Basic principles of infrastracture security Impersonation, delegation and code injection

Transcription

1 Basic principles of infrastracture security Impersonation, delegation and code injection Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security CHFI CEH CISA

2 Agenda Service accounts Single sign on (SSO) Impersonation Delegation

3 Motivation where most admins do critical mistakes pass-the-hash is not the problem understand and bind to correct procedures GOC172 - Kerberos troubleshooting GOC169 - Auditing ISO 2700x

4 SSO (single-sign-on) Minimize use of secure authentication information ISO/IEC Limits password/pin exposure Limits user's incentives to store passwords on local systems or write them down

5 Authentication methods in Windows Password single factor stored in AD or local SAM database as hash NTLM, Kerberos, AD LDAP simple bind, Digest Smart card multi factor PKI certificate's private key mapped to AD user account AD Kerberos only Certificate single factor if not stored in smart card PKI certificate's private key mapped to AD user account TLS/SSL client certificate authentication (SCHANNEL)

6 Network authentication against AD Basic full-text password sent over clear/encrypted channel HTTP basic, LDAP simple bind, RDP SSO, CredSSP NTLM hashed password with random challenge LM, NTLM/MS-CHAP, NTLMv2/MS-CHAPv2 Kerberos hashed password encrypted timestamp private key signature of timestamp (PKINIT) TLS/SSL client certificate authentication private key signature of server's challenge HTTPS, EAP-TLS, AD FS Digest MD5 hashed password with random challenge HTTP digest, CHAP, LDAP

7 Network authentication Client Secure Channel

8 Delegation (double-hop) Client Back-end

9 Network authentication risks Clear text password? Client Weak password hash? Impersonation

10 Network authentication risks Client Clear text password? Weak password hash? Delegation Back-end Impersonation

11 Service Accounts Services, jobs and IIS application pools run under some service identity NT AUTHORITY\System NT AUTHORITY\Network Service NT AUTHORITY\Local Service NT SERVICE\* IIS APPPOOL\* <domain>\* GOC172 - Kerberos troubleshooting GOC175 - Advanced Windows security

12 Service identities on Windows XP+ SYSTEM local Administrators uses COMPUTER$ to access network resources must use Kerberos on (cannot use NTLM) Allow Local System to use computer identity for NTLM Network Service local Users uses COMPUTER$ to access network resources Local Service local Users anonymous network access

13 NT SERVICE

14 IIS APPPOOL

15 Isolation Domain Account Network Password Groups Local Isolation Network Isolation Kerberos PAC Validation OS NT AUTHORITY SYSTEM automatic 30 days Administrators no MACHINE$ no 2000 NT AUTHORITY Network Service automatic 30 days Users no MACHINE$ no XP NT AUTHORITY Local Service no Users no anonymous no XP NT SERVICE <servicename> automatic 30 days IIS APPPOOL <apppoolname> automatic 30 days Users yes MACHINE$ no Vista 2008 Users yes MACHINE$ no Vista 2008 <domain> <username> manual Users yes yes yes 2000 <domain> <managedsvcaccount> automatic 30 days <domain> <groupsvcaccount> automatic 30 days Users yes yes no R2 Users yes yes no

16 Impersonation and Access Token local groups/sids LSASS Kerberos groups credentials Access Token Outlook IE Explorer In-band transport HTTP, SMB, OM SmbSrv WebSrv SQL Exch Client NTLM groups SChannel groups DB Registry NTFS LSASS AD

17 User right: Impersonate client after authentication (SeImpersonatePrivilege)

18 Basic delegation LSASS password Client password Kerberos Back-end

19 Kerberos unconstrained delegation (2000+) LSASS F:TGT Client F:TGT Kerberos Back-end

20 Kerberos constrained delegation (2003+) LSASS nothing Client TGS Kerberos Back-end

21 Kerberos protocol transition (2003+) LSASS nothing Client anything NTLM Kerberos Back-end retina questions

22 Děkuji za pozornost! GOC172 - Kerberos troubleshooting GOC175 - Advanced Windows security GOC172 - Kerberos troubleshooting GOC169 - Auditing ISO 2700x Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security CHFI CEH CISA [email protected]