SlideShare a Scribd company logo

Is the door to your active directory wide open and unsecure

D
David Rowe

The document discusses the security risks associated with idle permissions and forgotten accounts within Active Directory, highlighting how privilege creep can lead to unauthorized access. It emphasizes the need to implement Microsoft's Enhanced Security Administrative Environment (ESAE) to safeguard administrative credentials and limit exposure to cyber-attacks. The author provides a five-step installation guide for handling these security measures effectively.

Technology
1 of 68
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
Idle Permissions and Forgotten Accounts AREAS RIPE FOR COMPROMISE I s t h e D o o r t o Yo u r A c t i v e D i r e c t o r y W i d e O p e n a n d U n s e c u r e ? © 2 0 1 9 : : D a v i d Ro w e : : S e c f ra m e . c o m
A Cached Story How many stored passwords is too many? How long are they stored? 1 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
David Rowe, CISSP  Owner of Secframe.com  Cloud Security Lead at Boston Children’s  Info today from: Security research @ Harvard  Incident response on multiple nation state attacks  Custom vulnerability assessments for A.D.  520,000+ objects audited, 1300+ Group Policies © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
David Rowe, CISSP Secframe.com /in/davidprowe @customes davidprowe david@secframe.com © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Today:  What is Active Directory?  Why is Access Important?  Microsoft ESAE  5 Step Install - $0.00 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
What is Active Directory? 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Object Information Store A.D. stores information about OBJECTS on a computer network © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Object Information Store Hierarchy: Parent/Child Common Object Types: Users Computers Groups © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Security Defined Through: Via ACLs; Ownership, & Membership Objects authorized to perform actions © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Hierarchy: So urce: https://www.secframe.com/blog/account-operators-what-can-they-control © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Ex: Account Operators
Why is Access Important? 3 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
-Margaret Rouse Techta rget. co m Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his or her job “
Privilege Creep As users shift and rotate roles, the administrators create different role groups with different access across the domain(s). Those groups keep getting added to users with no checks in place. © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Over time accounts gain more access to objects The rights are often overlooked Often user permissions are unknown to the owners of AD © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Privilege Creep
Privilege Creep 1:  Helpdesk  Starts with reset password  Over time:  Log into servers / workstations  Change file share permissions © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Privilege Creep 2:  Server Team  Starts with 2 or 3 standard users  Over time:  Added to domain admin – God-mode  Can edit anything across entire network © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Group Creep  User starts in Help Desk  Stays in role 2 years, gets promoted  Gets access to more systems  Help desk roles and permissions never removed © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Excessive Group Creep So urce: Audit I performed for a client © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Green Circle = User Yellow Circles = Groups
Forgotten Accounts Users on a domain continue to acquire privileges User rights sit idle and can be used by anyone with access to that account, group, or computer © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Idle Permissions + Privilege Creep With users gaining more and more access to objects; computers, groups, and other users, ATTACKERS HAVE MORE TARGETS TO EXPLOIT © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
What can we do? Click here to learn more!
Microsoft ESAE 4 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Microsoft’s Solution ESAE Enhanced Security Administrative Environment © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Microsoft’s Solution ESAE © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Where to start:
• An unpatched public facing web server was compromised • An attacker exploited a vulnerability, granting admin access to the server • The attacker dumped the cached credentials on the server • Finds a local administrator password identical across machines • Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored • Attacker dumps DA hash from machine and cracks it • The attacker now has full administrative access on the domain The Breach © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Microsoft’s Solution ESAE Helps prevent compromise of administrative credentials from cyber-attacks Thwart attacks by limiting exposure of admin credentials (Cached Credentials) Microsoft’s recommended baseline to remediate pass the hash © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
5 Step Install 5 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
$0.00 Solution: In an hour you can implement 100% of Stage 1 50% of Stage 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
#1 Separate Admin Accounts i. Separate admin accounts for tiers ii. Block login access across tiers iii. Move Admin users and groups to Admin OU © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
What are tiers? © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs Tier 0 Domain Admins Tier 1 Server Admins Accounts with control over resources or that manage critical data and applications. Objects: Servers Tier 2 Workstation Admins Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
Tiers: Further Reading Secframe.com Blog Posts What are tiers and who holds the keys to the kingdom? What is Microsoft ESAE and Red Forest © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Block logins across tiers  Start by blocking Domain Admins (DAs) logins  They should not be able to log into workstations or servers © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Block DAs: The GPO © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Block logins across tiers  6+ months: Continue with Tier 1 and Tier 2  Stage 3, step 1: Modernize roles and delegation © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
Centralize Admins Blog post: Why aren't your administrators in one place?  https ://gallery. technet.micros oft. com/Privileged - Acces s -3d072563 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
#2 Limit Admins Boot people out of admin groups Boot Service Accounts out of groups Boot groups out of groups © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
What are the admin groups? Built-in Groups  B lo g Po s ts :  T he Da ngers o f B uilt-In Gro ups  Fo rget- me - not lis t: privileged gro ups to a udit to day Shadow Admins © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Built-In Groups: Permissions Overview  Acco unt Opera to rs : Rea d LAPS a ttribute, a dminis ter do ma in us er a nd gro up a cco unts  Adminis tra to rs : Go d - mo de  B a ckup Opera to rs : Override s ecurity res trictio ns . Allo w lo go n Lo ca lly, lo g o n a s ba tch jo b, s hut do wn the s ys tem  Do ma in Admins : member o f every do ma in - jo ined co mputer ’s lo ca l Admin gro up  E nterpris e Admins : Member o f every do ma in’s Adminis tra to r gro up  Gro up Po licy Crea to r Owners : Ca n crea te a nd mo dify GPOs o n the do ma in  Server Opera to rs : ca n a dminis ter do ma in s ervers  Remo te Des kto p U s ers : Remo tely lo g o n to do ma in co ntro llers in the do ma in.  E xcha nge Gro ups : writeDACL o n ro o t o f do ma in © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
What is a Shadow Admin A shadow admin is an account in your network that has sensitive privileges. Typically overlooked because the account is not in a privileged group, permissions for this account were granted directly using ACLs on AD objects. These accounts are highly desirable because they provide admin privileges needed to advance an attack. They are less likely to be watched by audit and logging systems © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Shadow Admins on a Domain * D O M A I N I T U S E R S * D O M A I N H R U S E R M A N A G E M E N T * D O M A I N I T - H E L P D E S K * D O M A I N A C C O U N T M A N A G E M E N T * D O M A I N I T E x c h a n g e * D O M A I N I T U s e r P a s s w o r d R e s e t s * D O M A I N I T S E R V E R A D M I N S * D O M A I N E n t e r p r i s e S e r v i c e s * D O M A I N O f f i c e d e p t A d m i n s * D O M A I N B a s e A d m i n s * D O M A I N C o m p M a n a g e m e n t * D O M A I N E M A I L A D M I N S * D O M A I N C O N TA C T C R E A T O R * D O M A I N C o n t a c t M a n a g e m e n t * D O M A I N C r e d i t _ S U P P O R T * D O M A I N W e b A d m i n i s t r a t i o n * D O M A I N M A I L B O X M G M T * D O M A I N S e r v i c e D e s k * D O M A I N O A D M I N S * D O M A I N V P N A d m i n i s t r a t o r s * D O M A I N A D U s e r C l e a n u p * D O M A I N R & D A D M I N S * D O M A I N E p s i l o n A d m i n s * D O M A I N Z o n e A D M I N S * D O M A I N A D W R I T E R S A d m i n s * D O M A I N F i l e S h a r e A D M I N S * D O M A I N R d r i v e A D M I N S * D O M A I N O d r i v e A D M I N S * D O M A I N S A N A d m i n s * D O M A I N C l o u d a p p s A D M I N S * D O M A I N S E R V I C E N O W A D M I N S * D O M A I N S E R V I C E N O W O U A D M I N S * D O M A I N S E R V I C E N O W G r o u p A D M I N S * D O M A I N I T O U A D M I N S * D O M A I N N e t w o r k Te a m * D O M A I N C l u s t e r 2 A d m i n s * D O M A I N D a t a b a s e D i s k A d m i n s * D O M A I N C l u s t e r A d m i n s © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Finding Shadow Admins © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m https://github.com/davidprowe/AD_Sec_Tools
Why Find and Limit # of Admins? Click here to learn more!
Forgotten Accounts + Privilege Creep The accounts the attackers are targeting The credentials they want Credentials laying dormant on systems © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
#3 Cached Creds GPO Create GPOs to remove the cached credentials from computers …then reboot © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Cached Credentials?  Computer level setting  Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available) © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Cached Credentials Defaults  Value indicates stored users credentials on device – (10)  Default stored as RC4 hash on system © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Vulnerabilities  Targeted Pass-the-hash -If you can’t crack it, encapsulate and pass it  RC4 Nomore – one type of RC4 Exploit – 52 Hrs to crack  One incident I observed evidence a plaintext password 9 minutes after the hash was compromised © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Playground: Exploit Tools Mimikatz, Impacket, JtR, Hashcat, Ophcrack, Taskmanager… + lsass.exe, Pwdumpx + passwordPro Google for more! © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
No Cached Creds: The GPO © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Reporting on Cached Creds © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m  Find machines on the domain that have cached creds enabled  AD_Computer_CachedCredsFind Computers without Cached Cred GPO.ps1
Reporting on Cached Creds © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
#4 LAPS Local Admin Password Solution – ms-mcs-admpwd Unique passwords for all workstations and servers Prevents lateral movement between machines © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
4 Steps to LAPS Extend schema to support LAPS * Allow computers to write to LAPS attribute Software must be installed on workstations/servers GPO to deploy password settings © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
LAPS Steps 1 & 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
LAPS Steps 3 & 4 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
#5 Audit & Alert Domain Admin logon Alert of vssadmin create shadow Install Security Tools © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Audit MS Audit Policy Recs: https://goo.gl/uGUL4a Sample: © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Alert Domain Admin logons Vssadmin create shadow on domain controllers *Protect the NTDS.dit *Move the NTDS.dit Domain dumps often start with the vss copy © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Install Security Tools Endpoint Protection Microsoft Advanced Threat Analytics (ATA) Gartner link https://goo.gl/NgWuGK Crowdstrike, CarbonBlack, Cylance, Sophos, Fireeye © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
Now what do I do? D e p l o y t h e 5 f r e e s t e p s G u i d a n c e o n F ra m e w o r k s a n d To o l s S e c u r i t y A u d i t s & Ro a d m a p s Secframe.com/about
Special Thanks M a r i e D i R u z z a L i s a D i M a u r o N e r c o m p : A m y, A n a n d a , A n d r e a Secframe.com/about
Slides available for download at: Secframe.com/presentations

More Related Content

PPTX
Escalation defenses ad guardrails every company should deploy
David Rowe
 
PPTX
Creating a fortress in your active directory environment
David Rowe
 
PPTX
Secure Active Directory in one Day Without Spending a Single Dollar
David Rowe
 
PDF
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
PDF
Ddos- distributed denial of service
laxmi chandolia
 
PDF
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Jennifer Nichols
 
PDF
3. APTs Presentation
isc2-hellenic
 
PDF
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 
Escalation defenses ad guardrails every company should deploy
David Rowe
 
Creating a fortress in your active directory environment
David Rowe
 
Secure Active Directory in one Day Without Spending a Single Dollar
David Rowe
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
Ddos- distributed denial of service
laxmi chandolia
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Jennifer Nichols
 
3. APTs Presentation
isc2-hellenic
 
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 

What's hot (16)

PPT
DDoS Attacks
Jignesh Patel
 
PDF
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
BeyondTrust
 
PDF
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
PDF
How to measure your security response readiness?
Tomasz Jakubowski
 
PDF
Addios!
Chong-Kuan Chen
 
PDF
Windows server hardening 1
Frank Avila Zapata
 
PPTX
Implementing Active Directory and Information Security Audit also VAPT in Fin...
KajolPatel17
 
PPT
hacking and crecjing
parth jasani
 
PPTX
System hacking
CAS
 
PDF
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
Asaf Hecht
 
PDF
Unearth Active Directory Threats Before They Bury Your Enterprise
BeyondTrust
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
PPTX
Power of logs: practices for network security
Information Technology Society Nepal
 
PDF
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PPTX
IT Infrastrucutre Security
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPTX
Time-based DDoS Detection and Mitigation for SDN Controller
Lippo Group Digital
 
DDoS Attacks
Jignesh Patel
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
BeyondTrust
 
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
How to measure your security response readiness?
Tomasz Jakubowski
 
Addios!
Chong-Kuan Chen
 
Windows server hardening 1
Frank Avila Zapata
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
KajolPatel17
 
hacking and crecjing
parth jasani
 
System hacking
CAS
 
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
Asaf Hecht
 
Unearth Active Directory Threats Before They Bury Your Enterprise
BeyondTrust
 
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
Power of logs: practices for network security
Information Technology Society Nepal
 
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
IT Infrastrucutre Security
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Time-based DDoS Detection and Mitigation for SDN Controller
Lippo Group Digital
 
Ad

Similar to Is the door to your active directory wide open and unsecure (20)

PPTX
Derbycon - Passing the Torch
Will Schroeder
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
PPTX
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
PPTX
The presentation on my "Shadow Admins" research
Asaf Hecht
 
PDF
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Identity Days
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
PPTX
Bridging the Gap
Will Schroeder
 
PDF
Ransomware Resistance
Florian Roth
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
PPTX
dude wheres my domain admins v1.pptx
Joel Leo
 
PDF
CertsOut Checkpoint-156-587 exam dumps pdf
Dumpcollection
 
PPTX
Shadow admins
Lavi Lazarovitz
 
PPTX
Network Security - Real and Present Dangers
Peter Wood
 
PPTX
Secure active directory in one day without spending a single dollar
David Rowe
 
PPTX
Bsides final
Collyn Hartley
 
PDF
Reducing Your Attack Surface
Alert Logic
 
PPTX
Risk management of privileged users 2
Ken Willén
 
PDF
Ceh v8 labs module 05 system hacking
Mehrdad Jingoism
 
PDF
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
PDF
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Quest
 
Derbycon - Passing the Torch
Will Schroeder
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
The presentation on my "Shadow Admins" research
Asaf Hecht
 
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Identity Days
 
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
Bridging the Gap
Will Schroeder
 
Ransomware Resistance
Florian Roth
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
dude wheres my domain admins v1.pptx
Joel Leo
 
CertsOut Checkpoint-156-587 exam dumps pdf
Dumpcollection
 
Shadow admins
Lavi Lazarovitz
 
Network Security - Real and Present Dangers
Peter Wood
 
Secure active directory in one day without spending a single dollar
David Rowe
 
Bsides final
Collyn Hartley
 
Reducing Your Attack Surface
Alert Logic
 
Risk management of privileged users 2
Ken Willén
 
Ceh v8 labs module 05 system hacking
Mehrdad Jingoism
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Quest
 
Ad

Recently uploaded (20)

PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 

Is the door to your active directory wide open and unsecure

  • 1. Idle Permissions and Forgotten Accounts AREAS RIPE FOR COMPROMISE I s t h e D o o r t o Yo u r A c t i v e D i r e c t o r y W i d e O p e n a n d U n s e c u r e ? © 2 0 1 9 : : D a v i d Ro w e : : S e c f ra m e . c o m
  • 2. A Cached Story How many stored passwords is too many? How long are they stored? 1 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 3. David Rowe, CISSP  Owner of Secframe.com  Cloud Security Lead at Boston Children’s  Info today from: Security research @ Harvard  Incident response on multiple nation state attacks  Custom vulnerability assessments for A.D.  520,000+ objects audited, 1300+ Group Policies © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 4. David Rowe, CISSP Secframe.com /in/davidprowe @customes davidprowe david@secframe.com © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 5. Today:  What is Active Directory?  Why is Access Important?  Microsoft ESAE  5 Step Install - $0.00 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 6. What is Active Directory? 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 7. Object Information Store A.D. stores information about OBJECTS on a computer network © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 8. Object Information Store Hierarchy: Parent/Child Common Object Types: Users Computers Groups © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 9. Security Defined Through: Via ACLs; Ownership, & Membership Objects authorized to perform actions © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 10. Hierarchy: So urce: https://www.secframe.com/blog/account-operators-what-can-they-control © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Ex: Account Operators
  • 11. Why is Access Important? 3 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 12. -Margaret Rouse Techta rget. co m Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his or her job “
  • 13. Privilege Creep As users shift and rotate roles, the administrators create different role groups with different access across the domain(s). Those groups keep getting added to users with no checks in place. © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 14. Over time accounts gain more access to objects The rights are often overlooked Often user permissions are unknown to the owners of AD © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Privilege Creep
  • 15. Privilege Creep 1:  Helpdesk  Starts with reset password  Over time:  Log into servers / workstations  Change file share permissions © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 16. Privilege Creep 2:  Server Team  Starts with 2 or 3 standard users  Over time:  Added to domain admin – God-mode  Can edit anything across entire network © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 17. Group Creep  User starts in Help Desk  Stays in role 2 years, gets promoted  Gets access to more systems  Help desk roles and permissions never removed © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 18. Excessive Group Creep So urce: Audit I performed for a client © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Green Circle = User Yellow Circles = Groups
  • 19. Forgotten Accounts Users on a domain continue to acquire privileges User rights sit idle and can be used by anyone with access to that account, group, or computer © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 20. Idle Permissions + Privilege Creep With users gaining more and more access to objects; computers, groups, and other users, ATTACKERS HAVE MORE TARGETS TO EXPLOIT © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 21. What can we do? Click here to learn more!
  • 22. Microsoft ESAE 4 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 23. Microsoft’s Solution ESAE Enhanced Security Administrative Environment © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 24. Microsoft’s Solution ESAE © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Where to start:
  • 25. • An unpatched public facing web server was compromised • An attacker exploited a vulnerability, granting admin access to the server • The attacker dumped the cached credentials on the server • Finds a local administrator password identical across machines • Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored • Attacker dumps DA hash from machine and cracks it • The attacker now has full administrative access on the domain The Breach © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 26. Microsoft’s Solution ESAE Helps prevent compromise of administrative credentials from cyber-attacks Thwart attacks by limiting exposure of admin credentials (Cached Credentials) Microsoft’s recommended baseline to remediate pass the hash © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 27. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 28. 5 Step Install 5 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 29. $0.00 Solution: In an hour you can implement 100% of Stage 1 50% of Stage 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 30. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 31. #1 Separate Admin Accounts i. Separate admin accounts for tiers ii. Block login access across tiers iii. Move Admin users and groups to Admin OU © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 32. What are tiers? © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs Tier 0 Domain Admins Tier 1 Server Admins Accounts with control over resources or that manage critical data and applications. Objects: Servers Tier 2 Workstation Admins Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
  • 33. Tiers: Further Reading Secframe.com Blog Posts What are tiers and who holds the keys to the kingdom? What is Microsoft ESAE and Red Forest © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 34. Block logins across tiers  Start by blocking Domain Admins (DAs) logins  They should not be able to log into workstations or servers © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 35. Block DAs: The GPO © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 36. Block logins across tiers  6+ months: Continue with Tier 1 and Tier 2  Stage 3, step 1: Modernize roles and delegation © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 37. Centralize Admins Blog post: Why aren't your administrators in one place?  https ://gallery. technet.micros oft. com/Privileged - Acces s -3d072563 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 38. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 39. #2 Limit Admins Boot people out of admin groups Boot Service Accounts out of groups Boot groups out of groups © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 40. What are the admin groups? Built-in Groups  B lo g Po s ts :  T he Da ngers o f B uilt-In Gro ups  Fo rget- me - not lis t: privileged gro ups to a udit to day Shadow Admins © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 41. Built-In Groups: Permissions Overview  Acco unt Opera to rs : Rea d LAPS a ttribute, a dminis ter do ma in us er a nd gro up a cco unts  Adminis tra to rs : Go d - mo de  B a ckup Opera to rs : Override s ecurity res trictio ns . Allo w lo go n Lo ca lly, lo g o n a s ba tch jo b, s hut do wn the s ys tem  Do ma in Admins : member o f every do ma in - jo ined co mputer ’s lo ca l Admin gro up  E nterpris e Admins : Member o f every do ma in’s Adminis tra to r gro up  Gro up Po licy Crea to r Owners : Ca n crea te a nd mo dify GPOs o n the do ma in  Server Opera to rs : ca n a dminis ter do ma in s ervers  Remo te Des kto p U s ers : Remo tely lo g o n to do ma in co ntro llers in the do ma in.  E xcha nge Gro ups : writeDACL o n ro o t o f do ma in © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 42. What is a Shadow Admin A shadow admin is an account in your network that has sensitive privileges. Typically overlooked because the account is not in a privileged group, permissions for this account were granted directly using ACLs on AD objects. These accounts are highly desirable because they provide admin privileges needed to advance an attack. They are less likely to be watched by audit and logging systems © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 43. Shadow Admins on a Domain * D O M A I N I T U S E R S * D O M A I N H R U S E R M A N A G E M E N T * D O M A I N I T - H E L P D E S K * D O M A I N A C C O U N T M A N A G E M E N T * D O M A I N I T E x c h a n g e * D O M A I N I T U s e r P a s s w o r d R e s e t s * D O M A I N I T S E R V E R A D M I N S * D O M A I N E n t e r p r i s e S e r v i c e s * D O M A I N O f f i c e d e p t A d m i n s * D O M A I N B a s e A d m i n s * D O M A I N C o m p M a n a g e m e n t * D O M A I N E M A I L A D M I N S * D O M A I N C O N TA C T C R E A T O R * D O M A I N C o n t a c t M a n a g e m e n t * D O M A I N C r e d i t _ S U P P O R T * D O M A I N W e b A d m i n i s t r a t i o n * D O M A I N M A I L B O X M G M T * D O M A I N S e r v i c e D e s k * D O M A I N O A D M I N S * D O M A I N V P N A d m i n i s t r a t o r s * D O M A I N A D U s e r C l e a n u p * D O M A I N R & D A D M I N S * D O M A I N E p s i l o n A d m i n s * D O M A I N Z o n e A D M I N S * D O M A I N A D W R I T E R S A d m i n s * D O M A I N F i l e S h a r e A D M I N S * D O M A I N R d r i v e A D M I N S * D O M A I N O d r i v e A D M I N S * D O M A I N S A N A d m i n s * D O M A I N C l o u d a p p s A D M I N S * D O M A I N S E R V I C E N O W A D M I N S * D O M A I N S E R V I C E N O W O U A D M I N S * D O M A I N S E R V I C E N O W G r o u p A D M I N S * D O M A I N I T O U A D M I N S * D O M A I N N e t w o r k Te a m * D O M A I N C l u s t e r 2 A d m i n s * D O M A I N D a t a b a s e D i s k A d m i n s * D O M A I N C l u s t e r A d m i n s © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 44. Finding Shadow Admins © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m https://github.com/davidprowe/AD_Sec_Tools
  • 45. Why Find and Limit # of Admins? Click here to learn more!
  • 46. Forgotten Accounts + Privilege Creep The accounts the attackers are targeting The credentials they want Credentials laying dormant on systems © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 47. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 48. #3 Cached Creds GPO Create GPOs to remove the cached credentials from computers …then reboot © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 49. Cached Credentials?  Computer level setting  Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available) © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 50. Cached Credentials Defaults  Value indicates stored users credentials on device – (10)  Default stored as RC4 hash on system © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 51. Vulnerabilities  Targeted Pass-the-hash -If you can’t crack it, encapsulate and pass it  RC4 Nomore – one type of RC4 Exploit – 52 Hrs to crack  One incident I observed evidence a plaintext password 9 minutes after the hash was compromised © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 52. Playground: Exploit Tools Mimikatz, Impacket, JtR, Hashcat, Ophcrack, Taskmanager… + lsass.exe, Pwdumpx + passwordPro Google for more! © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 53. No Cached Creds: The GPO © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 54. Reporting on Cached Creds © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m  Find machines on the domain that have cached creds enabled  AD_Computer_CachedCredsFind Computers without Cached Cred GPO.ps1
  • 55. Reporting on Cached Creds © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 56. #4 LAPS Local Admin Password Solution – ms-mcs-admpwd Unique passwords for all workstations and servers Prevents lateral movement between machines © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 57. 4 Steps to LAPS Extend schema to support LAPS * Allow computers to write to LAPS attribute Software must be installed on workstations/servers GPO to deploy password settings © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 58. LAPS Steps 1 & 2 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 59. LAPS Steps 3 & 4 © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 60. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 61. #5 Audit & Alert Domain Admin logon Alert of vssadmin create shadow Install Security Tools © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 62. Audit MS Audit Policy Recs: https://goo.gl/uGUL4a Sample: © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 63. Alert Domain Admin logons Vssadmin create shadow on domain controllers *Protect the NTDS.dit *Move the NTDS.dit Domain dumps often start with the vss copy © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 64. Install Security Tools Endpoint Protection Microsoft Advanced Threat Analytics (ATA) Gartner link https://goo.gl/NgWuGK Crowdstrike, CarbonBlack, Cylance, Sophos, Fireeye © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
  • 65. ESAE: 3 Stages, 14 Steps Stage 1: Separate Admin accounts for Wo rks ta tio ns Sepa ra te Admin a cco unts fo r Servers Sepa ra te Admin a cco unts fo r Do ma in Co ntro llers Stage 2: Privileged Acces s Wo rks ta tio ns fo r Admins U nique Lo ca l Pa s s wo rds fo r Servers & Wo rks ta tio ns T ime B o und Privileges J us t E no ugh Adminis tra tio n Lower Attack Surfaces o f DCs : Limit Admins Atta ck Detectio n Stage 3 Mo dernize ro les a nd delega tio n mo del to be co mplia nt with the tiers Sma rtca rd a uthentica tio n fo r a ll a dmins Admin Fo res t fo r AD a dmins W indo ws Defender Device Gua rd Shielded V Ms © 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _ To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s
  • 66. Now what do I do? D e p l o y t h e 5 f r e e s t e p s G u i d a n c e o n F ra m e w o r k s a n d To o l s S e c u r i t y A u d i t s & Ro a d m a p s Secframe.com/about
  • 67. Special Thanks M a r i e D i R u z z a L i s a D i M a u r o N e r c o m p : A m y, A n a n d a , A n d r e a Secframe.com/about
  • 68. Slides available for download at: Secframe.com/presentations

Editor's Notes

  • #26: Add three and label with correct stuff