Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE




Managing Local Administrator Passwords with LAPS
2015 Penn State Security Conference
Dan Barr, drb45@psu.edu
Systems Administrator, Applied Research Laboratory

The Shared Password Threat
- Shared passwords are one vector used in Pass-the-Hash attacks.
- It only takes one compromised client to effectively compromise every system using the same local Administrator password.
- Makes lateral movement within a trusted network trivial.
- Even if the clear-text password isn't compromised, you're still in big trouble: the NT hash alone is enough to authenticate.
- So, how do we manage passwords on a large number of systems? And rotate them often? And control who can access them? Without spending a small fortune on additional complex infrastructure or products?

What is Pass-the-Hash (PtH)? (The short, short version)
- Credential replay attack: the attacker does not need the clear-text password!
- Hashes can be harvested from:
  - Memory (the lsass.exe process)
  - The local SAM database (local accounts), plus the cached domain credentials kept in the SECURITY hive (those are a different format and must be cracked before use)
  - NTLM traffic sniffing (what is captured is a challenge/response, not the hash itself, so it has to be cracked offline before it can be replayed)
- NTLM and Kerberos (via ticket replay/forwarding) are both vulnerable.
[Diagram: Attacker -> Compromised Client -> Admin Client -> Clients, Servers, Databases]

More on PtH
For more in-depth information and a demo of Pass-the-Hash, see "Security Features of OneForest Active Directory Deployment", Keith Brautigam & Jake DeSantis, Thursday at 2:50pm.

What is LAPS?
- Local Administrator Password Solution
- Free tool made public by Microsoft in May 2015; formerly only available to Premier Support agreement holders.
- Securely manages unique, random local Administrator passwords on managed systems.
- Completely implemented using AD and Group Policy; no additional infrastructure needed.
- Developed because shared admin passwords were a frequent primary attack vector in customer security incidents handled by Microsoft.
- Does NOT eliminate PtH, it reduces the impact: a local Administrator hash stolen from one client no longer works on any other client.

How does it work?
- Schema extension adds two attributes to Computer objects:
  - ms-Mcs-AdmPwd: the clear-text password; marked Confidential and RODC-filtered
  - ms-Mcs-AdmPwdExpirationTime: when the password is due for rotation, stored as a FILETIME value
- Client-side GPO extension (AdmPwd.dll) installed via MSI
- Managed via a simple GUI, PowerShell, or native AD management tools
[Diagram: LAPS UI / PowerShell / Group Policy Editor -> Active Directory (computer account: ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) <- Group Policy Framework / AdmPwd.dll on the managed client]

LAPS Features & Requirements
Features
- Passwords stored centrally in AD
- Optional audit/debug logging to the client's Application event log (event source AdmPwd)
- Define password parameters: length, complexity, age
- Force a password reset
- GUI, PowerShell, or native AD tools for management
Requirements
- AD: at least Windows Server 2003 SP1
- Officially supported clients: Vista with current SP and above; Server 2003 SP2 and above
- Unofficially works on XP

LAPS Process (runs in the client-side extension at each Group Policy refresh)
1. Check the expiration timestamp in the AD attribute.
2. If expired, generate a new password based on the configured rules.
3. Store the new password in the AD attribute and update the expiration timestamp.
4. Only if that write succeeded, set the local account password.
The ordering matters: the local password is never changed unless the new value is already stored in AD, so a failed AD write cannot leave a machine with a password nobody knows.
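The expiration timestamp is the one piece of LAPS state that is readable without the confidential-attribute right, which makes it the natural place to check coverage. The script below is an added example, not code from the talk or from Microsoft: it reads ms-Mcs-AdmPwdExpirationTime for every computer under an OU, classifies each as current, expired, or never managed (typically a missing CSE, an unapplied policy, or no SELF write permission), and then shows that forcing a rotation is just writing a past timestamp, which is what Reset-AdmPwdPassword does for you. The OU and computer name are assumed placeholders; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (not from the slides): audit LAPS coverage under an OU by
# reading ms-Mcs-AdmPwdExpirationTime, the attribute the client-side
# extension checks at every Group Policy refresh.
# Assumptions: ActiveDirectory module available, schema already extended,
# OU and computer names below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

$computers = Get-ADComputer -SearchBase $SearchBase -Filter * `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$now = [DateTime]::UtcNow
$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # Attribute never written: CSE not installed, policy not applied,
        # or the computer object lacks the SELF write permission.
        $state   = 'Unmanaged'
        $expires = $null
    }
    else {
        # Stored as a Windows FILETIME (100-ns intervals since 1601-01-01 UTC)
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        $state   = if ($expires -le $now) { 'Expired' } else { 'Current' }
    }
    [pscustomobject]@{
        Computer = $c.Name
        State    = $state
        Expires  = $expires
    }
}

$report | Sort-Object State, Computer | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count

# Force a rotation on the next GP refresh for one machine. Writing a
# timestamp that is already in the past (0 = 1601-01-01) has the same effect
# as Reset-AdmPwdPassword: the CSE sees it as expired, generates a new
# password, stores it in AD, then changes the local account.
# Requires the write granted by Set-AdmPwdResetPasswordPermission.
$target = 'WS-0001'   # assumed computer name
Set-ADComputer -Identity $target -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = 0 }
```

A computer that stays "Expired" for longer than one refresh interval is worth a look: either the CSE is not running or the AD write is failing, and in the second case the local password has not changed, which is exactly the safe failure the process is designed for.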

LAPS Security Considerations
- Kerberos encryption is used in transit.
- Use AD object access auditing to track password retrievals (Set-AdmPwdAuditing sets the SACL; reads then appear as Directory Service Access events, ID 4662, on the domain controllers).
- Currently only handles one account per client; it does not have to be the built-in Administrator.
- The password is stored in clear text in AD:
  - Encryption at rest would require key exchange (symmetric) or PKI (asymmetric)
  - ACLs adequately protect the attribute
  - Maintains the solution's simplicity
  - A compromised AD means game over anyway
- The AD attribute is marked confidential, so you need one of the following permissions to read it:
  - Full Control on the computer object, OR
  - All Extended Rights on the computer object, OR
  - Control Access on the ms-Mcs-AdmPwd attribute
  The middle one is the trap: any group that already holds All Extended Rights on computer objects (common for delegated helpdesk or provisioning roles) can read every password. Find-AdmPwdExtendedRights enumerates those holders so they can be reviewed before the first password is stored.
- Not replicated to RODCs
- The password value itself never appears in audit logging
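Auditing is only useful if someone reads the result. The script below is an added example, not from the talk or from Microsoft, showing how a practitioner would turn the SACL set by Set-AdmPwdAuditing into a list of who read which LAPS password: it resolves the schemaIDGUID of ms-Mcs-AdmPwd (which is generated when the schema is extended, so it must be looked up rather than hard-coded) and matches it against the Properties field of 4662 events on a domain controller. It assumes it runs on a DC with the "Audit Directory Service Access" subcategory enabled and with rights to read the Security log and the schema; the one-day lookback and the "more than 10 reads" threshold are assumptions.

```powershell
# Added example (not from the slides): find who read LAPS passwords by parsing
# Directory Service Access events (ID 4662) on a domain controller.
# Assumptions: run on a DC; "Audit Directory Service Access" is enabled and
# the SACL from Set-AdmPwdAuditing is in place; lookback window is assumed.
Import-Module ActiveDirectory

# 1. Resolve the attribute's schemaIDGUID from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = New-Object -TypeName System.Guid -ArgumentList @(, [byte[]]$attr.schemaIDGUID)
$guidPattern = [regex]::Escape($admPwdGuid.ToString())

# 2. Pull 4662 events and keep those whose Properties list names the attribute.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddDays(-1)   # assumed lookback
} -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.Properties -match $guidPattern) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName      # the computer object's DN/GUID
            AccessMask = $data.AccessMask      # reads of the confidential attribute
                                               # typically show as 0x100 (Control Access)
        }
    }
}

$reads | Sort-Object Time | Format-Table -AutoSize

# 3. Surface accounts reading many passwords in a short window: a helpdesk
#    account doing that is either over-delegated or being used for harvesting.
$reads | Group-Object User | Where-Object Count -gt 10 |
    Select-Object Name, Count
```

Note that the event records the read, not the value: consistent with the last bullet above, the password never appears in the log, so this output is safe to forward to a SIEM.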

Group Policy Settings (screenshot slide; no transcribed text)

LAPS UI (screenshot slide; no transcribed text)

PowerShell Module: AdmPwd.PS
Cmdlets:
- Find-AdmPwdExtendedRights
- Get-AdmPwdPassword
- Reset-AdmPwdPassword
- Set-AdmPwdAuditing
- Set-AdmPwdComputerSelfPermission
- Set-AdmPwdReadPasswordPermission
- Set-AdmPwdResetPasswordPermission
- Update-AdmPwdADSchema

Typical Deployment Workflow
1. Extend the AD schema
2. Review/revoke extended rights
3. Add machine rights (SELF)
4. Add user rights and auditing
5. Apply Group Policy settings
6. Deploy the client-side extension

Deployment Workflow - PowerShell
1. Extend the AD schema:
   Update-AdmPwdADSchema
2. Audit/remove undesired extended rights:
   Find-AdmPwdExtendedRights -Identity <OU Name> | Format-Table
3. Add machine rights (SELF permission to update the new attributes):
   Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name>
4. Add user rights to read the password or force a reset:
   Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
   Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
5. Enable access auditing:
   Set-AdmPwdAuditing -OrgUnit <OU Name> -AuditedPrincipals <users/groups/Everyone>
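The two workflow slides above list the server-side steps; what they do not show is the verification a practitioner runs afterwards on a managed client. The script below is an added example, not code from the talk or from Microsoft: it performs the deployment steps in order against an assumed OU and two assumed delegation groups, then checks on a client that the policy values written by the AdmPwd.admx template are present, that the client-side extension DLL exists at its default install path, and that a delegated reader can retrieve a password without echoing it. The OU, group names, computer name and chosen password parameters are assumptions.

```powershell
# Added example (not from the slides): the deployment workflow as one script,
# followed by the client-side checks. Assumptions: AdmPwd.PS and
# ActiveDirectory modules installed on the admin station, Schema Admins
# membership for step 1, placeholder OU/group/computer names.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU           = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$PwdReaders   = 'LAPS-Password-Readers'                 # assumed group
$PwdResetters = 'LAPS-Password-Reset'                   # assumed group

# 1. Extend the schema (once per forest; needs Schema Admins)
Update-AdmPwdADSchema

# 2. List principals that already hold "All Extended Rights" on the OU's
#    computers. Each of them can read ms-Mcs-AdmPwd; review and remove any
#    that are not intended BEFORE the first password is stored.
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object -ExpandProperty ExtendedRightHolders -Unique

# 3. Let each computer write its own password and expiration time
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# 4. Delegate read and reset to the intended groups only
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $PwdReaders
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $PwdResetters

# 5. Audit every read of the password attribute (event 4662 on the DCs)
Set-AdmPwdAuditing -OrgUnit $OU -AuditedPrincipals 'Everyone'

# 6. Group Policy: the AdmPwd.admx settings land under this key on each
#    client. Run on a managed client after gpupdate /force; the values
#    below are the assumed policy choices for this example.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$expected = @{
    AdmPwdEnabled                  = 1    # enable local admin password management
    PasswordComplexity             = 4    # upper + lower + digits + specials
    PasswordLength                 = 20
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # clamp a too-distant expiry to policy max
}
$actual = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
foreach ($k in $expected.Keys) {
    $state = if ($actual.$k -eq $expected[$k]) { 'OK' } else { "MISMATCH ($($actual.$k))" }
    '{0,-32} {1}' -f $k, $state
}

# 7. The client-side extension ships as AdmPwd.dll (default install path).
#    Its absence explains a computer whose expiration attribute is never set.
$cse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (Test-Path $cse) { "CSE present: $cse" } else { "CSE missing: $cse" }

# 8. Retrieve a password as a delegated reader. Select only the metadata here
#    so the secret is not written to a transcript or ticket by accident.
Get-AdmPwdPassword -ComputerName 'WS-0001' |    # assumed computer name
    Select-Object ComputerName, ExpirationTimestamp
```

Step 2 deserves a second pass after any later delegation change: a new OU-level "Full Control" or "All Extended Rights" grant silently becomes a read on every LAPS password beneath it.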

Other PtH Mitigations
- Upgrade clients: newer versions (Windows 8 and later) add a lot of kernel-level credential hardening.
- Limit client-to-client communications.
- Disable caching of AD credentials where possible.
- Limit the use and scope of privileged accounts (least privilege).
- Use hardened administrative workstations and jump servers: fewer chances to harvest a privileged hash.
- Limit debug privileges (often used to read the memory of protected processes such as lsass.exe).

THANK YOU!
Reminder: Security of OneForest AD Deployment, 2:30pm tomorrow, Keith Brautigam & Jake DeSantis, ITS Identity Services
Dan Barr, drb45@psu.edu