1.Attacker targets workstations en masse 2.User running as local admin is compromised, attacker harvests credentials 3.Attacker uses credentials.

Presentation transcript:

Slide 8: The credential theft attack chain
1. Attacker targets workstations en masse
2. A user running as local admin is compromised; the attacker harvests credentials from that workstation
3. Attacker uses the harvested credentials for lateral movement or privilege escalation
4. Attacker acquires Domain Admin credentials
5. Attacker exercises full control of data and systems in the environment

Slide 9 (diagram: the attack chain mapped onto workstations, servers and domain controllers; labels recovered from the figure):
- Patient Zero (workstation): vulnerability & exploit, malware install, beacon / command & control. User = Administrator, so the attacker gets all local data, the user's data and keystrokes, active user credentials and the Security Accounts Manager (SAM) NT hashes. Establish beachhead.
- All workstations: workstation administrator credential, pass the hash (PTH) -> all local data, active user credentials, SAM NT hashes.
- Servers: server administrator credential, PTH -> all local data, active user credentials, SAM NT hashes; server admin access to all data; all Active Directory data (read).
- Domain Controllers: Domain Admin logon / PTH -> all Active Directory data (full control), all credentials (NT hashes), all data.

Slide 10 (demo diagram: DC, Client, Domain.Local, DomainAdmin, Attack Operator)

Slide 12: Two mitigation goals
1. Prevent exposure (of high-value credentials to high-exposure systems)
2. Limit usefulness (of any credential that is exposed)
Axes of the diagram: High Exposure (to Internet/Risk) versus High Privilege/Value

Slide 13: Two attacker paths through the tiers (Tier 0, Tier 1, Tier 2)
1. Privilege escalation: credential theft, application agents, service accounts
2. Lateral traversal: credential theft, application agents, service accounts

Slide 14: Tier 2 / Tier 1 / Tier 0

Slide 15: The tier model
- Tier 0, Power: Domain Controllers, Domain Admins, management and monitoring of production; the Admin Environment
- Tier 1, Data: servers and applications; services and applications; lateral traversal
- Tier 2, Access: users and workstations
Controls called out on the slide: hardened admin environment, known good media, credential partitioning, IPsec, network security, hardened workstations, accounts and smartcards, auto-patching, security alerting, tamper-resistant audit, offline administration (enforces governance), break glass account(s), red card admins. These assist with mitigating risks to production.
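Credential partitioning is the control that breaks the slide-8 chain between step 2 and step 4: a Tier 0 credential must never be typed into, or cached on, a Tier 1 or Tier 2 host. The following is an added example, not code from the presentation or from Microsoft, that turns that rule into a check over Security log 4624 logon events. The tier assignments, account and host names, and the sample records are constructed for illustration; in production you would feed it events parsed from Get-WinEvent or a SIEM.

```powershell
# Added example, not from the presentation: flag logons that violate credential
# partitioning. Tier assignments and the sample events below are constructed.

# Assumed tier assignments (lower number = more privilege).
$AccountTier = @{
    'CONTOSO\da-alice' = 0   # Domain Admin
    'CONTOSO\svr-bob'  = 1   # server administrator
    'CONTOSO\jdoe'     = 2   # standard user
}
$HostTier = @{
    'DC01'  = 0
    'APP01' = 1
    'WS042' = 2
}

function Test-TierViolation {
    param([Parameter(ValueFromPipeline)] [pscustomobject] $Record)
    process {
        $acct        = "$($Record.TargetDomainName)\$($Record.TargetUserName)"
        $accountTier = $AccountTier[$acct]
        $hostTier    = $HostTier[$Record.Computer]
        if ($null -eq $accountTier -or $null -eq $hostTier) { return }   # untiered: out of scope

        $reasons = @()
        # Rule 1: a higher-tier account on a lower-tier host hands its credential
        # to whoever already owns that host (slide 8, step 2 leading to step 4).
        if ($accountTier -lt $hostTier) {
            $reasons += "Tier $accountTier account on Tier $hostTier host"
        }
        # Rule 2: interactive (2), RunAs (9) and RDP (10) logons leave reusable
        # secrets in LSASS; a Tier 0 account should only do these on Tier 0 hosts.
        if (($Record.LogonType -in @(2, 9, 10)) -and $accountTier -eq 0 -and $hostTier -ne 0) {
            $reasons += "Tier 0 secrets cached on a non-Tier 0 host (logon type $($Record.LogonType))"
        }
        # Rule 3: Tier 0 accounts should come from a hardened admin workstation over
        # Kerberos; NTLM means the NT hash itself was used, which is what PTH looks like.
        if ($Record.AuthenticationPackageName -eq 'NTLM' -and $accountTier -eq 0) {
            $reasons += 'Tier 0 account authenticated with NTLM'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time      = $Record.TimeCreated
                Account   = $acct
                Host      = $Record.Computer
                LogonType = $Record.LogonType
                Package   = $Record.AuthenticationPackageName
                Source    = $Record.IpAddress
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records in the shape of parsed 4624 events.
$sample = @(
    [pscustomobject]@{ TimeCreated = '10:01'; Computer = 'WS042'; TargetDomainName = 'CONTOSO'; TargetUserName = 'jdoe';     LogonType = 2;  AuthenticationPackageName = 'Kerberos';  IpAddress = '-' }
    [pscustomobject]@{ TimeCreated = '10:07'; Computer = 'WS042'; TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice'; LogonType = 10; AuthenticationPackageName = 'Negotiate'; IpAddress = '10.1.2.3' }
    [pscustomobject]@{ TimeCreated = '10:09'; Computer = 'APP01'; TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice'; LogonType = 3;  AuthenticationPackageName = 'NTLM';      IpAddress = '10.1.2.42' }
    [pscustomobject]@{ TimeCreated = '10:11'; Computer = 'DC01';  TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice'; LogonType = 10; AuthenticationPackageName = 'Kerberos';  IpAddress = '10.0.0.5' }
)

# The two da-alice logons off Tier 0 are reported; jdoe on WS042 and da-alice on
# DC01 are clean.
$sample | Test-TierViolation | Format-Table -AutoSize
```

Rule 3 is deliberately narrow: NTLM network logons are normal for ordinary users, so it only fires for Tier 0 accounts, which under this model should never have a reason to authenticate with NTLM at all.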

Slide 17: ESAE - Managing Multiple Forests/Domains from an Admin Environment

Slide 18: ESAE structure
- Production domain(s): workstations & users, servers and applications, domain & forest
- Admins operating from the admin environment: Domain Admins; Server & App Admins
- Increased security protections against enterprise threats and known internet threats: hardened workstations, known good media, 20+ security controls, network traffic restrictions, admin smartcards (optional)

Slide 19: Privileged Account Workstation (PAW) - Cloud Security
- Privileged Account Workstations carry increased security protections against enterprise threats and known internet threats
- Security protections include known good media, 20+ security controls, smartcards (optional), security alerting (optional)
- Used for cloud infrastructure & services administration, and for social media, publishing and brand management accounts

Slide 21: Managed Access Request System (MARS) timeline (timeline axis 9:00 to 3:00)
Resources managed: managed servers, Domain Admin, Schema Admin, "Top Secret Project". Managed privilege is granted as group membership or a custom action.
1. Candidate account requests access (10:00)
2a. Auto-approve (10:00); 2b. Notification sent (10:00)
3. Candidate accesses the resource (10:01)
4. Privilege expires (12:00)
5. Candidate attempts access again (3:15), after the privilege has expired, so the access is no longer granted
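The MARS timeline above is just-in-time privilege: membership is granted on request and removed on a clock rather than left in place. The following is an added example, not MARS itself nor code from the presentation, showing the same grant-then-expire pattern with the time-bound group membership that Active Directory offers through its Privileged Access Management optional feature (Windows Server 2016 forest functional level; the 2012 R2 deck predates this). Group, account, mailbox and SMTP names are assumptions.

```powershell
# Added example, not the MARS implementation shown in the presentation: grant a
# group membership that expires on its own. Requires the PAM optional feature:
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target (Get-ADForest)
# All names below are assumed.

Import-Module ActiveDirectory

function Grant-TimeBoundMembership {
    param(
        [Parameter(Mandatory)] [string] $Group,      # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [string] $Candidate,  # sAMAccountName of the requester
        [int]    $Hours  = 2,                        # 10:00 -> 12:00 in the slide's timeline
        [string] $Notify = 'soc@contoso.com',        # assumed mailbox (step 2b)
        [string] $Smtp   = 'smtp.contoso.com'        # assumed relay
    )
    $ttl = New-TimeSpan -Hours $Hours
    # The link carries a TTL; the DC removes the member when it reaches zero.
    # Kerberos tickets issued to the member are also capped to the remaining TTL,
    # so a TGT obtained at 10:01 cannot still carry the group at 3:15.
    Add-ADGroupMember -Identity $Group -Members $Candidate -MemberTimeToLive $ttl

    $expires = (Get-Date).Add($ttl)
    Send-MailMessage -To $Notify -From 'mars@contoso.com' -SmtpServer $Smtp `
        -Subject "JIT: $Candidate added to $Group until $($expires.ToString('HH:mm'))" `
        -Body "Requested $(Get-Date -Format s); auto-approved; expires $($expires.ToString('s'))."
    return $expires
}

function Get-TimeBoundMembers {
    param([Parameter(Mandatory)] [string] $Group)
    # With -ShowMemberTimeToLive, time-bound members come back as
    # <TTL=seconds>,<member DN>; permanent members have no prefix.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' } |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            }
        }
}

# Steps 1 to 2b of the slide: request at 10:00, auto-approved, expires at 12:00.
# Grant-TimeBoundMembership -Group 'Domain Admins' -Candidate 'candidate.jit' -Hours 2
# Who currently holds expiring membership, and for how much longer:
# Get-TimeBoundMembers -Group 'Domain Admins'
```

The approval step here is automatic, as in the slide's 2a; a real request system would put a human or policy decision in front of Add-ADGroupMember and log the request and the grant to tamper-resistant audit.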

Slide 23: Enhanced Security Admin Environment (ESAE) overview
- Domain and forest administration: production domain(s); domain and forest; security alerting
- Server and system management: hardened hosts and accounts; Managed Access Request System (MARS); app and data management
- Privileged Account Workstation (PAW); user assistance and support; helpdesk and workstation management
- Lateral traversal mitigations; application & service hardening
- Windows 8.1 / Server 2012 R2 features used: RDP with Restricted Admin, Protected Users, Authentication Policies and Silos
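The three Windows 8.1 / Server 2012 R2 features named on the slide each close one link of the chain: Protected Users stops a Tier 0 account from using NTLM or leaving cacheable secrets behind, an Authentication Policy Silo stops it from authenticating from anything but designated Tier 0 hosts, and Restricted Admin RDP stops its credentials from reaching the server it administers. The following is an added example, not the deck's or Microsoft's deployment script, that applies all three to one assumed Tier 0 account. It assumes a 2012 R2 domain functional level, domain controllers with "KDC support for claims, compound authentication and Kerberos armoring" enabled by Group Policy, and the account, host, policy and silo names shown.

```powershell
# Added example, not from the presentation: apply the 2012 R2 credential
# protections to a Tier 0 administrator. Names and hosts are assumed.

Import-Module ActiveDirectory

$Tier0Admin = 'da-alice'
$Tier0Hosts = 'DC01$', 'PAW01$'        # computer accounts where Tier 0 logons are allowed
$SiloName   = 'Tier0-Silo'
$PolicyName = 'Tier0-Policy'

# 1. Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, 4-hour TGT,
#    and no cached logon on 8.1/2012 R2 hosts. Anything that still needs NTLM
#    for this account breaks, which is the intended signal.
Add-ADGroupMember -Identity 'Protected Users' -Members $Tier0Admin

# 2. Authentication policy: TGT lifetime plus "allowed to authenticate from".
#    The conditional ACE admits only devices that are members of the silo.
$allowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Enforce

# 3. Silo binding the user and the Tier 0 hosts together. Roll out with
#    -Enforce:$false first: audit mode logs would-be denials without blocking.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -ServiceAuthenticationPolicy $PolicyName `
    -Enforce
Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $Tier0Admin
$Tier0Hosts | ForEach-Object { Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $_ }
Set-ADUser -Identity $Tier0Admin -AuthenticationPolicySilo $SiloName
$Tier0Hosts | ForEach-Object { Set-ADComputer -Identity $_ -AuthenticationPolicySilo $SiloName }

# 4. Restricted Admin RDP on a managed server: the client never sends the
#    password or hash to the server, so a compromised server cannot harvest it.
#    Trade-off: with the mode enabled the server will accept an NT hash over RDP
#    (PTH into RDP), so pair it with the silo rather than using it alone.
# Invoke-Command -ComputerName APP01 -ScriptBlock {
#     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
#         -Name DisableRestrictedAdmin -Value 0 -Type DWord
# }
# mstsc.exe /restrictedAdmin /v:APP01
```

Verify the silo before enforcing it: with the silo in audit mode, Kerberos authentication from a non-silo host is recorded on the DC (Event ID 101 to 104 under Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController) without being denied, and the account's Kerberos events on the PAW should show the four-hour TGT lifetime.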

Slide 24: Application and Service Hardening
Upstream risks (anything that controls the application):
- Host installation media/process
- Unpatched software vulnerability, weak OS configuration
- Local operating system administrators
- Physical access and virtual machine administrators
- Baseboard Management Controllers (BMCs)
- Backup and storage administrators
- ACLs on the computer account, OU, GPO, and GPO content
- Management agents on the server and scheduled tasks
- Application agents or software
- Application service accounts
- Application administrator roles
Important: upstream risks also include every host where an upstream administrator's credentials are exposed.
Downstream control: the application itself and its data (is it business critical?)
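Of the upstream risks listed, the ACL ones are the easiest to overlook, because nobody logs on as "the OU": a principal with write rights over the computer account, the OU that holds it, or the GPO linked to it controls the application as surely as a local administrator does. The following is an added example, not code from the presentation or from Microsoft, that enumerates who holds control rights over such objects and reports the principals that are not in an assumed Tier 0 allow-list. The domain name, object names and the allow-list are assumptions; the rights considered "control" are a judgement call explained in the comments.

```powershell
# Added example, not from the presentation: list principals with control rights
# over Tier 0 AD objects (computer account, OU, GPO). Names are assumed.

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Rights that amount to owning the object: full control, rewriting its DACL or
# owner, writing every attribute, or any extended right (e.g. reset password).
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'
# Principals expected to hold such rights on Tier 0 objects; anyone else is an
# upstream risk in the slide's sense. Assumed for contoso.local.
$ExpectedTier0 = 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins',
                 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

function Get-UpstreamControllers {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($rights | Where-Object { $_ -in $ControlRights })
        # WriteProperty scoped to a single attribute (non-empty ObjectType GUID)
        # is not control of the object; only "all properties" counts.
        if ($hit -contains 'WriteProperty' -and $ace.ObjectType -ne [guid]::Empty) {
            $hit = @($hit | Where-Object { $_ -ne 'WriteProperty' })
        }
        if ($hit.Count -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $who
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited
            Expected  = ($who -in $ExpectedTier0)
        }
    }
    # The owner can always rewrite the DACL, so report it as a control right too.
    [pscustomobject]@{
        Object    = $DistinguishedName
        Principal = $acl.Owner
        Rights    = 'Owner'
        Inherited = $false
        Expected  = ($acl.Owner -in $ExpectedTier0)
    }
}

# Audit a DC's computer account, the Domain Controllers OU and the GPO linked to it.
# GPO content lives in SYSVOL as well; check that file ACL separately.
$targets = @(
    (Get-ADComputer -Identity 'DC01').DistinguishedName,
    'OU=Domain Controllers,DC=contoso,DC=local',
    (Get-ADObject -LDAPFilter '(&(objectClass=groupPolicyContainer)(displayName=Default Domain Controllers Policy))').DistinguishedName
)
$targets | ForEach-Object { Get-UpstreamControllers -DistinguishedName $_ } |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```

Every row that comes back unexpected is a Tier 0 principal that was never named as one: a helpdesk group with GenericAll on the OU, a delegated service account with WriteDacl on the computer object, or a former project group still owning the GPO. Each is a place where a lower-tier credential, once stolen, becomes domain control.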

Slide 28: Come visit us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1, Hall CD.
For more information: Windows Server 2012 R2, Microsoft Azure, System Center 2012 R2, Azure Pack (cloud/products/windows-azure-pack)
