Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE

Transcription

1 Managing Local Administrator Passwords with LAPS 2015 PENN STATE SECURITY CONFERENCE DAN BARR SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY

2 The Shared Password Threat Shared passwords are one vector used in Pass-the-Hash attacks It only takes one compromised client to effectively compromise every system using the same local Administrator password Makes lateral movement within a trusted network trivial Even if the clear text password isn t compromised, you re still in big trouble So, how do we manage passwords on a large # of systems? And rotate them often? And control who can access them? Without spending a small fortune on additional complex infrastructure or products?

3 What is Pass-the-Hash (PtH)? (The short, short version) Credential replay attack Attacker does not need the cleartext password! Hashes can be harvested from: Memory (lsass.exe process) Local SAM database (local accounts and cached AD credentials) NTLM traffic sniffing (but requires brute-force since hash is encrypted over the wire) NTLM and Kerberos (via ticket replay/forwarding) are both vulnerable Compromised Client Admin Client Clients Servers Databases Attacker

4 More on PtH For more in-depth information and a demo of Pass-the-Hash: Security Features of OneForest Active Directory Deployment Keith Brautigam & Jake DeSantis Thursday at 2:50pm

5 What is LAPS? Local Administrator Password Solution Free tool made public by Microsoft in May 2015 Formerly only available to MS Premier Support agreement holders Securely manages unique, random local Administrator passwords on managed systems Completely implemented using AD & Group Policy, no additional infrastructure needed Developed due to frequency of shared admin passwords used as a primary attack vector in customer security incidents handled by Microsoft Does NOT eliminate PtH, just reduces the impact

6 How does it work? Schema extension adds two attributes to Computer objects: ms-mcs-admpwd: Confidential, RODC Filtered ms-mcs-admpwdexpirationtime Client-side GPO extension (DLL) installed via MSI Managed via simple GUI, PowerShell, or native AD management tools LAPS UI PowerShell Group Policy Editor AD Computer Account ms-mcs-admpwd ms-mcs-admpwdexpirationtime Group Policy Framework AdmPwd.dll Active Directory

7 LAPS Features & Requirements FEATURES Passwords stored centrally in AD Optional audit/debug logging to client s Security Event Log Define password parameters: length, complexity, age Force a password reset GUI, PowerShell, or native AD tools for management REQUIREMENTS AD: At least Server 2003 SP1 Officially-supported clients: Vista with current SP & above Server 2003 SP2 & above Unofficially works on XP

8 LAPS Process GP Refresh Check expiration timestamp in AD attribute If expired, generate new password based on configured rules Store new password in AD attribute and update expiration timestamp If successful, update local account PW

9 LAPS Security Considerations Kerberos encryption used in transit Use AD object access auditing to track password retrievals Currently only handles one account per client Does not have to be built-in Administrator Password is stored in clear text Encryption at rest would require key exchange (symmetric) or PKI (assymetric) ACLs adequately protect Maintains the solution s simplicity Compromised AD means game over anyway AD attribute is marked confidential, need one of the following permissions to read it: Full Control on computer object, OR All Extended Rights on computer object, OR Control Access on ms-mcs-admpwd attribute Not replicated to RODCs Not exposed in audit logging

10 Group Policy Settings

11 LAPS UI

12 PowerShell Module AdmPwd.PS Cmdlets: Find-AdmPwdExtendedRights Get-AdmPwdPassword Reset-AdmPwdPassword Set-AdmPwdAuditing Set-AdmPwdComputerSelfPermission Set-AdmPwdReadPasswordPermission Set-AdmPwdResetPasswordPermission Update-AdmPwdADSchema

13 Typical Deployment Workflow Extend AD Schema Review/Revoke Extended Rights Add Machine Rights (SELF) Add User Rights and Auditing Apply Group Policy Settings Deploy Client Side Extension

14 Deployment Workflow - PowerShell Extend AD Schema Update-AdmPwdADSchema Audit/remove undesired extended rights Find-AdmPwdExtendedRights -Identity <OU Name> Format-Table Add Machine rights (SELF permission to update new attributes) Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name> Add User rights to read PW or force reset Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups> Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups> Enable access auditing Set-AdmPwdAuditing -OrgUnit <OU Name> -AuditedPrincipals <users/groups/everyone>

15 Other PtH Mitigations Upgrade clients lots of kernel-level hardening in newer (Win8+) versions. Limit client-to-client communications Disable caching of AD credentials where possible Limit use/scope of privileged accounts least user access Use hardened administrative stations & jump servers Offers fewer chances to harvest a privileged hash Limit debug privileges (often used to access memory of protected processes)

16 THANK YOU! Reminder: Security of OneForest AD Deployment, 2:30pm tomorrow Keith Brautigam & Jake DeSantis, ITS Identity Services Dan Barr