ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam

Agenda 1.ONEForest Overview 2.Preventing credential theft 3.Secure Administration 4.Takeaways

ITS – Identity Services ONEForest Overview Key Benefits Security Goals Technical Design

ONEForest Key Benefits Improve Penn State security posture Consolidate local credential stores to a single point of control Replace MIT-Kerberos as central authentication store Extend domain management to off network computers Foundation for Higher Level Services Consistency of identities across services Secure login to Office 365 with PSU credentials

Improve Security Posture OUOU OUOUOUOU OUOU

Security Goals Follow best practices from Microsoft & NIST Mitigate common credential theft attacks Protect domain credentials at rest & in transit Eliminate use of weak authentication protocols

Active Directory Design Green field Single Forest, Single Domain Using TNS IPAM service OU Structure to support delegation Multiple Password Policies GPOs to apply minimum security baseline

ITS – Identity Services Preventing Credential Theft Pass the Hash Demo Technical Vulnerabilities Mitigations

Pass the Hash (Demo) Social Engineering to gain admin access 1.Spear Phishing to get user credential 2.Pose as user to lure admin to login to compromised system 3.Trick admin into running malicious code (online or local app) 4.Bingo! Access to admin’s credential Credential Replay Attack

PtH Demonstration

Vulnerable Technology Caching of user credential (hash) for SSO (LSASS.exe) Logins allowed to any client by any user RDS provides user credential to local computer Common local Administrator password Host firewalls permit lateral movement across network

Technical Mitigations Decommission Windows pre 8.1 & Windows Server pre 2012 R2 MS fixed LSASS.exe in more recent OS versions Turn off LM and NTLMv1 using GPOs Easily exploitable Use of “Protected Users” Security Group for Admin accounts No NTLM, high encryption, 4 hr. ticket lifetime Limit privileged account logins using User Rights GPOs Require multiple credentials

Technical Mitigations Use Microsoft Local Administrator Password Solution (LAPS) Unique, per computer passwords for the local administrator account Use Remote Assistance to access workstations and for client management Prevent exposure of admin credentials to clients Implement local firewall policies Prevent unnecessary client-to-client communication Limit effectiveness of phishing by using 2FA Integrate with remote applications & VPNs

Mitigate with Best Practices Assume Compromise Adjust our mindset – “not if, but when?” Follow Least Privileged Access model Eliminate granting admin privileges to standard user accounts (LAPS) Separate accounts for admin duties Use dedicated “jump” servers Provide known good environment for admins

ITS – Identity Services Secure Administration Role Separation Remote Desktop Services

Role Separation Enterprise & Domain Admin OU Admin Server Admin Workstation Admin User Auth.

Microsoft RemoteApp – Prerequisites Compatible Remote Desktop client Given access to ONEForest Remote Administration Registered for DUO 2FA Push Notifications Must have a PSU IP address Setup MS RemoteApp connection on your client

Microsoft RemoteApp – Workflow Launch the RemoteApp Authenticate with PSU account Complete 2FAAdmin credential Outcome: App running as admin on Session Host; displayed on client

ITS – Identity Services Takeaways

Things you should do now “Assume Compromise” mindset Upgrade clients & servers now! Deploy LAPS Implement jump servers for Admins Configure local firewalls Protect applications & VPNs with 2FA Use “Protected Users" security group Disable caching of AD credentials Limit debug privileges

Questions? “Assume Compromise” mindset Upgrade clients & servers now! Deploy LAPS Implement jump servers for Admins Configure local firewalls Protect applications & VPNs with 2FA Use “Protected Users" security group Disable caching of AD credentials Limit debug privileges