Technical Writing - A Guide to Kerberos and NTLM

Transcription

1 Et Sikrere Windows Miljø Olav Tvedt Deployment Ranger

2 Agenda LM,NTLM,NTLMv2 og Kerberos Raske Tips For Økt Sikkerhet Network Acces Protection

3 LM, NTLM, NTLMv2, Kerberos LM NTLM NTLM v2 Kerberose

4 An Example LM/NTLM Attack I d like to log on as Mark I d like to log on as Mark challenge=39181 challenge=39181 response=t9$wn You congrats, you re logged in Bad guy response=t9$wn congrats, you re logged in

5 NTLMv2 Forbedrer NTLM/LM svakheten Mer unik hash som er sessjons basert Tids stempel for å forhindre replay

6 Når blir LM, NTLM og NTLM v2 brukt Ved IP kommunikasjon istedet for navn Når Tiden er skjeiv Når klienten ikke er kerberos autentisert - Ikke domene medlem o.l. (rare os;-) - Nettverksenheter (Print server o.l.)

7 Unngå LM og NTLM Group Policies / Computer Configuration / Windows Settings / Security Settings / Local Settings / Security Options Send LM & NTLM responses Send LM & NTLM NTLMv2 if negotiated Send NTLM response only Send NTLMv2 response only Send NTLMv2 response only\refuse LM Send NTLMv2 response only\refuse LM & NTLM

8 Kerberos Active Directory bruker Kerberos hvis mulig Helt anderledes enn LM/NTLM/NTLMv2, basert på RFC 1510 og andre Slide 8

9 Kerberos In Pictures Meet our players TOMSPC KDC Tom wants his DC to log him onto his PC and PS his print server

10 Kerberos In Pictures To accomplish that KDC Tom needs something that gives him the right to talk to those servers Tom s DCs create both kinds of tickets That something is called a ticket; there are two kinds ADMIT ONE Service tickets get Tom access to services, like the workstation service on TOMSPC, or the print server service on PS ADMIT ONE ADMIT ONE ST- TWS ST-PS Ticket Granting Tickets give Tom the right to ask the DC to issue him service tickets ADMIT ONE TGT

11 Kerberos Two tickets, two services First you introduce yourself to the KDC by logging on; you only want to have to do this once a day and so you ask the KDC for a ticket to the KDC that s the Ticket-Granting Ticket That is granted by a piece of the KDC called the Authentication Service or AS Once you ve got a TGT, then you can show the TGT to the KDC and say remember me? Now I need a Service Ticket to such-and-such service Service tickets are issued by a different part of the KDC called the Ticket Granting Service or TGS

12 Kerberos Why not just one type of ticket? A Ticket Granting Ticket is like a Service Ticket in that both are tickets that authenticate you to some service But you usually end up with just one TGT and a bunch of STs The reason for two kinds of tickets: under the hood, Kerberos secures every ticket by encrypting some of its data with a password or key

13 Kerberos The fundamental reason why Kerberos is better Lots of tickets would mean lots of data encrypted with your password and that d mean that attackers would have more data they could use to try to figure out your password So and here s the important part what Kerberos gives you in the TGT is essentially just a password for the day Service ticket-related information is encrypted with the password for the day; only TGT-related information is encrypted with your actual password one transaction per day!

14 Sample klist Output C:\>klist tickets Cached Tickets: (2) Server: KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 2/6/2006 4:10:08 Renew Time: 2/12/ :10:08 Server: KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 2/6/2006 4:10:08 Renew Time: 2/12/ :10:08 C:\> 14

15 So is Kerberos secure? Kerberos depends on a few things A good encryption algorithm The longer the key the better Keys that can t be guessed lousy passwords bad random number generator A secure password store i.e. a physically secure DC

16 Weaknesses? Overall, MS s Kerberos seems quite good RC4 isn t great as a crypto algorithm (DES is also an option for those who want it) but neither is it as weak as some would say, except if bad guys get a lot of crypto messages encrypted with the same key; KDC session keys keep this down. Go to 2008 domain functional level, however, and you'll go to 256-bit AES. I have never heard a complaint about the random number generator

17 Vista/2008 Side-Note If you look at a network trace when Vista or 2008 try to do a Kerberos logon, you'll see that the request to the AS for a TGT always fails the first time Vista/2008 deliberately sends a bad packet to find out whether the DC they're talking to can use AES rather than RC4-HMAC for encryption the "you failed" return message from a 2008 DC includes its available encryption abilities by default

18 Troubleshooting Kerb Events You can set Kerberos to log its activity to the System log Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Add new REG_DWORD value LogLevel, set to 1 Reboot for it to take effect Remember klist and kerbtray as well

19 Creating Kerberos Logs In Parameters, REG_DWORD LogToFile =1 to create an ASCII log file KerbDebugLevel (REG_DWORD) sets the verbosity of the log; Google Kerberos Authentication Tools and Settings for a nifty white paper on all the setting values

20 Raske Tips For Økt Sikkerhet Group Policy settings

21 Group Policy Settings Slå Av Autorun Windows Server 2003 / XP - Computer Policy / Computer Configuration / Administrative Templates / System - Turn off Autoplay Windows Server 2008 / Vista - Computer Policy / Computer Configuration / Administrative Templates / Windows Components / AutoPlay Policies - Turn off Autoplay UAC tuning - Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - User Acces Control:* NTLM tuning -Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - Network Security: LAN Manager Authentication Level - Network Security: Do Not Store LAN Manager Hash Values On Next Password Change

22 Group Policy Settings Bruker tilgang -Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / User Right Assignment - Access this computer from the network Endre lokale grupper Windows Server Computer Policy / Preferences / Control Panel Settings / Local Users and Groups

23 Network Access Protection

24 Hva er NAP Hjelper med å opprettholde health policiene for nettverkstilgang Health policy godkjenning Health policy oppdatering Begrensett tilgang

25 Når bruke NAP Verifisere statusen på bærbare pc er (Roaming) Verifisere statusen på stasjonære pc er Verifisere statusen på gjeste pc er Verifisere statusen på unmanaged hjemme pc er Virker kun for Windows Server 2008, Windows Vista og Windows XP med Service Pack 3

26 Komponenter i NAP Enforcement Servere og Clienter (ES og EC) SHA og SHV (System Health Agents / System Health Validators) Enforcement komponenter og metoder - HRA (Health Registration Authority) - IPSec - IEEE 802.1x - VPN - DHCP NPS (Network Policy Servers) Remediation Servers Begrenset nettverk (Restricted Network)

27 Enforcement Servere og Clienter NAP Kompatible Klinter og Servere: - Microsoft Windows Server Microsoft Windows Vista - Microsoft Windows XP Service Pack 3

28 SHA og SHV Windows Security Health Agents/Validators Firewall Virus Protection Spyware Protection Automatic Updating Security Update Protection SMSSHA (SCCM2007/SMSv4) Tredjeparts SHA f.esk TCASHA (CA, Inc./eTrust) Egne SHA/SHV Bitlocker Strong Password Registry Settings

29 System Health Agents WSHA Firewall Virus Protection Spyware Protection Automatic Updating Security Update Protection SMSSHA (SCCM2007/SMSv4) CASHA (CA, Inc./eTrust) Custom SHA/SHV? Bitlocker Strong Password Registry Settings

30 IPSec IPSec isolering av nettet Bruker HRA health sertifikat for autentisering Sikreste NAP funksjonen Health Registration Authority Windows Server 2008 IIS Klient sertifikater fra CA

31 IEEE 802.1x Authenticating Ethernet Switch IEEE 802.1x Wireless Access Point

32 VPN Ekstra lag i tillegg til vanlig VPN regler Ikke det samme som Network Access Quarantine Control

33 DHCP Minimum 2 serier med addresser - Begrenset nett - Ubegrenset nett Lease og Renewal

34 NPS NAP Policy server Erstatter RADIUS Server AAA - Authentication - Authorization - Accounting

35 Remediation Servers Tilgjengelig i det begrensede nettverket Medisin server Info Til Klienter Typiske Roler: - Dns - Antivirus Server - Wsus

36 Begrenset nettverk Seperat logisk eller fysisk nettverk Innholder: - Remediation Servers - Klienter som ikke oppfylt policy

37 Hvordan virker NAP 3 Policy Servers such as: Patch, AV 1 2 Windows Client 1 DHCP, VPN Switch/Router Client requests access to network and presents current health state DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) 2 MSFT NPS Not policy compliant Policy compliant Restricted Network 3 Network Policy Server (NPS) validates against IT-defined health policy If not policy compliant, client is put in a restricted VLAN and given access to fix up 4 resources to download patches, configurations, signatures (Repeat 1-4) 5 If policy compliant, client is granted full access to corporate network 5 4 Corporate Network Fix Up Servers Example: Patch

38 Hvordan virker NAP

39 Hvordan virker NAP

40 Brukerens opplevelse Forståelige meldinger

41 Brukerens opplevelse Forståelige meldinger

42 Remediation Website