Now What? Your Directory Has Been Breached!
Dmitry Kagansky, Chief Technology Officer, Federal, Quest Software
May 30, 2012
©2011 Quest Software, Inc. All rights reserved.
Slide 1: Your Directory Has Been Breached
In today's constantly hostile online environment, hacks and compromises are almost inevitable. When attackers make their way into your network, they can stay undetected for days or weeks, and the systems most threatened are the most critical ones: databases and Active Directory. However, there are preventative measures you can take to decrease the chance of compromise, and ways to remediate your situation if a breach occurs. Join Quest Software for a presentation on both preventative measures and remediation techniques to survive a network compromise.
Slide 2: Credit Where Credit Is Due
The next 4 slides were shamelessly taken from Scott Culp's presentation:
– Managing Risk in Today's Cyber Threat Environment
– Scott Culp, Principal Security Architect, Microsoft
– Originally presented at the 2012 Microsoft Public Sector CIO Summit
Slide 3: Begin at the Beginning
How did it happen? Most likely culprits:
– Targeting
– Phishing
– SQL Injection
– Persistence
– Pass the Hash
Slide 4: Persistence
Common return vectors:
– Valid Credentials: passwords obtained in cleartext (keyloggers, databases, etc.), or by cracking hashes, especially hashes taken from DCs
– Zombie RATs: Remote Access Tools installed on compromised machines, with instructions to reactivate and phone home later
– Dupes: users with a demonstrated propensity for extending unjustified trust
Slide 5: Pass the Hash
– Domain Privileged Servers: where the power is
– Line of Business Servers: where the assets are
– Workstations: where the access is
An attacker who lands on a workstation and harvests the hash of an account that also logs on to the higher tiers can replay that hash upward, which is why privileged credentials must never be used on the lower tiers.
Slide 6: Preventative Measures
If you're confident you're still "sterile," here are things you can easily do on an ongoing basis to stay that way:
– Know What Matters: focus on your key systems, users, and data.
– Get Current, Stay Current: deploy Windows 7, Office 2010, Acrobat Reader X, Java 6; keep them patched.
– Start Secure, Stay Secure: configure security using SCM (Microsoft Security Compliance Manager); maintain it, monitor it, and independently test it.
– Isolate Key Credentials: use standard user accounts on workstations; isolate privileged credentials.
– Employ the SDL: employ the Security Development Lifecycle for in-house apps, especially web apps.
But if you're not confident, or you know you've been breached...
Slide 7: Steel Yourself...
This is not going to be pretty. You have to migrate. Yes, I said migrate.
Slide 8: Why Are We Here?
"Once you realized your directory was 'owned,' the only way you will feel secure again is to migrate your data to a new directory on new servers." – Anonymous Customer, Sr. AD Architect
Slide 9: High-Level Overview
– Have a destination prepared
– Have as much moved over as possible: users, groups
– Prepare a Services Priority List
– Be ready to copy what cannot be moved ahead of time: computers, services, resources
– Have tools at the ready
– You WILL have an outage
– Do NOT grant any rights to anyone without a thorough review process
Slide 10: Have a Destination Prepared
You can set up AD in a VM ahead of time:
– Create a new domain in a new forest; nothing from the compromised directory should replicate into it
– Have only the single 'Administrator' user with any rights
– Start to actively monitor this new instance
Map all users:
– Create an "old to new" map (MS Excel, MS Access, CSV, etc.)
– For convenience, add old and new SIDs to the map if you can
– Secure the map
– Review the map on an ongoing basis
Copy all distribution groups:
– Group membership is suspect, and should probably not be copied
Copy all security groups:
– Group membership is compromised, and must not be copied
Slide 11: Prepare the Services Priority List
Determine what is most important:
– Involve the business owners
Document "service interactions":
– SQL, IIS, and the level of privileges each app needs; business owners may not mention these dependencies, but treat them as first priority
Mobile devices (even BlackBerries) should be last:
– Yes, I know people want their data, but this is a potential entry point
Slide 12: Have Tools Prepared
Many vendors have what you need; however, no one (not even my employer) has a single package for this.
Be comfortable with PowerShell:
– If you don't have any 3rd-party tools, this will be the only way to go, unless you only have 20 users in your domain
Everything that is necessary can be scripted. Have the scripts ready.
Slide 13: During the Move
Copy what cannot be moved ahead of time: computers, services, resources.
All objects are suspect:
– Treat them the same as compromised user objects
– Do not blindly add them to groups
Look at directory sync tools:
– Microsoft
– Quest
Slide 14: You WILL Have an Outage
Prepare your users; let them know:
– They'll need to reset their passwords
– Some apps and services will not be available, especially right after the initial move
Size determines speed. Risk determines speed.
A few days to a few weeks:
– It will take a day or two to copy everything over
– It will take weeks to get everything back in place
Security groups MUST go through a review process:
– Involve the business owners
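To make "have the scripts ready" concrete, here is an added PowerShell example for slides 10 through 14. It is not code from the presentation or from any Quest product. It creates the users in the clean domain (disabled, with a random throwaway password that must be changed at first logon, so users reset passwords as slide 14 warns), recreates the groups without any membership, writes the "old to new" map with both SIDs, and emits a review sheet of the old memberships for business owners to approve before anything is re-added. The domain names, OU paths, file paths and the built-in account list are assumptions; it requires the Microsoft ActiveDirectory module and an account that holds rights only in the new domain's target OUs.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the Quest presentation). Builds the old-to-new map,
  recreates groups in the clean forest with EMPTY membership, and writes a
  membership review sheet instead of copying memberships.
  Domain names, OU paths and file paths are assumptions. Treat the map file as
  sensitive and lock down its ACL once it is written.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OldDomain  = 'old.corp.example',                          # assumed: compromised source
    [string]$NewDomain  = 'new.corp.example',                          # assumed: clean destination
    [string]$NewUserOU  = 'OU=Migrated Users,DC=new,DC=corp,DC=example',
    [string]$NewGroupOU = 'OU=Migrated Groups,DC=new,DC=corp,DC=example',
    [string]$MapPath    = '.\old-to-new-map.csv',
    [string]$ReviewPath = '.\group-membership-review.csv'
)

# Accounts that exist in every domain and must never be "migrated" (assumed list).
$skipUsers = 'Administrator', 'Guest', 'krbtgt', 'DefaultAccount'

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64 encoded. The user must change it at
    # first logon, so it is never written anywhere, including the map.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

$map    = New-Object System.Collections.Generic.List[object]
$review = New-Object System.Collections.Generic.List[object]

# --- 1. Users: create disabled, must-change-password accounts; record old SID -> new SID.
Get-ADUser -Server $OldDomain -Filter 'Enabled -eq $true' |
    Where-Object { $skipUsers -notcontains $_.SamAccountName } |
    ForEach-Object {
        $userParams = @{
            Server = $NewDomain; Path = $NewUserOU
            Name = $_.Name; SamAccountName = $_.SamAccountName
            UserPrincipalName = "$($_.SamAccountName)@$NewDomain"
            AccountPassword = (New-RandomPassword)
            ChangePasswordAtLogon = $true
            Enabled = $false; PassThru = $true   # stays disabled until the owner confirms
        }
        if ($_.GivenName) { $userParams.GivenName = $_.GivenName }
        if ($_.Surname)   { $userParams.Surname   = $_.Surname }
        $new = New-ADUser @userParams
        if ($new) {   # $new is empty under -WhatIf
            $map.Add([pscustomobject]@{
                Type = 'User'; SamAccountName = $_.SamAccountName
                OldSid = $_.SID.Value; NewSid = $new.SID.Value
                OldDN = $_.DistinguishedName; NewDN = $new.DistinguishedName
            })
        }
    }

# --- 2. Groups: copy the object, NOT the membership. Critical system groups
#        (Domain Admins, Builtin\Administrators, ...) are skipped on purpose.
Get-ADGroup -Server $OldDomain -LDAPFilter '(!(isCriticalSystemObject=TRUE))' -Properties description, member |
    ForEach-Object {
        $groupParams = @{
            Server = $NewDomain; Path = $NewGroupOU
            Name = $_.Name; SamAccountName = $_.SamAccountName
            GroupCategory = $_.GroupCategory; GroupScope = $_.GroupScope
            PassThru = $true
        }
        if ($_.Description) { $groupParams.Description = $_.Description }
        $new = New-ADGroup @groupParams
        if ($new) {
            $map.Add([pscustomobject]@{
                Type = $_.GroupCategory.ToString(); SamAccountName = $_.SamAccountName
                OldSid = $_.SID.Value; NewSid = $new.SID.Value
                OldDN = $_.DistinguishedName; NewDN = $new.DistinguishedName
            })
        }
        # Old membership goes to the review sheet only; a business owner approves
        # each row before anyone runs Add-ADGroupMember in the new domain.
        foreach ($memberDn in $_.member) {
            $review.Add([pscustomobject]@{
                Group = $_.SamAccountName; GroupCategory = $_.GroupCategory.ToString()
                OldMemberDN = $memberDn; Approved = ''; ApprovedBy = ''; Justification = ''
            })
        }
    }

$map    | Export-Csv -NoTypeInformation -Path $MapPath
$review | Export-Csv -NoTypeInformation -Path $ReviewPath
"Mapped $($map.Count) objects; $($review.Count) memberships await review."
```

Run it first with -WhatIf to see what would be created without touching the new domain. The script deliberately never calls Add-ADGroupMember: the review CSV, with its Approved and Justification columns filled in by the business owner, is the input to a separate, audited step, which is the "thorough review process" from slide 9 expressed as a file rather than a promise. Because the map holds the SID crosswalk for every account, it is a high-value target in its own right; keep it off the old domain and restrict its ACL to the migration team.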
Slide 15: Credit Where Credit Is Due
Slides taken from Scott Culp's presentation:
– Managing Risk in Today's Cyber Threat Environment
– Scott Culp, Principal Security Architect, Microsoft
– Originally presented at the 2012 Microsoft Public Sector CIO Summit
There is a corresponding white paper out on June 4th:
– Robert Bobel is the original co-author of the white paper, and much of this presentation is based on his original draft
Slide 16: Wrap-up
Contact Information:
– Dmitry Kagansky
– Blog:
Supporting Whitepaper (available June 4, 2012):
– http://www.federalcto.com/quest/breached-directory.docx
– http://tinyurl.com/re-establishAD
AD Landing page:
– http://www.federalcto.com/2012/05/breached/
These slides:
– http://www.federalcto.com/quest/breached-directory.pptx