2 Agenda
- Service accounts
- Single sign-on (SSO)
- Impersonation
- Delegation

3 Motivation
- This is where most admins make critical mistakes
- Pass-the-hash is not the problem; the problem is not understanding the authentication mechanisms in use
- Understand the mechanisms and bind yourself to the correct procedures
- Related courses: GOC172 - Kerberos troubleshooting, GOC169 - Auditing ISO 2700x

4 SSO (single sign-on)
- Minimize the use of secret authentication information (ISO/IEC 2700x wording)
- Limits password/PIN exposure: the secret is entered once, not at every application
- Limits users' incentive to store passwords on local systems or write them down

5 Authentication methods in Windows
- Password (single factor)
  - Stored in AD or in the local SAM database as a hash
  - Used by NTLM, Kerberos, AD LDAP simple bind, Digest
- Smart card (multi-factor: possession of the card plus PIN)
  - PKI certificate whose private key is on the card, mapped to an AD user account
  - AD Kerberos only (PKINIT)
- Certificate (single factor when the private key is not stored in a smart card)
  - PKI certificate's private key mapped to an AD user account
  - TLS/SSL client certificate authentication (SCHANNEL)

6 Network authentication against AD

Method        What crosses the wire                                   Protocols using it
Basic         full-text password over a clear or encrypted channel    HTTP Basic, LDAP simple bind, RDP SSO, CredSSP
NTLM          hashed password combined with a random challenge        LM, NTLM/MS-CHAP, NTLMv2/MS-CHAPv2
Kerberos      timestamp encrypted with the hashed password;           Kerberos (password), PKINIT (smart card/certificate)
              or private-key signature of the timestamp (PKINIT)
TLS/SSL       private-key signature of the server's challenge         HTTPS client certificates, EAP-TLS, AD FS
Digest        MD5 of the password combined with a random challenge    HTTP Digest, CHAP, LDAP

Only the Basic group exposes the reusable secret itself to the server; the others prove possession of a hash or a private key, which is why the channel protecting Basic (TLS, CredSSP) matters so much more.
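Added example (not part of the original slides): the table above says which mechanism each protocol uses, but on a live host the question is which ones are actually being used. The script below summarizes successful logons (Security event 4624) by authentication package and, for NTLM, by LM/NTLM V1/NTLM V2 flavour, so that cleartext-over-channel and weak challenge-response logons can be located and replaced by Kerberos. Event ID, field names and logon-type values are the documented Windows ones; the 24-hour window is an assumption chosen for the example.

```powershell
# Added example: which network authentication packages does this host see?
# Run elevated (reads the local Security log). Event 4624 = successful logon.
param([int]$Hours = 24)   # assumption: look back one day

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the fields that tell the mechanisms of the table apart:
#   AuthenticationPackageName : Kerberos | NTLM | Negotiate | ...
#   LmPackageName             : for NTLM logons "LM" | "NTLM V1" | "NTLM V2", otherwise "-"
#   LogonType                 : 3 = network, 10 = RemoteInteractive (RDP), 2 = interactive, ...
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = [int]$d.LogonType
        Package   = $d.AuthenticationPackageName
        LmPackage = $d.LmPackageName
        Source    = $d.IpAddress
    }
}

# Network logons (type 3) that did not use Kerberos deserve a look: something
# prevented Kerberos (missing SPN, IP address instead of host name, non-domain
# client) or the client was configured for NTLM.
$rows | Where-Object { $_.LogonType -eq 3 } |
    Group-Object Package, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# LM and NTLM V1 responses are the weak challenge-response variants of the
# table; list them with their source so the client can be fixed.
$rows | Where-Object { $_.LmPackage -in @('LM', 'NTLM V1') } |
    Sort-Object Time |
    Format-Table Time, User, Source, LogonType, LmPackage -AutoSize
```

Basic authentication (HTTP Basic, LDAP simple bind) does not show up as a separate package here: the server receives the password and performs a normal logon with it, so such logons appear as Kerberos or NTLM type-3 events and must be found on the application side (IIS authentication settings, LDAP simple-bind auditing on the domain controllers).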
11 Service accounts
Services, scheduled jobs and IIS application pools run under some service identity:
- NT AUTHORITY\System
- NT AUTHORITY\Network Service
- NT AUTHORITY\Local Service
- NT SERVICE\* (virtual service accounts)
- IIS APPPOOL\* (application pool identities)
- <domain>\* (domain user accounts, managed service accounts)
Related courses: GOC172 - Kerberos troubleshooting, GOC175 - Advanced Windows security

12 Service identities on Windows XP and later
- SYSTEM
  - member of local Administrators
  - uses COMPUTER$ to access network resources
  - must use Kerberos for that; NTLM carries the computer identity only when the policy "Network security: Allow Local System to use computer identity for NTLM" is enabled
- Network Service
  - member of local Users
  - uses COMPUTER$ to access network resources
- Local Service
  - member of local Users
  - anonymous network access (no credentials at all)

13 NT SERVICE (virtual service accounts)

14 IIS APPPOOL (application pool identities)

15 Isolation

Domain Account                Network Password     Groups          Local Isolation  Network Isolation  Kerberos PAC Validation  OS
NT AUTHORITY\SYSTEM           automatic, 30 days   Administrators  no               MACHINE$           no                       2000
NT AUTHORITY\Network Service  automatic, 30 days   Users           no               MACHINE$           no                       XP
NT AUTHORITY\Local Service    no                   Users           no               anonymous          no                       XP
NT SERVICE\<servicename>      automatic, 30 days   Users           yes              MACHINE$           no                       Vista / 2008
IIS APPPOOL\<apppoolname>     automatic, 30 days   Users           yes              MACHINE$           no                       Vista / 2008
<domain>\<username>           manual               Users           yes              yes                yes                      2000
<domain>\<managedsvcaccount>  automatic, 30 days   Users           yes              yes                no                       2008 R2
<domain>\<groupsvcaccount>    automatic, 30 days   Users           yes              yes                no                       (not given)

Reading the table: "Local Isolation" says whether each service gets its own SID on the host (SYSTEM, Network Service and Local Service are shared by every service using them), "Network Isolation" says what identity the service presents on the network (MACHINE$ means all such services on the host are indistinguishable to remote servers), and "Network Password" says who rotates the secret. Only the plain domain user account needs a manually maintained password; the managed and group managed service accounts keep the per-service network identity of a domain account with the automatic 30-day rotation of a computer account.
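Added example (not part of the original slides) covering slides 12 and 15: a PowerShell inventory of the identity each service and IIS application pool runs under, classified by the rows of the isolation table, followed by the migration of one service from a manually maintained domain user account to a group managed service account (gMSA). It assumes the RSAT ActiveDirectory module, a KDS root key in the domain, and the names CORP, svc-web, WEB01/WEB02, web.corp.example and MyWebService, all of which are hypothetical.

```powershell
# Added example: inventory service identities, then move one service to a gMSA.
# Assumptions: RSAT ActiveDirectory module; KDS root key exists in the forest;
# CORP, svc-web, WEB01$, WEB02$, web.corp.example, MyWebService are placeholders.
Import-Module ActiveDirectory

# --- 1. Classify a Win32_Service.StartName by the rows of the isolation table ---
function Get-ServiceIdentityClass {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'SYSTEM (local Administrators, MACHINE$ on the network)'; break }
        '^NT AUTHORITY\\NetworkService$'       { 'Network Service (Users, MACHINE$ on the network)'; break }
        '^NT AUTHORITY\\LocalService$'         { 'Local Service (Users, anonymous on the network)'; break }
        '^NT SERVICE\\'                        { 'Virtual service account (own SID, MACHINE$ on the network)'; break }
        '^IIS APPPOOL\\'                       { 'App pool identity (own SID, MACHINE$ on the network)'; break }
        '\$$'                                  { 'Managed service account (automatic password)'; break }
        default                                { 'User account (manual password)' }
    }
}

$services = Get-CimInstance Win32_Service |
    Select-Object Name, StartName, State,
        @{ n = 'Class'; e = { Get-ServiceIdentityClass $_.StartName } }
$services | Sort-Object Class, Name | Format-Table Name, StartName, Class -AutoSize

# IIS application pools, if the WebAdministration module is present
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools |
        Select-Object Name,
            @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
            @{ n = 'UserName';     e = { $_.processModel.userName } } |
        Format-Table -AutoSize
}

# Domain user accounts used as service identities: report the password age,
# because nothing rotates these passwords except the admin who set them.
foreach ($s in ($services | Where-Object { $_.Class -like 'User account*' })) {
    if ($s.StartName -match '^(?<dom>[^\\]+)\\(?<user>[^\\]+)$' -and
        $Matches.dom -ne '.' -and $Matches.dom -ne $env:COMPUTERNAME) {
        $u = Get-ADUser -Identity $Matches.user -Properties PasswordLastSet, PasswordNeverExpires `
                        -ErrorAction SilentlyContinue
        if ($u) {
            [pscustomobject]@{
                Service         = $s.Name
                Account         = $s.StartName
                PasswordAgeDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                NeverExpires    = $u.PasswordNeverExpires
            }
        }
    }
}

# --- 2. Replace a domain user account by a gMSA (run as a domain admin) ---
# Once per forest, before any gMSA can be created:  Add-KdsRootKey -EffectiveImmediately
$gmsa  = 'svc-web'                 # assumption
$hosts = 'WEB01$', 'WEB02$'        # assumption: computer accounts allowed to retrieve the password
New-ADServiceAccount -Name $gmsa -DNSHostName "$gmsa.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ServicePrincipalNames 'HTTP/web.corp.example'   # SPN so clients can use Kerberos

# On each host listed above: install the account and verify password retrieval works.
Install-ADServiceAccount -Identity $gmsa
Test-ADServiceAccount -Identity $gmsa             # True when this host can fetch the password

# The gMSA also needs the "Log on as a service" right on the host (SeServiceLogonRight),
# normally granted by group policy; the Services console grants it, Win32_Service.Change does not.
# Point the service at the gMSA: the account name ends with '$', the password is left empty.
$svc = Get-CimInstance Win32_Service -Filter "Name = 'MyWebService'"   # assumption
Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = "CORP\${gmsa}$"; StartPassword = '' }
Restart-Service -Name 'MyWebService'
```

After the switch the service appears in the table's <domain>\<groupsvcaccount> row: it keeps a distinct domain identity on the network (so SPNs, ACLs and auditing can single it out), the host fetches a new password from the KDS every 30 days, and no administrator ever knows the password, which removes the main way such credentials end up in scripts and tickets.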
16 Impersonation and access token
(Diagram.) The client's access token is built by LSASS from its local groups/SIDs plus the groups carried by the authentication protocol (Kerberos, NTLM or SChannel) and its credentials; clients such as Outlook, Internet Explorer and Explorer carry it in-band over HTTP, SMB or DCOM to servers (SMB server, web server, SQL Server, Exchange), which after authenticating the client build a token for it and use that token for access checks against the database, the registry and NTFS, consulting LSASS and AD for group membership.

17 User right: Impersonate a client after authentication (SeImpersonatePrivilege)
A server process needs this right to take the authenticated client's token and run under it; without it the process can only identify the client, not act as the client.
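Added example (not part of the original slides): a check of who holds the "Impersonate a client after authentication" right on a host. Any process running under one of these identities can, once a client has authenticated to it, use the client's token for its own access checks, so the right should stay with the default holders (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE; virtual service accounts and IIS application pool identities are covered by SERVICE). The temporary file name is an assumption; secedit, whoami and the SID translation are standard Windows facilities.

```powershell
# Added example: list the holders of SeImpersonatePrivilege on this host and
# flag anything beyond the Windows defaults. Run elevated.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'          # assumption: temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported line looks like:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -Force

$holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object {
    $v = $_.Trim()
    if ($v.StartsWith('*')) {
        # entries prefixed with '*' are SIDs; translate them to names where possible
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $v.TrimStart('*')
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    } else {
        $v   # secedit writes some well-known entries as names already
    }
}

# Default holders documented by Microsoft for this user right
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SERVICE',
            'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'

foreach ($h in $holders) {
    $flag = if ($h -in $expected) { 'default' } else { 'EXTRA - review who runs code under this identity' }
    '{0,-45} {1}' -f $h, $flag
}

# Does the current process hold the privilege, and is it enabled?
whoami.exe /priv | Select-String 'SeImpersonatePrivilege'
```

Granting this right to a plain user or to an application account in order to make some application "work" is one of the mistakes the motivation slide has in mind: every client that authenticates to a process under that account can then be impersonated by it.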