Pass the Hash Whitepaper v2
CDP-B241
Patrick Jungles, TwC
Mark Simos, MCS
Takeaways
1. Apply Mitigations 1-3
2. Upgrade hosts and domain
3. Build full defenses (IPDRR)
Agenda
• Credential theft attacks
• Review previous mitigations
• Strategies: Identify, Protect, Detect, Respond, Recover
• New features and platform updates
• Scenarios
Assume breach
“There are two types of companies today, those that have been hacked and those that don’t know they’ve been hacked.” [1]
Assumption of breach represents a maturing of defenses to meet this reality and shifts the focus from “if” to “when” an attacker gets inside an organization’s network.
1. http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers
Problem
Get Credentials
• Social engineering and phishing schemes are used to trick personnel and obtain credentials.
• Most organizations do not recognize when attackers are already within the network and have access to information such as emails, confidential documents and other intellectual property.
Get Data
• The attack doesn’t stop there. Attackers look for the next set of credentials with elevated permissions to access servers.
• Once elevated credentials are obtained and servers are compromised, organizations risk losing revenue, brand reputation and business continuity.
Get Control
• The ultimate goal of the attacker may be to gain access to the domain controllers, the central clearing hub for all credentials and identities.
• Once compromised, an attacker has complete control over an entire organization. All assets, intellectual property, physical property and personal information are in jeopardy.
Mitigation 1 - Restrict and protect high privileged domain accounts
Objective: This mitigation reduces the risk that administrators inadvertently expose privileged credentials to higher-risk computers.
How:
• Restrict DA/EA accounts from authenticating to lower trust computers
• Provide admins with accounts to perform administrative duties
• Assign dedicated workstations for administrative tasks
• Mark privileged accounts as “sensitive and cannot be delegated”
• Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers
Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
What’s new: Addition of authentication policies
Mitigation 2 - Restrict and protect local accounts with administrative privileges
Objective: This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
How:
• Enforce the restrictions available in Windows Vista and later versions that prevent local accounts from being used for remote administration.
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges.
Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
What’s new: Built-in SIDs for local accounts and local administrators
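The deny-logon step of Mitigation 2 uses the two well-known SIDs for local accounts (S-1-5-113, local account; S-1-5-114, local account that is a member of Administrators) that the KB2871997 update referenced at the end of this deck introduces. The script below is an added example, not part of the deck: it audits whether both SIDs are present in the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" rights, and with -Enforce merges them into the existing assignments via secedit. It assumes an elevated prompt on a host that has the SIDs (Windows 8.1/2012 R2, or 7/2008 R2 with the update) and that no domain GPO overrides these local settings (if one does, make the change in the GPO instead).

```powershell
# Added example, not from the deck: audit and (with -Enforce) apply the Mitigation 2 logon
# restrictions by adding the well-known local-account SIDs from KB2871997 to the two deny rights.
# Assumes an elevated prompt on Windows 8.1/2012 R2 or a patched Windows 7/2008 R2 host,
# and that domain GPOs do not override these local settings (if they do, set them in the GPO).
param([switch]$Enforce)

$DenyRights = @(
    'SeDenyNetworkLogonRight',            # "Deny access to this computer from the network"
    'SeDenyRemoteInteractiveLogonRight'   # "Deny log on through Remote Desktop Services"
)
$LocalSids = @(
    '*S-1-5-113',   # NT AUTHORITY\Local account
    '*S-1-5-114'    # NT AUTHORITY\Local account and member of Administrators group
)

$work = Join-Path $env:TEMP 'pth-m2'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'
secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null

# Parse "[Privilege Rights]" lines such as:  SeDenyNetworkLogonRight = *S-1-5-113,Guest
$current = @{}
foreach ($line in Get-Content $exported) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

$missing = @{}
foreach ($right in $DenyRights) {
    $have = @($current[$right] | Where-Object { $_ })
    $gap  = @($LocalSids | Where-Object { $have -notcontains $_ })
    if ($gap.Count) { $missing[$right] = $gap }
    '{0}: {1}' -f $right, $(if ($gap.Count) { 'MISSING ' + ($gap -join ', ') } else { 'ok' })
}

if ($Enforce -and $missing.Count) {
    # secedit /configure replaces each listed right wholesale, so merge with what is already there
    $inf = '[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]'
    foreach ($right in $missing.Keys) {
        $merged = @($current[$right] | Where-Object { $_ }) + $missing[$right]
        $inf += '{0} = {1}' -f $right, ($merged -join ',')
    }
    $template = Join-Path $work 'deny-local.inf'
    $inf | Set-Content -Path $template -Encoding Unicode
    secedit /configure /db (Join-Path $work 'deny-local.sdb') /cfg $template /areas USER_RIGHTS | Out-Null
    'Applied. Re-run without -Enforce to verify, then confirm helpdesk remote tools still work.'
}
```

Run it once without -Enforce on a pilot host first: the deny rights also affect legitimate local-account remote administration, which is exactly the behaviour the mitigation intends to remove.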
Mitigation 3 - Restrict inbound traffic using the Windows Firewall
Objective: This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.
How:
• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.
Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.
What’s new: No technical changes
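As an added example of Mitigation 3 (not from the deck), the script below applies the inbound restriction on a domain-joined workstation with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later: it first lists the enabled inbound allow rules that accept any remote address, sets the default inbound action to Block on all profiles, and then adds narrow allow rules only for the trusted sources the deck names. The address ranges and port list are placeholders to be replaced with the real helpdesk, scanner and server ranges.

```powershell
# Added example, not from the deck: Mitigation 3 on a domain-joined workstation using the
# NetSecurity module (Windows 8 / Server 2012 or later, elevated prompt).
# The trusted source addresses and the port list are placeholders for this example.
$Prefix = 'PtH-M3'
$TrustedSources = [ordered]@{
    'Helpdesk workstations' = @('10.10.50.0/24')                # placeholder
    'Compliance scanners'   = @('10.10.60.10', '10.10.60.11')   # placeholder
    'Management servers'    = @('10.10.1.0/24')                 # placeholder
}
# Management ports the trusted sources are expected to reach; trim to what each source really needs
$ManagementPorts = @('135', '445', '3389', '5985')   # RPC, SMB, RDP, WinRM

# 1. Inventory: enabled inbound allow rules open to any remote address are what lateral movement rides on
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$openRules | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

# 2. Default-deny inbound on every profile. Rules from step 1 still match first; in a GPO-managed
#    deployment also set -AllowLocalFirewallRules False so locally created allow rules are ignored.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 3. Narrow allow rules for expected management traffic only, one rule per trusted source
foreach ($source in $TrustedSources.Keys) {
    $name = "$Prefix - $source"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $Prefix -Direction Inbound -Action Allow `
            -Profile Domain -Protocol TCP -LocalPort $ManagementPorts `
            -RemoteAddress $TrustedSources[$source] | Out-Null
    }
}
Get-NetFirewallRule -Group $Prefix | Format-Table DisplayName, Enabled, Action -AutoSize
```

The step 1 inventory is the part to act on: built-in allow rules such as file and printer sharing scoped to any address defeat the default-deny until they are disabled or re-scoped to the same trusted sources.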
Strategies
1. Identify high-value assets
2. Protect against known and unknown threats
3. Detect PtH and other related attacks
4. Respond to suspicious activity
5. Recover from breach
Identify: current environment
• Identify high-value assets
• Consider attacker mindset
• Baseline normal behavior
Protect: against known and unknown threats
• Architect a complete credential theft defense
Figure: where a credential (sample password “AdminPassword!”) lives during its lifecycle: external storage, sign-on, use/cache on client, in transit on network, authoritative store.
• Consider usability a security feature
Protect: production forest
Figure: tiered administration model (columns: admin groups, resources, admin workstations).
Tier 0: Forest/Domain Admins and Groups; Domain Controllers; Admin Workstations
Tier 1: Server Admins and Groups; Admin Workstations
Tier 2: Workstation Admins; Workstations; Admin Workstations
Logon labels in the figure: All Logons Blocked; Tier Logon; Higher Tier Logon; Lower Tier Logon (Only as required by role)
• Create hardened and restricted administrative hosts
• Develop a containment strategy
Detect: PtH and related attacks
• Focus on high-value assets
• Monitor Event IDs of interest
• Collect and correlate events
Respond: to suspicious activity
• Regularly update protection and detection mechanisms
• Follow up on lessons learned
• Closely observe affected hosts
• Ensure attack vectors are properly addressed
Recover: account compromise
• Regain control over accounts: change compromised account passwords, or disable the account and remove its group memberships
Considerations:
• Only effective against future authentication
• Offline attackers can still use cached logon password verifiers
• Attacker may be able to re-obtain the password
• Attacker may persist using malware in the user’s context
Recover: domain compromise
Consider professional incident response services.
Tactical Recovery: a short-term operation designed to disrupt a known adversary operation
• Useful intelligence on the adversary presence
• Stealth operation that the adversary is unaware of
• Properly scoped defender operation
Strategic Recovery: a long-term plan that consists of multiple operations focused on recovering integrity at a high assurance level
• Risk of migration
• Risk of coexistence
• Planned end state
Platform updates
Core platform changes (automatically on)
Availability columns of the original table: Windows 7 / Windows Server 2008 R2; Windows 8 / Windows Server 2012; Windows 8.1 / Windows Server 2012 R2; requires domain upgrade (Windows Server 2012 R2 domain functional level).
• Remove LAN Manager (LM) hashes and plaintext credentials from LSASS: LAN Manager legacy hashes and (reversibly encrypted) plaintext passwords are no longer stored in LSASS
• Enforce credential removal after logoff: New mechanisms have been implemented to eliminate session leaks in LSASS, thereby preventing credentials from remaining in memory
• Logon restrictions with new well-known security identifiers (SIDs): Use the new SIDs to block network logon for local users and groups by account type, regardless of what the local accounts are named
• Restricted Admin mode for Remote Desktop Connection: The Remote Desktop application and service have been updated to support authentication without providing credentials to the remote host
• Protected Users security group: The new Protected Users security group enables administrators to restrict authentication to the Kerberos protocol only for group members within a domain
• Authentication Policy and Authentication Policy Silos: New authentication policies provide the ability to restrict account authentication to specific hosts and resources
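The authentication policy silo feature is what turns the Mitigation 1 rule "restrict DA/EA accounts from authenticating to lower trust computers" into something the KDC enforces rather than a convention. The script below is an added example, not from the deck or from Microsoft's documentation, that builds a Tier 0 silo: a user policy whose claim condition allows a TGT only when the requesting host is itself a silo member, a computer policy for the admin workstations and DCs, and the two-sided membership both objects need. It assumes the ActiveDirectory module, Windows Server 2012 R2 domain functional level, KDC support for claims, compound authentication and Kerberos armoring enabled by GPO on the DCs, and the placeholder account and host names; the policies are created in audit mode (no -Enforce) so a mistake shows up as logged failures rather than locked-out administrators.

```powershell
# Added example, not from the deck: an authentication policy silo confining Tier 0 admin accounts
# to their admin workstations and domain controllers. Assumes the ActiveDirectory module,
# Windows Server 2012 R2 domain functional level, KDC claims/compound auth/armoring enabled on the
# DCs, and the placeholder names below. Policies start in audit mode (no -Enforce).
Import-Module ActiveDirectory
$SiloName = 'Tier0-Silo'                          # placeholder
$Accounts = @('adm-alice', 'adm-bob')             # placeholder Tier 0 admin accounts
$Machines = @('ADMWKS01$', 'DC01$', 'DC02$')      # placeholder admin workstations and DCs

# SDDL with a claim condition: a TGT is issued only when the requesting host is a member of this silo
$FromSiloOnly = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "{0}"))' -f $SiloName

New-ADAuthenticationPolicy -Name "$SiloName-Users" -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromSiloOnly `
    -Description 'Tier 0 admins: 4h TGT, logon only from silo hosts'
New-ADAuthenticationPolicy -Name "$SiloName-Hosts" -ComputerTGTLifetimeMins 240 `
    -Description 'Tier 0 admin workstations and DCs'
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy "$SiloName-Users" `
    -ComputerAuthenticationPolicy "$SiloName-Hosts"

# Membership is two-sided: the silo must permit the principal, and the principal must be assigned to it
foreach ($principal in $Accounts + $Machines) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $principal
    Set-ADAccountAuthenticationPolicySilo -Identity $principal -AuthenticationPolicySilo $SiloName
}

# In audit mode the DCs log logons the policy would have refused under
# Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController. Review those,
# then switch to enforcement with Set-ADAuthenticationPolicySilo -Identity $SiloName -Enforce $true
# (and the same on each policy).
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties * |
    Select-Object Name, Enforce, UserAuthenticationPolicy, ComputerAuthenticationPolicy, Members
```

Because the condition is evaluated by the KDC, the restriction holds for Kerberos only; the accounts should also be in the Protected Users group, as the deck recommends, so that NTLM is not left as a bypass.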
Configurable features
Figure: credentials in memory. Adapted from: Benjamin Delpy, “LSASS security improvements #windows8.1”, https://twitter.com/gentilkiwi/status/352557093640892416/photo/1
Legend: ~ Only if installed; ** Off by default on Windows 8.1 and Windows Server 2012 R2; * Off by default
Sample scenarios
Scenarios covered: Helpdesk; Domain administration; Operations and service management; Service accounts; Business group isolation; Bring your own device (BYOD)
Helpdesk: recommendations
• Separate administrative accounts from user accounts
• Use hardened and restricted hosts
• Limit exposure of administrative credentials
• RDP /RestrictedAdmin
• Tools that only use network logon (Type 3)
• Add accounts to Protected Users security group (if Kerberos only is feasible)
• Create authentication policies and silos (if Protected Users is feasible)
Domain administration: recommendations
• Reduce privileges and privilege use
• Only use DA/EA for DC maintenance and delegation
• Separate administrative accounts from user accounts
• Use hardened and restricted hosts
• Strengthen authentication assurance
• Implement security monitoring
• Add accounts to Protected Users security group (if Kerberos only is feasible)
• Create authentication policies and silos (if Protected Users is feasible)
Service accounts: recommendations
• Grant the least privilege
• Never add to Domain Admins or Enterprise Admins
• Use managed service accounts
• Change passwords regularly
• Strengthen authentication assurance
• Monitor service account activity
• Contain credential exposure
Business group isolation: considerations
• Define use cases
• Use hardened and restricted hosts
• Restrict account logons
• Consider blocking Internet access
• Do not share accounts or passwords
• Ensure unique local administrative passwords on workstations and servers
Bring your own device (BYOD): considerations
• Define use cases and policies
• Ensure risks are understood and accepted
• Do not use BYOD devices for administration
• Ensure that high business impact (HBI) data is not being stored on these devices
• No shared password for corporate and personal accounts
• No use of privileged service accounts on BYOD devices
• Deploy available security policies
• Isolate network access
• Create response/recovery strategies
Next steps
1. Implement strategies: implement mitigations 1, 2 and 3
   1) Restrict DA/EA and other privileged accounts
   2) Deny network logon to local accounts and groups
   3) Restrict inbound access using the Windows Firewall
2. Apply scenario guidance: manage with RDP /RestrictedAdmin; remove service account privileges (e.g. Domain Admins); adopt Protected Users and authentication policies
3. Identify and implement quick wins
References
http://www.microsoft.com/PtH
• Credential Theft Portal: http://www.microsoft.com/PTH
• NIST Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• Credential Theft Mitigation (CTM) Solutions: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
• Update to Improve Credentials Protection and Management: https://technet.microsoft.com/en-us/library/security/2871997.aspx
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.