1 How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise An Approach Based on Real-World Expertise Friedwart Kuhn, Digital unterschrieben von Friedwart Kuhn DN: c=de, o=ernw Enno Rey Netzwerke GmbH, cn=friedwart Kuhn, givenname=friedwart Nikodemus Michael, sn=kuhn, serialnumber=dtrwm Datum: :12:04 +01'00'
4 #4 Medium-Large Enterprises Firewall Intrusion Detection Anti Spam Antivirus for Mail Web Security * virus hits Antivirus Desktop Firewall > unwanted attempts / day 3,1 Mio* spam s * virus infected s 4.500* infections Content Security Perimeter Security Provider managed environment Endpoint Security Secure Connectivity Internal Security * connections Remote Access Encryption Access control Rights Management * figures per month
5 #5 Do you think it might be possible that one of your Windows systems in Active Directory is compromised?
6 #6 Do you think you are protected against Pass-the-$ attacks? Do you know about Golden Tickets?
11 #11 Pass the Hash in 48 hours (or less) 1. Attacker targets workstations en masse 2. User running as local admin is compromised, attacker harvests credentials 3. Attacker uses credentials for lateral movement or privilege escalation 4. Attacker acquires domain admin credentials 5. Attacker exercises full control of data and systems in the environment Source: Mark Simos, Nicholas DiCola; TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
12 #12 Number of breaches per threat action category over time : DBIR 2014
13 #13 : DBIR 2014
14 #14 How do you communicate this to the management?
15 #15 So, let s start ;-)
16 #16 Authentication in Windows
17 #17 Security Subsystem Architecture Ensures authentication and authorization Components run in the context of the lsass.exe Includes Kerberos v5 authentication protocol NTLM authentication protocol LSA Server service And others
18 #19 LSA Protection Mechanisms Cryptomaterial (credentials, keys, etc.) in memory is encrypted, but in a reversible fashion Encryption is symmetric, keys are also in memory in the LSASS process Of particular interest: Password hashes Encryption keys Kerberos tickets
19 #20 Local LM/NTLM Authentication Administrator: LSASS (msv1_0.dll) LM : daf637eb992bce6e63272efef04def49 NTLM : 8b763234bce9ac475f9b26ffc SAM Database User
20 #21 Kerberos Authentication protocol for mutual authentication between client/server or server/server Used to access a service on a remote system Three integral parts: Key Distribution Center (KDC) Client user Server with the desired service/resource KDC part of the Domain Controller; performs two service functions: Authentication Service (AS) Ticket-Granting Service (TGS) Three different symmetric encryption keys are relevant in the process
21 #22 Kerberos Keys KDC long-term key (Domain key) Derived from krbtgt account password Usage: Ticket-Granting Ticket (TGT) encryption Sign token information, the so called PAC Client long-term key Derived from user/computer account password Usage: AS-REQ time stamp encryption Session key encryption Server/service long-term key Derived from computer account password Usage: Service Ticket encryption Countersign PAC in Service Ticket
22 #23 Microsoft Kerberos PAC Privileged Account Certificate (PAC) Extension element of the authorization-data field in Kerberos tickets Contains authorization-related information for Windows security principles: SIDs and RIDs Group membership User profile information (home directory or logon scripts) Password credentials Security privileges Signed with the KDC long-term key and the service longterm key
23 #24 Kerberos Authentication Overview LSASS (kerberos.dll) User Administrator: * Long Term User Key List : aes256_hmac e0b61d f8de01092e f6ecf539681dc1100fd02bcaffdec aes128_hmac 137dd845f8e47bb64249a80dc98cc807 rc4_hmac_nt 8b763234bce9ac475f9b26ffc Depending on the encryption type (AES, CBC, RC4, ) used in the authentication process, different keys are needed DES-CBC-MD5 and DES- CBC-CRC deactivated by default on Windows 7/Server 2008 R2 The key for RC4-HMAC is specified by [RFC4757] as [ ] the existing Windows NT key (NT Password Hash) for compatibility reasons KDC KDC TGT Service Ticket (5) Usage
24 #29 2 Important Conclusions 1. Who is the trust anchor in Active Directory 2. Which credentials are in which way stored/accessible in Windows memory
25 #30 The Trust Anchor Remember: the KDC creates the PAC (contains information about how powerful the user is (his privileges, group memberships etc.) and signs it with the KRBTGT s NTLM hash $Domain KRBTGT $Root Domain $Domain KRBTGT s NTLM hash = central trusted token stamping authority = trust anchor of the domain Keep this in mind, we will come back to this later ;-)
26 Credentials/Credential Material in LSASS #31 Primary CredentialKeys tspkg wdigest kerberos LM NTLM SHA1 NTLM SHA1 Root DPAPI off on off on pass 1 PIN 4 tickets ekeys Local Account 2 Domain Account 2 5 Local Account Domain Account Microsoft Account Local Account Domain Account Windows XP/2003 Windows Vista/2008 & 7/2008r2 Windows 8/2012 Windows 8.1/2012r2 Microsoft Account 3 3 Local Account Domain Account 3 3 Domain Protected Users 3 3 livessp ssp dpapi credman 6 Microsoft Account Local Account Windows 8.1 vault for user's authentication not applicable 1. can need an unlock on NT5, not available with smartcard PIN Picture Fingerprint data in memory 2. tspkg is not installed by default on XP, not available on 2003 code pass gestures pass pass no data in memory 3. tspkg is off by default (but needed for SSO with remoteapps/ts), wdigest too 4. PIN code when SmartCard used for native Logon 5. PIN code is NOT encrypted in memory (XP/2003) 6. When accessed/used by owner 7. When local admin, UAC and after unlock Source: Benjamin Delpy,
27 #32 Ubuntu Kerberos Client (MIT) Client caches tickets in a file In /tmp One file per user User has full access to all his tickets In Windows users cannot export their tickets by default Root user has access to all ticket caches of all users Tickets can be easily extracted an reused in e.g. mimikatz
28 #33 Credential Theft and Reuse
29 #34 Pass-the-Hash LM/NTLM Authentication Administrator: LSASS (msv1_0.dll) LM : daf637eb992bce6e63272efef04def49 NTLM : 8b763234bce9ac475f9b26ffc User PtH: Reuse of valid password hashes as a credential equivalent to authenticate to a remote server/service LSASS (msv1_0.dll) Administrator: LM : daf637eb992bce6e63272efef04def49 NTLM : 8b763234bce9ac475f9b26ffc b763234bce9ac47 5f9b26ffc
30 #35 Pass-the-Ticket: TGT LSASS (kerberos.dll) Administrator: * Long Term User Key List : aes256_hmac e0b61d f8de01092e f6ecf539681dc1100fd02bcaffdec aes128_hmac 137dd845f8e47bb64249a80dc98cc807 rc4_hmac_nt 8b763234bce9ac475f9b26ffc TGT PtT: Reuse of valid Kerberos tickets to receive Service Tickets or access Kerberos services directly TGT Service Ticket (5) Usage KDC KDC
31 #36 Pass-the-Ticket: Service Ticket LSASS (kerberos.dll) Service Ticket Administrator: * Long Term User Key List : aes256_hmac e0b61d f8de01092e f6ecf539681dc1100fd02bcaffdec aes128_hmac 137dd845f8e47bb64249a80dc98cc807 rc4_hmac_nt 8b763234bce9ac475f9b26ffc Service Ticket (5) Usage KDC KDC
32 #37 Export Kerberos Tickets They can be used ;-) (for 10h)
33 #38 Summary Pass-the- Ticket Several ways to obtain Kerberos tickets Can be used to impersonate other users TGT and Service Ticket both have time restrictions Full impersonation of a user for up to 10 hours (default lifetime of TGTs) Access to a service for up to 10 hours (default lifetime of Service Tickets) so, why not create our own tickets?
34 #39 Self-made Kerberos Tickets
35 #40 Golden Ticket Self-made Ticket Granting Ticket (TGT) It s done with a lot of love <3 (Credit goes to Benjamin ;-)) Requires the KDC long-term key (krbtgt key/hash) from the Domain Controller _NOT_ made by the KDC Variable life time (e.g. 10 years) Not limited by security settings (e.g. Group Policy settings) PAC can have arbitrary attributes (e.g. User name, user RID, group membership) Smart card independent
36 #41 Remember ;-) The KDC long-term key (krbtgt key) is the primary trust anchor in a Kerberos environment Compromise of the krbtgt means compromise of the whole Domain KRBTGT $Root Domain $Domain $Domain Krbtgt key is generated once and does not change automatically Only changes during an upgrade of the Domain Functional Level from NT5 -> NT6 Windows Server 2000/2003 to Server 2008/2012 An upgrade from Server 2008 to 2012 does _NOT_ change the value Previous krbtgt key is also valid!
37 #42 Golden Ticket Prerequisites KDC long-term key, RC4 (NTLM hash) or AES Available through different tools/techniques: Domain SID Domain Name Online: From DC memory with mimikatz (see example) Offline: From ntds.dit dump, task manager lsass.exe dump mimikatz # lsadump::lsa /inject /name:krbtgt Domain : BSC / S RID : f6 (502) User : krbtgt * Primary LM : NTLM : 14057bb953e6252fed b3f8190 * Kerberos-Newer-Keys Default Salt : BSC.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 16f13f49a9918f0f c dba8ed2d2727efa1d946cfe9bfb53b95 aes128_hmac (4096) : f15a9b2cbb40e81a09bda8a039e83181 des_cbc_md5 (4096) : 6dd3c101292ca154
38 #43 Capabilities of Golden Tickets Create TGTs for: Existing user accounts with valid group membership Impersonate any user on the domain Existing user accounts with arbitrary group membership Impersonate any user on the domain and join any domain group (e.g. Domain Admins) Non-existing user accounts with arbitrary group membership User Eve as Domain Administrator Existing but disabled user accounts Be creative ;)
39 #44 I like this one ;-) Thx, Benjamin ::
40 #45 And now???
41 #46 Mitigations
42 #47 So what to do? To prevent/mitigate credential theft and PtH in your environment The short version The more comprehensive version
43 Mitigations --The 2-Slider ;-) (1/2) In 3 major steps : Reorganization of administrative practice /management of Active Directory and business critical services Complement reorganization of Active Directory management with some PtHspecific controls Implement appropriate Active Directory security logging & monitoring Comparably small investment in new hardware and software #48
44 #49 (2/2) This will _not_ require spending money for additional $Hardware & $Software The small print: But you will most probably need more administrative /operational resources
45 #50 That s it! You are done ;-) Management will understand this? At least, they will understand the second slide. So don t forget the small print. Remember what Haroon said about information asymmetry Easy task?
46 #51 Mitigations the More Comprehensive Version ;-)
47 #52 Mitigations Overview High level steps Precondition Design & Organizational Controls Technical Controls 1. Identify business critical systems & applications and services 2. Have processes in place (patch mgmt & so on ) 3. Design & implement administration model & tiers 4. Implement ESAE forest 5. Implement secure Domain Controllers 6. Implement secure domain members 7. Implement MARS 8. Implement technical controls to prevent a. Credential theft b. Unauthorized credential use 9. Implement Active Directory security logging & monitoring
48 #53 Design & Implement Administration Model and Tiers See 
49 #54 Design & Implement Administration Model and Tiers Considerations (might be recommendations): Implement at least 3 tiers Domain Controllers Servers with compartments between business critical services/server and other member servers Clients Each tier might have more than one compartment Separate internal Active Directory (forest) from DMZ Active Directory (forest)
50 #55 Design & Implement Administration Model and Tiers See 
51 #56 How the Model Works Each administrative resource (group, account, servers, workstation, Active Directory object, or application) has to be classified as belonging to only one tier. Personnel with responsibilities at multiple tiers must have separate administrative accounts created for each required tier. Any account that currently logs on to multiple tiers must be split into multiple accounts, each of which fits within only one tier definition. These accounts must also be required to have different passwords.
52 #57 How the Model Works Administrative accounts may not control highertier resources through administrative access. Accounts that control a higher tier may not log on to lower-tier computers. Administrative accounts may control lower-tier resources as required by their role, but only through management interfaces that are at the higher tier and that do not expose credentials. Example: domain admin accounts (tier 0) managing server admin Active Directory account objects (tier 1) through Active Directory mmc consoles on a domain controller (tier 0).
53 #58 How the Model Works Limit the number of administrative accounts, especially in tier 0. The schema admin group should have members only on demand. Limit the number of hosts on which administrative credentials are exposed. Limit administrative role privileges to the minimum required.
54 #59 How the Model Works Create a special group with the debug privilege and grant membership to this group only on demand. Administrative accounts should not be member of this group by default. Restrict and protect high privileged domain accounts, so that: Domain admins (tier 0) cannot log on to enterprise servers (tier 1) and standard user workstations (tier 2). Server administrators (tier 1) cannot log on to standard user workstations (tier 2). (users, computers) so that they can not be delegated
55 #60 How the Model Works Restrict and protect local accounts with administrative privileges from being used for PtH Enforce local account restrictions for remote access Deny network logon to all local accounts Create unique passwords for privileged local accounts or use a 3 rd -party vendor solution for local account management.
56 A Simple Proposal Define admin tiers for 1. DCs 2. Servers. With admin compartments for: 1. Business critical systems 2. Windows-based servers 3. Linux/UX servers in AD 3. Desktops /Laptops #61
57 #62 Administrative Tier Model at Your Org. Pre-condition Re-org. of AD administration Identification of business critical systems & applications Pro Best security benefit Future (Windows) administration model Challenges Requires modification in admin mindset Admins will have more accounts and hence higher operational effort Services with domain admin privileges undermine admin tiering Alternatives none
58 #63 Build it by your own. Don t buy it. (Haroon Meer, Troopers 2015)
59 #64 ESAE Forest
60 #65 ESAE Forest You might be willing to implement an ESAE forest. Service offered by Microsoft. From 
61 #66 ESAE Forest Pre-condition Re-org. of AD administration Implementation of administrative tiers Pro Cons Additional layer of security for high privileged admin accounts SCOM monitoring with special package for monitoring of changes of authentication packages on DCs in the production domain Supposes that the trust anchor of a forest are the Admins. Does not add an additional layer of security for the KRBTGT account. Adds administrative and operational complexity
62 #67 Secure DCs & Domain Members Security best practices for domain members Have OS _and_ application software up-to-date (patch & vulnerability management) I won t speak about passwords You know that one ;-) (but keep them long an complex anyway ) Have special look at service accounts Have UAC enabled at least at its default configuration Have DEP enabled & EMET deployed on as much systems as possible At least on clients and DCs and IIS (Web servers) Have a look on additional NTFS permissions Implement restricted groups for privileged local accounts Don t give admins by default the debug privilege
63 #68 Valuable Recommendations on Service Accounts. Read this ( docs/doc-2881 ).
64 #69 PtH /PtT /Golden Ticket Mitigations
65 #70 PtH /PtT /Golden Ticket Mitigations There is not so much to do extra ;-) 1. Do the stuff already mentioned Orga & technique 2. Reset KRBTGT account on a regular basis 02/11/krbtgt-account-password-resetscripts-now-available-for-customers/ 3. Do Active Directory security monitoring
66 #71 Overall Evaluation Table of Mitigations Mitigation Comment Security Benefit Operational Feasibility Mitigates Cred. Theft Mitigation Prevention Mitigates Cred. Use Mitigation Prevention Mitigates Priv. Esca. Mitigation Prevention Mitigates Lat. Movement Mitigation Prevention Effective against mimikatz Facilitates Sec. Monitoring Must Have Recommended Admin Tiering /Credential Partitioning ESAE Forest Secure Administration Hosts Periodical KRBTGT Reset Req.1: Restrict & protect high privileged domain accounts from logon to lower tiers: deny logon locally, deny logon as a batch job, deny log on as a service; account is sensitive and cannot be delegated. Req.2: Restrict & protect local accounts with admin privileges from being used for PtH: Enforce local account restrictions for remote access, Deny network logon to all local accounts, Create unique passwords for privileged local accounts. excellent low no yes yes yes (requires compartments within tier) no yes yes Makes only sense together with Admin Tiering high medium yes no yes no no yes yes Secure administration hosts are possible even without admin tiering, but full benefit requires admin tiering. high medium yes no yes no no a little bit ;-) for DC tier for server (& workstation tier) high Should be low, but little experience no yes (against existing GTs) yes (against existing GTs) yes (against existing no (but restricts GT GTs) use) yes yes (assume breach)
67 3/24/2015 #72 There s never enough time THANK YOU...for yours!
68 Disclaimer All products, company names, brand names, trademarks and logos are the property of their respective owners!
69 #74 Backup
70 #75 An Overall Evaluation of Controls For PtH/PtT/Golden Ticket-specific Attacks
71 Implement Technical Controls to prevent credential theft & unauthorized credential use To be discussed or evaluated in your Org.: Each control has to be evaluated with reference to: Security benefit Operational feasibility User acceptance Cost estimate #76
72 #77 PtH/PtT Specific Controls Short Version For a 2008 R2- /Win 7-based infrastructure with DLF 2008 R2. (Newer OS versions might be part of the domain and take advantage of some mitigations that require Server 2012 R2 /Windows 8.1) Implement Admin Tiering with Logon restrictions for high privileged domain accounts & local accounts with admin privileges & well known SIDs Implement secure admin hosts Use remote management tools that do not place reusable creds in remote computers memory Implement services hardening Reset KRBTGT account Enforce credential removal after logoff Remove LM Hashes from LSASS Remove plaintext creds from LSASS for domain accounts LSA Protection Restrict debug privilege
73 PtH/PtT Specific Controls Short Version For a relative homogeneous environment with: - Windows Server 2012 R2 & Windows DLF = Windows Server 2012 R2 Protected Users security group Authentication Policy and Authentication Policy Silos Implement additionally #78
74 #79 Conclusion on the Technical Controls to prevent credential theft & unauthorized credential use Pre-condition Pro Classic DC/server/client hardening etc. Some technical controls with security benefit (e.g. logon restrictions f. privileged accounts) Challenges Some controls require big evaluation effort (e.g. deactivation of NTLMv1) or are useless (Restricted Admin Mode for RDP)
75 #80 How You Might Communicate ALL this With a risk analysis & High level benefits summary
76 #81 Risk Assessment Current Risks Evaluated Threat Vulnerability (Description) Primary Security Concern Probability Vulnerability Impact Risk Disclosure of confidential and pii data (= personenbezogenen Daten im Sinne des BDSG) allover rated (not only a certain type of data) Disclosure of arbitrary user mails Disclosure of arbitrary Classified Person mails Disclosure of Classified Person data (PowerPoint, Excel, Word, PDF etc.) Disclosure of encrypted mails of Classified Person Identity theft and use (pretend being a Classified Person via: mail, digital signature) Disclosure of classified or stricktly confidential data (patents, strategy plans, finance etc.) No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration C C C C C I C
77 #82 Risks Before and After Admin Tier Model + AD Hardening Main Technical Threat Threat Vulnerability (Description) Risk Mitigated Risk Vertical privilege escalation Vertical privilege escalation Vertical privilege escalation Vertical privilege escalation Vertical privilege escalation Vertical privilege escalation Vertical privilege escalation Disclosure of confidential and pii data (= personenbezogenen Daten im Sinne des BDSG) allover rated (not only a certain type of data) Disclosure of arbitrary user mails Disclosure of arbitrary Classified Person mails Disclosure of Classified Person data (PowerPoint, Excel, Word, PDF etc.) Disclosure of encrypted mails of Classified Person Identity theft and use (pretend being a Classified Person via: mail, digital signature) Disclosure of classified or stricktly confidential data (patents, strategy plans, finance etc.) No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration No admininistrative boundaries between DC administration, server administration and client administration
78 #83 Benefits Robust and industry standard like organization of operation: Secure operation of Active Directory and business critical services Sustainable operation on a long-term basis Leading by example
79 #84 Questions & Answers
80 #85 Literature     Microsoft Solutions for Security and Compliance. Windows Server 2003 Security Guide, 2006,  Mitigating Service Account Credential Theft on Windows,  KRBTGT reset script & information:  Protection from Kerberos Golden Ticket: SWP_14_07_PassTheGolden_Ticket_v1_1.pdf
81 #86 Literature : 2014 Data Breach Investigations Report (DBIR),
82 #88 Recommendations from Microsoft From their PtHv2 paper, see 
83 #89 Microsoft Backpedals The default behavior for Restricted Admin mode changed in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. By default, Restricted Admin mode is now turned off, and you have to enable it again after you install update or if it is required. Previously, Restricted Admin mode was turned on by default. Source:
84 #90 Mitigation against a Golden Ticket Recovering from a Golden Ticket is very difficult, if possible at all (because rebuilding your complete AD wouldn t be an option, right?)
85 #91 Mitigation against a Golden Ticket Reset KRBTGT s password Possible implications TGTs get invalidated, so that: End-users including smart-card users will be automatically requested to authenticate to receive a new valid ticket Services and applications that require manual startup with a password and use Kerberos may stop working properly until next manual restart. Requesting new TGTs may cause some load on the DC The exact impact level will depend on the criticality of the related users, services and applications Until now, little known experience about this, but following the right procedure, it shouldn t have a great impact.
86 Mitigation against a Golden Ticket Resetting procedure Microsoft recently released a script with some additional information, see . Detailed information is provided as well by the CERT-EU, see  #92
Pass-the-Hash II: Admin s Revenge Skip Duckwall & Chris Campbell Do you know who I am? Skip Co-presented PTH talk last year at BH, Derbycon http://passing-the-hash.blogspot.com @passingthehash on twitter
Michael Mayer-Gishyan NSA IT Consulting e.u. @mike_srv02 firstname.lastname@example.org http://nsa.co.at From Zero to Hero Domain Admin in einem Tag Agenda Vita Introduction to NTLM and Kerberos Pass-the-Hash Techniques
WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING Authors: Tal Be ery, Sr. Security Research Manager, Microsoft Michael Cherny, Sr. Security Researcher, Microsoft November
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques Mitigating the risk of lateral movement and privilege escalation Mitigating Pass-the-Hash (PtH) Attacks and Other Credential
Managing Local Administrator Passwords with LAPS 2015 PENN STATE SECURITY CONFERENCE DAN BARR DRB45@PSU.EDU SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY The Shared Password Threat Shared passwords
Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication
Internal Penetration Test Agenda Time Agenda Item 10:00 10:15 Introduction 10:15 12:15 Seminar: Web Application Penetration Test 12:15 12:30 Break 12:30 13:30 Seminar: Social Engineering Test 13:30 15:00
Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection Whitepaper Author: Sean Metcalf CTO Dan Solutions, Inc. email@example.com www.dansolutions.com ADSecurity.org Contents Introduction...
Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible
Protection from Kerberos Golden Ticket Mitigating pass the ticket on Active Directory CERT-EU Security White Paper 2014-07 1 Introduction Kerberos authentication protocol is the preferred authentication
Why You Need to Detect More Than PtH Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7 Who We Are! Matt Hathaway Senior Product Manager for Rapid7 UserInsight Former
Pass-the-Hash: How Attackers Spread and How to Stop Them SESSION ID: HTA-W03 Mark Russinovich Technical Fellow Microsoft Corporation Nathan Ide Principal Development Lead Microsoft Corporation Pass-the-Hash:
Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com DAnSolutions.com ADSecurity.org ABOUT Chief Technology Officer
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security
National Security Agency/Central Security Service Information Assurance Directorate Reducing the Effectiveness of Pass-the-Hash November 19, 2013 Revision 1 A product of the Network Components and Applications
Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHOR S AND DOES NOT NECESSARILY REPRESENT THE
SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE Copyright 1998-2015 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form
Five Steps to Improve Internal Network Security Chattanooga ISSA 1 Find Me AverageSecurityGuy.info @averagesecguy firstname.lastname@example.org github.com/averagesecurityguy ChattSec.org 2 Why? The methodical
Security Overview for Windows Vista Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation Agenda User and group changes Encryption changes Audit changes User rights New and modified
University of Maryland Active Directory Policies Purpose of this policy Scope AD Forest Forest Schema & Data Visibility Account and Group Synchronization Account Creation and Password Forest Security Principle
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
INTEGRATION GUIDE Check Point FDE integration with Digipass Key devices 1 VASCO Data Security Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
Chapter 4 Configuring Authentication for Microsoft Windows In this chapter: Storing and Transmitting Credentials..............................69 Storing Secrets in Windows......................................83
Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005 Revision 1.3: Cleaned up resources and added additional detail into each auditing table. Revision 1.4:
Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.
70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1 Agenda Evolution of Threats Client vs. Server Security Operating System
Windows Advanced Audit Policy Configuration EventTracker v7.x Publication Date: May 6, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This document describes auditing
Admin Report Kit for Active Directory Reporting tool for Microsoft Active Directory Enterprise Product Overview Admin Report Kit for Active Directory (ARKAD) is a powerful reporting solution for the Microsoft
Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com http://dansolutions.com http://www.adsecurity.org ABOUT Chief
Windows Log Monitoring Best Practices for Security and Compliance Table of Contents Introduction... 3 Overview... 4 Major Security Events and Policy Changes... 6 Major Security Events and Policy Changes
Page 1 Product Bulletin What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4 This document lists the new features available in Version 6.4 of the Secure Access SSL VPN product line. This
Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Lotus Domino is inherently secure...a Misconception!!! Security is Not Automatic!!!! Slide #2 Security Requires Planning Design
NETWRIX IDENTITY MANAGEMENT SUITE FEATURES AND REQUIREMENTS Product Version: 3.3 February 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
Kaspersky Endpoint Security 10 for Windows Deployment guide Introduction Typical Corporate Network Network servers Internet Gateway Workstations Mail servers Portable media Malware Intrusion Routes Viruses
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
IT 4823 Information Security Administration Securing Operating Systems June 18 Security Maintenance Practices Basic proactive security can prevent many problems Maintenance involves creating a strategy
Why alone is not enough CenterTools Software GmbH 2013 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
About Microsoft Windows Server 003 Windows Server 003 (WinK3) requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the Windows Server operating system
Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by
Windows 7 Qing Liu Qing.Liu@chi.frb.org Michael Stevens Michael.Stevens@chi.frb.org 1 Overview 1. Financial Institution s Preliminary Steps 2. User Interface 3. Data Protection 4. User and Group Changes
Kerberos Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?). 1 Kerberos Kerberos is an authentication protocol and a software suite implementing this
Objectives Windows 7 Security By Al Fall 2014 CS 140M LBCC Background Windows Security Architecture Windows Vulnerabilities Means of Evaluating Metrics System Hardening Windows Defenses OS Security Capabilities
Enterprise SSO Manager (E-SSO-M) Many resources, such as internet applications, internal network applications and Operating Systems, require the end user to log in several times before they are empowered
Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy
Security Watch Deploying EFS: Part 1 John Morello By now, everyone has heard reports about personal or sensitive data being lost because of laptop theft or misplacement. Laptops go missing on a regular
IT Advisory Windows passwords security ADVISORY WHOAMI 2 Agenda The typical windows environment Local passwords Secure storage mechanims: Syskey & SAM File Password hashing & Cracking: LM & NTLM Into the
Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user
Mary I. Hubley, MaryAnn Richardson Technology Overview 25 September 2003 Windows Server 2003 Active Directory: Perspective Summary The Windows Server 2003 Active Directory lies at the core of the Windows
Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis
RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks
Grenoble INP Ensimag _ (in)security we trust _!! SecurIMAG 2011-05-12 Windows security for n00bs part 1 Security architecture & Access Control Description: whether you are in favor or against it, the Windows
AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
Defense Security Service Office of the Designated Approving Authority Baseline Technical Security Configuration of Microsoft Windows 7 and Microsoft Server 2008 R2 Version 1.0 Title Page Document Name:
Red Teaming Agenda Red Team Difference to a Pen Test Common RT Techniques Blue Team Disclaimer Red Teaming is a contentious term with no set definition Conceptions vary and can be situated on a scale from
70-682 Microsoft Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician http://www.pass4sureofficial.com Dumpspdf.com is a reputable IT certification examination guide, study guides and
Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: email@example.com Website: www.pistolstar.com
Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer
Windows servers The NT security model NT networks Networked NT machines can be: Primary Domain controller Centralizes user database/authentication Backup Domain controller Domain member Non-domain member
Likewise Enterprise Likewise Security Benefits AUTHOR: Manny Vellon Chief Technology Officer Likewise Software Abstract This document describes how Likewise improves the security of Linux and UNIX computers
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Kerberos Explained By Mark Walla Article from the May 2000 issue of Windows 2000 Advantage magazine Although this article is billed as a primer to Kerberos authentication, it is a high technical review.
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary
NetWrix USB Blocker Version 3.6 Administrator Guide Table of Contents 1. Introduction...3 1.1. What is NetWrix USB Blocker?...3 1.2. Product Architecture...3 2. Licensing...4 3. Operation Guide...5 3.1.
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
Course 50331D: Windows 7, Enterprise Desktop Support Technician Page 1 of 11 Windows 7, Enterprise Desktop Support Technician Course 50331D: 4 days; Instructor-Led Introduction This four-day instructor-ledcourse
NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Member Server v2-1-0-2: NNTDC01 On NNTDC01 - By admin for time period 5/23/2014 8:49:51 AM to 5/23/2014 8:49:51 AM NNT CIS Microsoft Windows Server
PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft Agenda Security Development Lifecycle Initiative Using PI to Protect Critical Infrastructure Hardening Advice for the PI
HP ProtectTools User Guide Copyright 2007 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel is a trademark or registered trademark
Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift
Stealing credentials for impersonation Emmanuel Bouillon firstname.lastname@example.org October 29, 2010 Disclaimer Introduction This expresses my own views and does not involve my previous, current and future employers.
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
BitLocker Drive Encryption Hardware Enhanced Data Protection Shon Eizenhoefer, Program Manager Microsoft Corporation Agenda Security Background BitLocker Drive Encryption TPM Overview Building a BitLocker
Securing Active Directory Presented by Michael Ivy Presenter: Michael Ivy Consultant, Rook Security Michael Ivy Thank you for being here today August 20, 2014 Brief Overview Securing NTDS and Replication
Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of
NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment