BACHELOR’S THESIS DEFENSE Protecting Windows Privileged Accounts BACHELOR’S THESIS DEFENSE Loc Phan Van -- 175353IDCR Supervisor: Ilhan Celebi – Infrastructure Engineer

Agenda Introduction Effectiveness of Implementation Windows Active Directory Security Principles Define Sensitive Groups Windows Active Directory Security Development Best Practices Conclusions

Introduction Background Problems Objectives Privileged accounts have always become a primary target It’s like a regular accounts, have a valid set of credentials -> system, network Windows privileged accounts are complicated compared to other systems Most popular Operating System, directory service Due to the complexity -> hard to manage, gets ignored. Expensive security software Give administrative principles Point out sensitive groups Develop a tool for privileged accounts information gathering Develop monitoring solution for privileged accounts

Effectiveness of implementation Time line for typical attack scenario 80% from external attacks 75% of attacks take weeks or more (Verizon Report) $1,2M over a week for recovering (IT Sec Risk Report)

Effectiveness of implementation Detect abnormal behaviors Alert to Administrators Extend the time of escalation by applying RBAC Tier Model Secondary account Tier-0 Groups Privileged Admin Workstation Naming Convention Privileged Account Cleaning-up

Windows AD Security Principles Role based access control Tier Model Dealing With Tier-0 Groups Secondary accounts Privileged Admin Workstation Naming Convention Privileged accounts cleaning-up 1 2 3 4 5 6 +

Windows AD Security Principles Privileged Account Cleaning-up Implement the data investigation on the AD objects. Have more focus on Administrative objects (accounts, groups). Have more focus on Service accounts and check if the services are still running. Promulgate the policies for those unused objects (delete them or deactivate them).

Windows AD Security Development 1 Privileged Accounts Information Gathering 2 Privileged Accounts Monitoring

Windows AD Security Development 1 Privileged Accounts Information Gathering

Windows AD Security Development 2 Privileged Accounts Monitoring +

Windows AD Security Development 2 Privileged Accounts Monitoring

Best practices Inventory and reduce the number of privileged accounts. Secondary accounts. Enforce least privileged for standard user accounts. Store password securely. Create a process for on- and off-boarding employees that have privileged accounts. Eliminate the practice of accounts that have non-expiring passwords. Password complexity and password age policy. Implement automated password verification and reconciliation. Privileged account information gathering. Proactivity detect malicious behavior.

Conclusions Very first stepping stones in Windows Security Contribute Windows administrative principles Implement privileged accounts information gathering Manipulate and develop a monitoring solution Give best practices Further work: Dealing with service account

Thank you

Reviewer’s questions

Tier 0 groups Domain Admins Active Directory group with full admin rights to the Active Directory domain and all computers (default). Enterprise Admins Active Directory group with full admin rights to all Active Directory domains in the AD forest and gains this right through automatic membership in the Administrators group in every domain in the forest. Schema Admins Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. Backup Operators Local or Active Directory group. AD group members can backup or restore Active Directory and have logon rights to Domain Controllers (default). Server Operators Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back-up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. Print Operators Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. Account Operators Active Directory group with default privileged rights on domain users and groups, plus the ability to logon to Domain Controllers. Administrators Local or Active Directory group. The AD group has full admin rights to the Active Directory domain and Domain Controllers.

Sensitive groups Pre–Windows 2000 Compatible Access Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. Remote Desktop Users The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). WinRMRemoteWMIUsers__ In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console. Protected User Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts.

Windows AD Security Principles Role based access control Tier Model

Windows AD Security Principles Dealing with Tier-0 Groups Domain Admins Enterprise Admins Schema Admins Backup Operators Server Operators Print Operators Account Operators Administrators One account for normal user activities: Mail Internet Browsing Line of business applications etc. Separate account for doing administration. One admin account for each tier For example: pe889 [^pe]: for regular user accounts ad335 [^ad]: for administrative accounts Secondary accounts

Windows AD Security Principles Privileged Admin Workstation Role: Role-<Role Tier>-<Role Name> Prefix: Role Role Tier: T0/T1/2 Role Name: Job Function Role-T2-WorkstationAdmins Task: Task-<Target Object Type>-<Operation>-<Target> Prefix: Task Target Object Type: AD object type Operation: Create/Delete/Manage etc. Target: Short Name for OU/Target Task-Computer-Create-CORP Naming Convention