating systems • Use Microsoft WSUS • Use Microsoft SCCM • Obtain software to verify current vulnerabilities Mitigation #7
- 14. 14 • Limit the number of privileged domain accounts • Restrict access to default groups with elevated privileges • Enterprise Admins • Schema Admins • Domain Admins • Administrators • DNS Admins • DHCP Admins • Group Policy Creator Owners • Backup Operators • Account Operators Mitigation #8
- 15. 15 • Secure Domain Controllers • Reduce number of applications installed • Physical security • Ensure User Rights are configured properly • Restrict Anonymous access Mitigation #9
- 16. 16 • Remove LM Hashes • Will not store LM hash with user account • Local SAM • Active Directory • If user DB is compromised, LM hash is not there Mitigation #10
- 17. 17 • Disabled LM and NTLM • Will deny these authentication protocols from being used • Will deny interception of the LM and NTLM hashes Mitigation #11
- 18. 18 • Workstations Setting Configured for Service Accounts • Limits which computers user can logon to • Restricts from logging on to any other computer • Set in user account properties Mitigation #12
- 19. 19 • Don’t Allow Service Accounts to Reset Own Password • Only an administrator can reset the password • Denies the user (or attacker) from resetting password • Set in user account properties Mitigation #13
- 20. 20 • Reset Passwords for ALL User Accounts • Normal users should change password every 60 to 180 days • Depends on compliance regulations • Depends on password structure • Administrators should change password every 60 to 180 days • Service Accounts should have password changed every 180 to 360 days Mitigation #14
- 21. Click to edit Master title style Questions? Thank you!