Published by Loreen Parsons, modified over 7 years ago
BRK3286: Mastering the lion's PAW: How to build a privileged access workstation
Sami Laiho, MVP – Windows OS; Senior Technical Fellow – Adminize; Senior Advisor – Intility / Applixure; Member of Names.fi
7/18/2018 11:16 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Sami Laiho, Senior Technical Fellow, adminize.com, Twitter: @samilaiho
IT Admin since 1996; MCT since 2001; MVP in Windows OS since 2011
Specializes in and trains: troubleshooting, security, hacking, penetration testing, social engineering
Trophies: NIC 2016 – Best Speaker; Ignite 2015 – Best male presenter ;) (#2 out of 1000 speakers); TechEd Europe 2014 – Best session; TechEd North America – Best session, Best speaker; TechEd Australia – Best session, Best speaker
2,6 pounds of them
“JÄRJESTELMÄNVALVOJA” (Finnish for “administrator”) SWAG
A few things to learn about Finnish
Why?
Management tools just were not meant to work on servers:
RDP is an emergency console with two licenses
No GUI
High-privileged user accounts can't be used “wherever”
RSAT – Sami Laiho
Privilege Hijacking – Sami Laiho
TIP: You can detect RDP session hijacking with Sysmon by watching for tscon.exe process creation (Event ID 1) at SYSTEM integrity level.
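The Sysmon check described in the tip, as an added example that is not part of the original deck: it parses Sysmon process-create events (Event ID 1, default channel Microsoft-Windows-Sysmon/Operational) and flags tscon.exe started at System integrity. The function names and the sample event are this example's own assumptions.

```powershell
# Added example: detect tscon.exe process creation at System integrity in Sysmon
# Event ID 1 records. Assumes Sysmon is installed and logging to its default channel.

function ConvertFrom-SysmonEventData {
    # Flatten the <Data Name="...">value</Data> elements of a Sysmon event into a hashtable
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($node in $EventXml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

function Test-TsconHijackEvent {
    # True when the created process is tscon.exe running at System integrity level
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = ConvertFrom-SysmonEventData -EventXml $EventXml
    return ($f['Image'] -like '*\tscon.exe' -and $f['IntegrityLevel'] -eq 'System')
}

function Get-TsconHijackEvents {
    # Live query: walk the Sysmon channel and report matching events with context
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            if (Test-TsconHijackEvent -EventXml $xml) {
                $f = ConvertFrom-SysmonEventData -EventXml $xml
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $f['User']
                    ParentImage = $f['ParentImage']
                    CommandLine = $f['CommandLine']
                }
            }
        }
}

# Constructed sample event (not a real capture) so the rule can be checked offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\tscon.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="IntegrityLevel">System</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@
Test-TsconHijackEvent -EventXml ([xml]$sample)
```

Run Get-TsconHijackEvents on a host with Sysmon to list real hits; legitimate use of tscon.exe by administrators will also match, so review the parent process and user before alerting.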
How?
Platforms?
Platform Level 1: A workstation is either a normal or a privileged one
Platform Level 2: Admins have a VM; either running the admin stuff on the VM, or running the admin stuff on the host
Platform Level 3: Admins have separate computers for normal and privileged use
Owning a nested VM – Sami Laiho
What about Jump Servers?
Jump Servers: This approach is frequently proposed to mitigate risk to administration and does provide some security assurances, but the jump server approach by itself is vulnerable to certain attacks because it violates the “clean source” principle. The clean source principle requires all security dependencies to be as trustworthy as the object being secured.
Jump Servers: The administrative session on the jump server relies on the integrity of the local computer accessing it. If this computer is a user workstation subject to phishing attacks and other internet-based attack vectors, then the administrative session is also subject to those risks.
Security Baselines
Microsoft PAW: The actual PAW document
Security Baselines: Military grade – a bit too tough for me. Oh… And they're incomplete…
iPAW
Configuration Needs: OS/Hardware choice; Additional Features; Active Directory; Security Settings; LAPS; Principle of Least Privilege; Whitelisting/Blacklisting; Firewall & IPsec; Exploit Guard / EMET
OS/Hardware Choice: Windows 10 Enterprise 1703 (fixes the Shift+F10 problem)
x64 CPU with SLAT/IOMMU support
BitLocker enabled with TPM
No Firewire/PC Card slots; even better if there is no DMA at all
Additional Features: Credential Guard enabled
Read this: Windows Defender Application Guard is recommended if Internet access is allowed
RSAT and Sysinternals Suite + your needed admin tools (Telnet client, SSH, SAN admin tools, Exchange consoles…)
Honolulu (the project later released as Windows Admin Center)
Honolulu – Sami Laiho
Active Directory: Split your environment into three layers. Never allow higher-layer admins to log on to lower layers.
Power (DCs) – Domain Admins
Data (Servers and Apps) – Server Admins
Access (Endpoints) – Workstation Admins
PAWs need to be separated
Normal Workstation
Servers
iPAW
Extra Security Settings: Block DMA; Block RDP; Block Fast User Switching; Force BitLocker recovery on password lockout; Block UAC virtualization; Block higher-tier admins; Allow only IT personnel to log on
LAPS: Deploy the Local Administrator Password Solution
Kills local Pass-the-Hash problems. In general, remember to use 15-character passwords for your privileged accounts and for those who have access to PAWs.
Principle of Least Privilege: Use tools like Avecto; use your biometrics
If you need a local admin account: block interactive logon
Block PowerShell from limited users
Cheat Explorer RunAs: you might not be able to run it ;)
Least Privilege Tips & Tricks – Sami Laiho
Whitelisting / Blacklisting: Deploy AppLocker (or SRPv1)
sc config appidsvc start= auto
Audit with ACCESSCHK.exe
Remember AppLocker needs help from the Firewall
Firewall: The firewall helps AppLocker and blocks PowerShell
Whitelisting – Sami Laiho
IPsec: Used more than before in my experience
Start with a pre-shared key if you think it's hard
The DC usually needs to allow DNS
If you use Kerberos/certs it might be easier to just exempt the DC; that's what most seem to do, and just protect it with a firewall
Require for INBOUND, request for OUTBOUND
Only integrity, not encryption: AH, not ESP
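The IPsec starting point from the slide (pre-shared key, require inbound and request outbound, AH rather than ESP, DC exempted and left to the firewall), as an added example that is not part of the original deck. The PSK, the DC address and the rule display names are placeholders; run elevated on the PAW.

```powershell
# Added example: Windows connection security rules following the slide's IPsec guidance.
# Placeholders below must be replaced; nothing here comes from the original deck.

$Psk  = 'REPLACE-WITH-LONG-RANDOM-PSK'   # placeholder; move to Kerberos/certs once it works
$DcIp = '10.0.0.10'                       # placeholder address of the domain controller

# Phase 1: machine authentication with a pre-shared key, the "start here" option
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'PAW PSK auth' `
    -Proposal (New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk)

# Quick mode: AH only, so traffic is integrity-protected but not encrypted
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'PAW AH only' `
    -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256)

# Exempt the DC from IPsec (DNS and Kerberos keep working) and protect it with firewall rules instead
New-NetIPsecRule -DisplayName 'PAW exempt DC' -RemoteAddress $DcIp `
    -InboundSecurity None -OutboundSecurity None

# Everyone else: require authenticated inbound, request (but do not insist on) outbound
New-NetIPsecRule -DisplayName 'PAW require inbound, request outbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -QuickModeCryptoSet $qm.Name

# Verify what was created
Get-NetIPsecRule -DisplayName 'PAW*' | Format-Table DisplayName, InboundSecurity, OutboundSecurity
```

Once peers negotiate successfully, Get-NetIPsecQuickModeSA shows the AH security associations; switching the proposal to ESP is the "second level" step the deck lists later.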
IPsec – Sami Laiho
EMET / Exploit Guard
iPAW 2
Second Level Protections?
Add a PIN or other pre-boot authenticator; check the TPM document from my materials
Internet access ON/OFF
IPsec ESP ON, not just AH
Device Guard?
ESAE Administrative Forest
Protected Accounts
https://is.gd/theipaw
Want more? Check out my videos at PluralSight!
Check out my personal video library at
Follow me on Blog, Slack:
Consulting? me at