
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam


1 ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam oneforest@psu.edu

2 Agenda
- 1. ONEForest Overview
- 2. Preventing credential theft
- 3. Secure Administration
- 4. Takeaways

3 ITS – Identity Services: ONEForest Overview
- Key Benefits
- Security Goals
- Technical Design

4 ONEForest Key Benefits
- Improve Penn State security posture
  - Consolidate local credential stores to a single point of control
  - Replace MIT Kerberos as the central authentication store
  - Extend domain management to off-network computers
- Foundation for higher-level services
  - Consistency of identities across services
  - Secure login to Office 365 with PSU credentials

5 Improve Security Posture (diagram: OU hierarchy, not recoverable from the transcript)

6 Security Goals
- Follow best practices from Microsoft & NIST
- Mitigate common credential theft attacks
- Protect domain credentials at rest & in transit
- Eliminate use of weak authentication protocols

7 Active Directory Design
- Green field: single forest, single domain
- Using TNS IPAM service
- OU structure to support delegation
- Multiple password policies
- GPOs to apply a minimum security baseline

8 ITS – Identity Services: Preventing Credential Theft
- Pass the Hash demo
- Technical vulnerabilities
- Mitigations

9 Pass the Hash (Demo)
Social engineering to gain admin access:
- 1. Spear phishing to get a user credential
- 2. Pose as the user to lure an admin to log in to the compromised system
- 3. Trick the admin into running malicious code (online or local app)
- 4. Bingo! Access to the admin’s credential
Credential replay attack

10 PtH Demonstration

11 Vulnerable Technology
- Caching of user credentials (hashes) for SSO (LSASS.exe)
- Logins allowed to any client by any user
- RDS provides the user credential to the local computer
- Common local Administrator password
- Host firewalls permit lateral movement across the network

12 Technical Mitigations
- Decommission Windows pre-8.1 & Windows Server pre-2012 R2
  - MS fixed LSASS.exe in more recent OS versions
- Turn off LM and NTLMv1 using GPOs
  - Easily exploitable
- Use the “Protected Users” security group for admin accounts
  - No NTLM, high encryption, 4 hr. ticket lifetime
- Limit privileged account logins using User Rights GPOs
- Require multiple credentials

13 Technical Mitigations
- Use Microsoft Local Administrator Password Solution (LAPS)
  - Unique, per-computer passwords for the local Administrator account
- Use Remote Assistance to access workstations and for client management
  - Prevent exposure of admin credentials to clients
- Implement local firewall policies
  - Prevent unnecessary client-to-client communication
- Limit the effectiveness of phishing by using 2FA
  - Integrate with remote applications & VPNs
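An added audit script, not from the presentation, that checks a domain for the gaps slides 12 and 13 (and the cached-credential item on slide 20) tell you to close. It assumes a domain-joined host with the RSAT ActiveDirectory module, the legacy Microsoft LAPS schema attribute ms-Mcs-AdmPwdExpirationTime, and the group names 'Domain Admins' and 'Protected Users' as placeholders for your admin groups.

```powershell
# Added example (not ONEForest code). Assumptions: RSAT ActiveDirectory module,
# legacy LAPS schema (ms-Mcs-AdmPwdExpirationTime), placeholder admin group names.
Import-Module ActiveDirectory
$findings = @()

# Slide 12: LM/NTLMv1 off. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
# Assumption: an unset value is treated as the modern default of 3.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lm  = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
if ($lm -lt 5) { $findings += "LmCompatibilityLevel is $lm; set it to 5 via GPO to refuse LM/NTLMv1" }

# Slide 12: every admin account belongs in Protected Users (no NTLM, no weak Kerberos
# encryption, 4 h ticket lifetime). Flag Domain Admins members that are not in it.
$protected = Get-ADGroupMember 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.DistinguishedName } |
    ForEach-Object { $findings += "Admin $($_.SamAccountName) is not in Protected Users" }

# Slide 13: LAPS. A computer with no ms-Mcs-AdmPwdExpirationTime has never had its local
# Administrator password rotated by LAPS, so it may still share the common password.
Get-ADComputer -Filter 'enabled -eq $true' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object { $findings += "No LAPS password recorded for $($_.Name)" }

# Slide 12: decommission pre-8.1 clients and pre-2012 R2 servers (they lack the LSASS fix).
# The lookahead keeps 'Windows Server 2012 R2' out of the match.
Get-ADComputer -Filter 'enabled -eq $true' -Properties operatingSystem |
    Where-Object { $_.operatingSystem -match 'Windows (XP|Vista|7|8 |Server 2003|Server 2008|Server 2012 (?!R2))' } |
    ForEach-Object { $findings += "$($_.Name) runs $($_.operatingSystem); upgrade or decommission" }

# Slide 20: cached domain logons on this host. CachedLogonsCount is a REG_SZ, default 10;
# jump servers and admin workstations should carry 0 so no domain credential is cached.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$cached = if ($null -ne $wl.CachedLogonsCount) { [int]$wl.CachedLogonsCount } else { 10 }
if ($cached -gt 0) { $findings += "CachedLogonsCount is $cached on $env:COMPUTERNAME; set 0 on jump servers" }

if ($findings.Count -eq 0) { 'No gaps found against slides 12, 13 and 20' } else { $findings }
```

Run it from an admin workstation as an account that can read the LAPS expiration attribute; the computer-object queries scale to the whole domain, so expect a long list on a first run.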

14 Mitigate with Best Practices
- Assume compromise
  - Adjust our mindset – “not if, but when?”
- Follow the least-privileged access model
  - Eliminate granting admin privileges to standard user accounts (LAPS)
  - Separate accounts for admin duties
- Use dedicated “jump” servers
  - Provide a known-good environment for admins

15 ITS – Identity Services: Secure Administration
- Role Separation
- Remote Desktop Services

16 Role Separation (tiers, from highest privilege to lowest)
- Enterprise & Domain Admin
- OU Admin
- Server Admin
- Workstation Admin
- User Auth.

17 Microsoft RemoteApp – Prerequisites
- Compatible Remote Desktop client
- Given access to ONEForest Remote Administration
- Registered for DUO 2FA push notifications
- Must have a PSU IP address
- Set up the MS RemoteApp connection on your client

18 Microsoft RemoteApp – Workflow
- Launch the RemoteApp
- Authenticate with PSU account
- Complete 2FA
- Admin credential
- Outcome: app running as admin on the Session Host; displayed on the client

19 ITS – Identity Services: Takeaways

20 Things you should do now
- “Assume Compromise” mindset
- Upgrade clients & servers now!
- Deploy LAPS
- Implement jump servers for admins
- Configure local firewalls
- Protect applications & VPNs with 2FA
- Use the “Protected Users” security group
- Disable caching of AD credentials
- Limit debug privileges

21 Questions? (repeats the list from slide 20)

