
Mastering the lion's PAW: How to build a privileged access workstation


1 Mastering the lion's PAW: How to build a privileged access workstation
7/18/2018 11:16 PM BRK3286
Sami Laiho, MVP – Windows OS
Senior Technical Fellow – Adminize
Senior Advisor – Intility / Applixure
Member of Names.fi
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Sami Laiho
Senior Technical Fellow, adminize.com
Twitter: @samilaiho
IT Admin since 1996
MCT since 2001
MVP in Windows OS since 2011
Specializes in and trains: Troubleshooting, Security, Hacking, Penetration testing, Social Engineering
Trophies:
NIC 2016 – Best Speaker
Ignite 2015 – Best male presenter ;) (#2 out of 1000 speakers)
TechEd Europe 2014 – Best session
TechEd North America – Best session, Best speaker
TechEd Australia – Best session, Best speaker

3 2,6 pounds of them

4 “JÄRJESTELMÄNVALVOJA” SWAG

5 A few things to learn about Finnish

6 Why?

7 Why?
Management tools just were not meant to work on servers
RDP is an emergency console with two licenses
No GUI
High-privileged user accounts can't be used "wherever"

8 RSAT Sami Laiho

9 Privilege Hijacking Sami Laiho

10 TIP: You can detect RDP session hijacking with Sysmon by watching for tscon.exe process creation at SYSTEM integrity level
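The detection the tip describes, written out as an added PowerShell example (not from the talk): it reads Sysmon ProcessCreate events and flags tscon.exe started at SYSTEM integrity. It assumes Sysmon is installed with ProcessCreate logging; the function and object names are my own, and the sample event at the end is constructed.

```powershell
# Added example (not from the talk): flag Sysmon ProcessCreate events (Event ID 1) in which
# tscon.exe was launched at SYSTEM integrity, the RDP session hijack indicator the slide names.
# Assumes Sysmon is installed with ProcessCreate logging; the sample event below is constructed.

function ConvertFrom-SysmonEventData {
    # Flatten the <Data Name="..."> elements of one Sysmon event into a hashtable.
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    return $f
}

function Test-TsconAtSystem {
    # $true when the event's Image is tscon.exe and its IntegrityLevel is System.
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = ConvertFrom-SysmonEventData $EventXml
    return [bool](($f['Image'] -match '\\tscon\.exe$') -and ($f['IntegrityLevel'] -eq 'System'))
}

function Get-TsconAtSystemEvents {
    # Live query over the Sysmon operational log, newest first; emits one object per hit.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            if (Test-TsconAtSystem $x) {
                $f = ConvertFrom-SysmonEventData $x
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    User        = $f['User']
                    ParentImage = $f['ParentImage']
                    ParentPid   = $f['ParentProcessId']
                }
            }
        }
}

# Constructed sample event, trimmed to the fields the check reads, so the logic runs offline.
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\tscon.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="IntegrityLevel">System</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessId">4212</Data>
  </EventData>
</Event>
"@
Test-TsconAtSystem $sample
```

Legitimate tscon.exe use by an interactive user runs at High integrity at most, which is why the SYSTEM integrity level is the discriminator rather than the image name alone.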

11 How?

12 Platforms? Platform Level 1 / Platform Level 2 / Platform Level 3
A workstation is either a normal or a privileged one
Platform Level 2: Admins have a VM, running the admin stuff on the VM or running the admin stuff on the host
Platform Level 3: Admins have separate computers for normal and privileged use

13 Owning a nested VM Sami Laiho

14 What about Jump Servers?

15 Jump Servers
This approach is frequently proposed to mitigate risk to administration and does provide some security assurances, but the jump server approach by itself is vulnerable to certain attacks because it violates the "clean source" principle. The clean source principle requires all security dependencies to be as trustworthy as the object being secured.

16 Jump Servers The administrative session on the jump server relies on the integrity of the local computer accessing it. If this computer is a user workstation subject to phishing attacks and other internet-based attack vectors, then the administrative session is also subject to those risks.

17 Security Baselines

18 Microsoft PAW
The actual PAW document:
Security Baselines: military grade – a bit too tough for me
Oh… and they're incomplete…

19 iPAW

20 Configuration Needs
OS/Hardware choice
Additional Features
Active Directory
Security Settings
LAPS
Principle of Least Privilege
Whitelisting/Blacklisting
Firewall & IPsec
Exploit Guard / EMET

21 OS/Hardware Choice
Windows 10 Enterprise 1703 – fixes the Shift+F10 problem
x64 CPU with SLAT/IO-MMU support
BitLocker enabled with TPM
No Firewire/PC Card slots – well, even better if no DMA

22 Additional Features
Credential Guard enabled
Read this:
Windows Defender Application Guard recommended if Internet access is allowed
RSAT and Sysinternals Suite + your needed admin tools: Telnet client, SSH, SAN admin tools, Exchange consoles…
Honolulu:

23 Honolulu Sami Laiho

24 Active Directory
Split your environment into three layers
Never allow higher layer admins to log on to lower layers
Power (DCs) – Domain Admins
Data (Servers and Apps) – Server Admins
Access (Endpoints) – Workstation Admins

25 PAWs need to be separated

26 Normal Workstation

27 Servers

28 iPAW

29 Extra Security Settings
Block DMA
Block RDP
Block Fast User Switching
Force BitLocker recovery when password lockout
Block UAC virtualization
Block higher tier admins
Allow only IT personnel to log on

30 LAPS
Deploy Local Admin Password Solution
Kills local Pass-the-Hash problems
In general, remember to use 15-character passwords for your privileged accounts and for those who have access to PAWs

31 Principle of Least Privilege
Use tools like Avecto
Use your biometrics
If you need a local admin account
Block interactive logon
Block PowerShell from limited users
Cheat: Explorer RunAs – you might not be able to run it ;)

32 Least Privilege Tips & Tricks
Sami Laiho

33 Whitelisting / Blacklisting
Deploy AppLocker (or SRPv1)
sc config appidsvc start= auto
Audit with ACCESSCHK.exe
Remember AppLocker needs help from the Firewall

34 Firewall
Firewall helps AppLocker and blocks PowerShell

35 Whitelisting Sami Laiho

36 IPsec
Used more than before, in my experience
Start with a preshared key if you think it's hard
DC needs to allow DNS, usually
If you use Kerberos/certs it might be easier to just exempt the DC – that's what most seem to do – and just protect it with a firewall
Require for INBOUND, request for OUTBOUND
Only integrity, not encryption: AH, not ESP

37 IPsec Sami Laiho

38 EMET → Exploit Guard

39 iPAW 2

40 Second Level Protections?
Add a PIN or other pre-boot authenticator – check the TPM document from my materials
Internet access ON/OFF
IPsec ESP ON, not just AH
Device Guard?
ESAE Administrative Forest
Protected Accounts:

41 https://is.gd/theipaw

42 Want more? Check out my videos at Pluralsight!
Check out my personal video library at
Follow me on Blog, Slack:
Consulting? Contact me at

43 Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!
