Basic principles of infrastructure security
Impersonation, delegation and code injection
Ondřej Ševeček, GOPAS a.s.
MCM: Directory Services, MVP: Enterprise Security, CHFI, CEH, CISA
ondrej@sevecek.com, www.sevecek.com
Agenda
- Service accounts
- Single sign on (SSO)
- Impersonation
- Delegation
Motivation
- where most admins make critical mistakes
- pass-the-hash is not the problem
- understand and stick to the correct procedures
Related courses: GOC172 - Kerberos troubleshooting, GOC169 - Auditing ISO 2700x
SSO (single sign-on)
- "Minimize use of secure authentication information" (ISO/IEC 27001)
- limits password/PIN exposure
- limits users' incentive to store passwords on local systems or write them down
Authentication methods in Windows
- Password
  - single factor
  - stored in AD or the local SAM database as a hash
  - NTLM, Kerberos, AD LDAP simple bind, Digest
- Smart card
  - multi-factor
  - PKI certificate's private key, mapped to an AD user account
  - AD Kerberos only
- Certificate
  - single factor if not stored on a smart card
  - PKI certificate's private key, mapped to an AD user account
  - TLS/SSL client certificate authentication (SCHANNEL)
Network authentication against AD
- Basic: full-text password sent over a clear or encrypted channel
  - HTTP basic, LDAP simple bind, RDP SSO, CredSSP
- NTLM: hashed password with a random challenge
  - LM, NTLM/MS-CHAP, NTLMv2/MS-CHAPv2
- Kerberos: timestamp encrypted with the hashed password
  - private key signature of the timestamp (PKINIT)
- TLS/SSL client certificate authentication: private key signature of the server's challenge
  - HTTPS, EAP-TLS, AD FS
- Digest: MD5-hashed password with a random challenge
  - HTTP digest, CHAP, LDAP
Network authentication (diagram; labels: Client, Secure Channel)
Delegation (double-hop) (diagram; labels: Client, Back-end)
Network authentication risks (diagram; labels: Client, Clear text password?, Weak password hash?, Impersonation)
Network authentication risks (diagram; labels: Client, Clear text password?, Weak password hash?, Delegation, Back-end, Impersonation)
Service Accounts
Services, jobs and IIS application pools run under some service identity:
- NT AUTHORITY\System
- NT AUTHORITY\Network Service
- NT AUTHORITY\Local Service
- NT SERVICE\*
- IIS APPPOOL\*
- <domain>\*
Related courses: GOC172 - Kerberos troubleshooting, GOC175 - Advanced Windows security
Service identities on Windows XP+
- SYSTEM
  - member of local Administrators
  - uses COMPUTER$ to access network resources
  - on 2003 and earlier must use Kerberos (cannot use NTLM)
  - 2008+: policy "Allow Local System to use computer identity for NTLM"
- Network Service
  - member of local Users
  - uses COMPUTER$ to access network resources
- Local Service
  - member of local Users
  - anonymous network access
NT SERVICE
IIS APPPOOL
Isolation

| Domain       | Account             | Network password   | Groups         | Local isolation | Network isolation | Kerberos PAC validation | OS (since)  |
|--------------|---------------------|--------------------|----------------|-----------------|-------------------|-------------------------|-------------|
| NT AUTHORITY | SYSTEM              | automatic, 30 days | Administrators | no              | MACHINE$          | no                      | 2000        |
| NT AUTHORITY | Network Service     | automatic, 30 days | Users          | no              | MACHINE$          | no                      | XP          |
| NT AUTHORITY | Local Service       | no                 | Users          | no              | anonymous         | no                      | XP          |
| NT SERVICE   | <servicename>       | automatic, 30 days | Users          | yes             | MACHINE$          | no                      | Vista, 2008 |
| IIS APPPOOL  | <apppoolname>       | automatic, 30 days | Users          | yes             | MACHINE$          | no                      | Vista, 2008 |
| <domain>     | <username>          | manual             | Users          | yes             | yes               | yes                     | 2000        |
| <domain>     | <managedsvcaccount> | automatic, 30 days | Users          | yes             | yes               | no                      | 7, 2008 R2  |
| <domain>     | <groupsvcaccount>   | automatic, 30 days | Users          | yes             | yes               | no                      | 8, 2012     |
Impersonation and Access Token (diagram; labels: LSASS, Kerberos groups, NTLM groups, SChannel groups, local groups/SIDs, credentials, Access Token; clients Outlook, IE, Explorer; in-band transport HTTP, SMB, OM; servers SmbSrv, WebSrv, SQL, Exch; resources DB, Registry, NTFS; LSASS, AD)
User right: Impersonate client after authentication (SeImpersonatePrivilege)
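The authentication-method and access-token slides above say where the risk sits: a Basic logon carries the clear-text password to the server, LM/NTLMv1 uses a weaker challenge-response than NTLMv2, and a network logon that yields a Delegation-level token lets the server act as the client elsewhere. The triage script below is an added example, not part of the original deck or the author's material: it parses Windows Security event 4624 text (the field names and logon-type codes are the real ones Windows writes) and flags those three conditions. The four events are constructed sample data, and the SIDs and account names in them are made up.

```python
"""Triage Windows Security event 4624 (successful logon) text for clear-text
password logons, LM/NTLMv1 challenge-response, and network logons that hand
the server a Delegation-level token.

Added example, not part of the original slides. Field names and logon-type
codes are the real ones from event 4624; the events are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Real 4624 "Logon Type" codes (subset).
LOGON_TYPES = {
    "2": "Interactive",
    "3": "Network",
    "4": "Batch",
    "5": "Service",
    "8": "NetworkCleartext",    # e.g. IIS Basic authentication
    "9": "NewCredentials",      # runas /netonly
    "10": "RemoteInteractive",  # RDP
}

# Constructed sample: four events in Event Viewer layout, separated by "---".
SAMPLE_EVENTS = """\
An account was successfully logged on.
Subject:
    Security ID:        S-1-5-18
    Account Name:       WKS01$
Logon Type:             2
Impersonation Level:    Impersonation
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       jane
    Account Domain:     CORP
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package:     Kerberos
    Package Name (NTLM only):   -
---
An account was successfully logged on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
Logon Type:             3
Impersonation Level:    Impersonation
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1201
    Account Name:       svc_backup
    Account Domain:     CORP
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package:     NTLM
    Package Name (NTLM only):   NTLM V1
---
An account was successfully logged on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
Logon Type:             3
Impersonation Level:    Delegation
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1150
    Account Name:       bob
    Account Domain:     CORP
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package:     Kerberos
    Package Name (NTLM only):   -
---
An account was successfully logged on.
Subject:
    Security ID:        S-1-5-82-1234
    Account Name:       IIS APPPOOL\\DefaultAppPool
Logon Type:             8
Impersonation Level:    Impersonation
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1300
    Account Name:       alice
    Account Domain:     CORP
Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package:     Negotiate
    Package Name (NTLM only):   -
"""


def parse_event(text: str) -> Dict[str, str]:
    """Flatten one event into {"Section/Field": value}.

    Event text nests fields by indentation under headers such as "New Logon:";
    unindented fields are recorded under the pseudo-section "Event".
    """
    fields: Dict[str, str] = {}
    section = "Event"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue                      # message text, e.g. "An account was successfully logged on."
        if not raw[0].isspace():
            section = "Event"             # back at top level
        if line.endswith(":"):
            section = line[:-1]           # header: "Subject:", "New Logon:", ...
            continue
        key, _, value = line.partition(":")
        fields[f"{section}/{key.strip()}"] = value.strip()
    return fields


def parse_events(blob: str) -> List[Dict[str, str]]:
    return [parse_event(chunk) for chunk in blob.split("---") if chunk.strip()]


def get(fields: Dict[str, str], name: str, section: Optional[str] = None) -> str:
    """Look a field up by name; "Account Name" exists twice, so ask for a section."""
    if section is not None:
        return fields.get(f"{section}/{name}", "")
    for key, value in fields.items():
        if key.endswith("/" + name):
            return value
    return ""


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (account, finding, detail) triples; one event may yield several."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        account = f"{get(ev, 'Account Domain', 'New Logon')}\\{get(ev, 'Account Name', 'New Logon')}"
        logon_type = get(ev, "Logon Type")
        ntlm_flavour = get(ev, "Package Name (NTLM only)")
        level = get(ev, "Impersonation Level")
        package = get(ev, "Authentication Package")
        if ntlm_flavour in ("LM", "NTLM V1"):
            findings.append((account, "weak-ntlm",
                             f"{ntlm_flavour} challenge-response accepted; require NTLMv2"))
        if logon_type == "8":
            findings.append((account, "cleartext-network",
                             "NetworkCleartext logon: the password reached this host in clear text"))
        if logon_type == "3" and level == "Delegation":
            findings.append((account, "delegation-token",
                             f"{package} network logon produced a Delegation-level token; "
                             f"this host can now act as {account} towards other services"))
    return findings


if __name__ == "__main__":
    for account, kind, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:18} {LOGON_TYPES.get('3', '')!s:0} {account:20} {detail}")
```

Run against exported event text (or a log-forwarder feed) it gives a quick list of hosts that receive Basic-style logons or LM/NTLMv1 and of the accounts whose delegation-level tokens land on member servers, which is where the deck's "Weak password hash?" and "Delegation" risk labels come from.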
Basic delegation (diagram; labels: Client: password, LSASS: password, Kerberos, Back-end)
Kerberos unconstrained delegation (2000+) (diagram; labels: Client: F:TGT, LSASS: F:TGT, Kerberos, Back-end)
Kerberos constrained delegation (2003+) (diagram; labels: Client: TGS, LSASS: nothing, Kerberos, Back-end)
Kerberos protocol transition (2003+) (diagram; labels: Client: anything (NTLM, retina, questions), LSASS: nothing, Kerberos, Back-end)
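The four delegation slides differ in what the front-end LSASS ends up holding for the client: the password itself (basic delegation), a forwardable TGT usable against any service (unconstrained), a service ticket valid only for the listed back-end SPNs (constrained), or nothing from the client at all because the front end authenticates the client by any means and then obtains tickets on its behalf (protocol transition). In Active Directory these configurations are visible as userAccountControl bits and the msDS-AllowedToDelegateTo attribute. The audit below is an added example, not code from the deck or its author; the flag values and attribute name are the real ones, while the account records are constructed sample data and the SPNs in them are made up.

```python
"""Classify Active Directory accounts by the delegation configuration they carry,
matching the basic/unconstrained/constrained/protocol-transition slides.

Added example, not part of the original slides. Bit values and the
msDS-AllowedToDelegateTo attribute are the real AD ones; the accounts are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Real userAccountControl bits.
NORMAL_ACCOUNT = 0x00000200
WORKSTATION_TRUST_ACCOUNT = 0x00001000
SERVER_TRUST_ACCOUNT = 0x00002000             # domain controller
DONT_EXPIRE_PASSWORD = 0x00010000
TRUSTED_FOR_DELEGATION = 0x00080000           # unconstrained: front end receives the client's forwardable TGT
NOT_DELEGATED = 0x00100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # protocol transition (S4U2Self) on top of constrained delegation


@dataclass
class AdAccount:
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def delegation_type(acct: AdAccount) -> str:
    """Which of the slide's delegation models this account's settings select."""
    uac = acct.user_account_control
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"            # the checkbox wins even if an SPN list is also present
    if acct.allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    return "none"


# What the front-end LSASS holds for the client in each model (the slide labels).
FRONT_END_HOLDS = {
    "unconstrained": "client's forwardable TGT, usable against any service",
    "constrained-kerberos-only": "service ticket for the listed back-end SPNs only; client must arrive with Kerberos",
    "constrained-protocol-transition": "service ticket for the listed back-end SPNs only; client may arrive by any method",
    "none": "nothing usable for delegation",
}


def can_be_delegated(acct: AdAccount) -> bool:
    """A client account marked sensitive cannot be delegated by any front end."""
    return not (acct.user_account_control & NOT_DELEGATED)


def audit(accounts: List[AdAccount]) -> List[Tuple[str, str, str]]:
    """Return (account, delegation type, note) rows for review."""
    rows = []
    for acct in accounts:
        kind = delegation_type(acct)
        note = FRONT_END_HOLDS[kind]
        if kind == "unconstrained" and not (acct.user_account_control & SERVER_TRUST_ACCOUNT):
            note += "; REVIEW: unconstrained delegation on a non-domain-controller account"
        if not can_be_delegated(acct):
            note += "; marked sensitive, cannot be delegated"
        rows.append((acct.sam_account_name, kind, note))
    return rows


def sample_accounts() -> List[AdAccount]:
    """Constructed records; names and SPNs are made up."""
    return [
        AdAccount("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
        AdAccount("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                  ["MSSQLSvc/sql01.corp.example:1433"]),
        AdAccount("svc_report", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
                  ["HTTP/report.corp.example"]),
        AdAccount("APP02$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
        AdAccount("FILE01$", WORKSTATION_TRUST_ACCOUNT),
        AdAccount("admin.jane", NORMAL_ACCOUNT | NOT_DELEGATED),
    ]


if __name__ == "__main__":
    for name, kind, note in audit(sample_accounts()):
        print(f"{name:12} {kind:32} {note}")
```

In a real directory the same three attributes come back from an LDAP query for userAccountControl and msDS-AllowedToDelegateTo; the rows worth attention are unconstrained delegation on anything that is not a domain controller, protocol transition on front ends that do not need it, and privileged client accounts that lack the NOT_DELEGATED bit.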
Thank you for your attention!
Related courses: GOC172 - Kerberos troubleshooting, GOC175 - Advanced Windows security, GOC169 - Auditing ISO 2700x