Download presentation
Presentation is loading. Please wait.
Published byRandolf Johnson Modified over 8 years ago
1
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam oneforest@psu.edu
2
Agenda 1.ONEForest Overview 2.Preventing credential theft 3.Secure Administration 4.Takeaways
3
ITS – Identity Services ONEForest Overview Key Benefits Security Goals Technical Design
4
ONEForest Key Benefits Improve Penn State security posture Consolidate local credential stores to a single point of control Replace MIT-Kerberos as central authentication store Extend domain management to off network computers Foundation for Higher Level Services Consistency of identities across services Secure login to Office 365 with PSU credentials
5
Improve Security Posture OUOU OUOUOUOU OUOU
6
Security Goals Follow best practices from Microsoft & NIST Mitigate common credential theft attacks Protect domain credentials at rest & in transit Eliminate use of weak authentication protocols
7
Active Directory Design Green field Single Forest, Single Domain Using TNS IPAM service OU Structure to support delegation Multiple Password Policies GPOs to apply minimum security baseline
8
ITS – Identity Services Preventing Credential Theft Pass the Hash Demo Technical Vulnerabilities Mitigations
9
Pass the Hash (Demo) Social Engineering to gain admin access 1.Spear Phishing to get user credential 2.Pose as user to lure admin to login to compromised system 3.Trick admin into running malicious code (online or local app) 4.Bingo! Access to admin’s credential Credential Replay Attack
10
PtH Demonstration
11
Vulnerable Technology Caching of user credential (hash) for SSO (LSASS.exe) Logins allowed to any client by any user RDS provides user credential to local computer Common local Administrator password Host firewalls permit lateral movement across network
12
Technical Mitigations Decommission Windows pre 8.1 & Windows Server pre 2012 R2 MS fixed LSASS.exe in more recent OS versions Turn off LM and NTLMv1 using GPOs Easily exploitable Use of “Protected Users” Security Group for Admin accounts No NTLM, high encryption, 4 hr. ticket lifetime Limit privileged account logins using User Rights GPOs Require multiple credentials
13
Technical Mitigations Use Microsoft Local Administrator Password Solution (LAPS) Unique, per computer passwords for the local administrator account Use Remote Assistance to access workstations and for client management Prevent exposure of admin credentials to clients Implement local firewall policies Prevent unnecessary client-to-client communication Limit effectiveness of phishing by using 2FA Integrate with remote applications & VPNs
14
Mitigate with Best Practices Assume Compromise Adjust our mindset – “not if, but when?” Follow Least Privileged Access model Eliminate granting admin privileges to standard user accounts (LAPS) Separate accounts for admin duties Use dedicated “jump” servers Provide known good environment for admins
15
ITS – Identity Services Secure Administration Role Separation Remote Desktop Services
16
Role Separation Enterprise & Domain Admin OU Admin Server Admin Workstation Admin User Auth.
17
Microsoft RemoteApp – Prerequisites Compatible Remote Desktop client Given access to ONEForest Remote Administration Registered for DUO 2FA Push Notifications Must have a PSU IP address Setup MS RemoteApp connection on your client
18
Microsoft RemoteApp – Workflow Launch the RemoteApp Authenticate with PSU account Complete 2FAAdmin credential Outcome: App running as admin on Session Host; displayed on client
19
ITS – Identity Services Takeaways
20
Things you should do now “Assume Compromise” mindset Upgrade clients & servers now! Deploy LAPS Implement jump servers for Admins Configure local firewalls Protect applications & VPNs with 2FA Use “Protected Users" security group Disable caching of AD credentials Limit debug privileges
21
Questions? “Assume Compromise” mindset Upgrade clients & servers now! Deploy LAPS Implement jump servers for Admins Configure local firewalls Protect applications & VPNs with 2FA Use “Protected Users" security group Disable caching of AD credentials Limit debug privileges
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.