Tactic 2: Protect Privileged Identities


1 Tactic 2: Protect Privileged Identities
Zaid Arafeh, Josh Bryant, Clare Kearney (Microsoft Services Cybersecurity)

2 Agenda
Part I: Keys to the kingdom
- Demo: Credential theft and reuse
Part II: Protecting privileged identities
- Demo: Get-LogonLocations
- Demo: Local Admin Password Solution (LAPS)

3 Part I – keys to the kingdom

4 Recap Tactic #1: Adopt Least Privilege (Reduce Privileged Identities)
(Slide diagram: AD SERVICE)

5 Tactic #2: Protect Privileged Identities
(Slide diagram: AD SERVICE)

6 It is Recommended that YOU Execute Tactic #1 and Tactic #2 in Parallel
As you reduce privilege (Tactic #1), begin executing the controls described in this session for identities that have a legitimate business reason to retain admin privileges (e.g. trusted AD Service Admins).
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 TRADITIONAL vs. MODERN SECURITY THINKING
(Slide diagram: TRADITIONAL = firewall perimeter, trusted behind the firewall, untrusted outside the firewall; MODERN = defense from within, untrusted both behind and outside the firewall.)
Key message: identity is the new security "perimeter".
- Whether your assets are hosted on-premises or in the cloud, the security "perimeter" that separates users and data from outside threats can no longer be drawn along network lines.
- The "perimeter" to defend between your assets/users and threats is drawn by the identity components of authentication and authorization, which span all of your devices, services, hosts and networks.
- While the network perimeter retains a basic security role, it can no longer guide the security defense strategy, because:
  - adversaries have demonstrated a consistent and ongoing ability to penetrate network perimeters using phishing attacks;
  - an organization's data, devices and users often reside and operate outside traditional network boundaries (whether sanctioned by IT or not);
  - port and protocol definitions and exceptions have failed to keep up with the complexity of services, applications, devices and data.
- This requires organizations to adopt a different security philosophy and mindset, based on rigorous management of authentication and authorization rather than on firewall rules and exceptions.

8 IDENTITY IS THE NEW PERIMETER, UNDER ATTACK
(Slide diagram: Privileged Identity spanning Active Directory behind the firewall and Azure Active Directory / Active Directory IaaS outside the firewall.)
Key message: admins are in control and need protection.
- Privileged administrative accounts are effectively in control of this new "security perimeter", so it is critical to protect privileged access for on-premises and cloud systems, especially identity systems like Active Directory (AD) and Azure Active Directory (AAD).
- These administrators have access to all of the data hosted on the systems and should be protected, monitored and restricted commensurate with that high level of responsibility.

9 Typical Attack Timeline (Microsoft Ignite 2015)
(Slide timeline: first host compromised -> Domain Admin compromised within 24-48 hours -> attacker undetected, data exfiltration, for more than 200 days (varies by industry) -> attack discovered.)
- Research and preparation: using social media, open source intelligence sources and data from previous attacks.
- Initial foothold and elevation of privilege: typically using credential theft, but also abuse of administrative/management tools and configuration weaknesses.
- Exfiltration and persistence: attackers typically exfiltrate data for illicit purposes and go undetected for 200+ days.
Key message: Microsoft understands these attacks from first-hand experience helping customers with them.
Timeline notes: targeted attacks usually follow a timeline similar to this slide. The 200+ days figure is a general observation based on our incident response team's experience (similar to what is reported by others in the industry). Precise numbers are difficult to produce because evidence of the initial "Patient 0" host is frequently lost after such a long period of time. Because most attacks are discovered by external parties, the variance in time to discover attacker presence usually depends on the organization's industry (retail will be quick, as stolen credit cards are put onto the market, whereas the loss of other IP such as technical designs takes longer to become apparent).
Observations:
1. Attack sophistication: attackers are usually after your organization's data to make money (though we have also seen destructive attacks), and they will go after any device, server or service to get it. Attackers will research you and exploit any seam, inconsistency or weakness (slow patching process, weak configurations, sophisticated attacks, old/weak passwords, etc.).
2. Target AD and identities: in the attacks we have seen, attackers that get a "beachhead" on one of your network hosts seek and steal Active Directory administrator credentials within hours of gaining that beachhead (often quicker). This gives them the ability to steal almost any information on any computer.
3. Attacks not detected: most of these attacks go undetected for around a year on average, leaving organizations vulnerable to ongoing loss and damage.
4. Response and recovery: investigating and cleaning up from these attacks is typically very complex, technically challenging, and requires a lot of expertise.

10 Escalation of Privilege (EoP) Using Credential Theft
(Slide diagram: Beachhead (phishing attack, etc.) -> Lateral Movement -> Privilege Escalation -> Execute Attacker Mission; compromises administrative control of the AD forest within 24-48 hours. Tier-0: AD Service and dependencies (global access control). Tier-1: enterprise data and services (AD data). Tier-2: devices and users. Actor: determined human adversary.)
Key message: credential theft attacks can happen in just about any conventionally secured environment and require new types of defenses.
This is a view of a typical attack on a typical environment. The resources are broken out by the Microsoft tiered administration model:
- Tier 0: full control of identities and all assets
- Tier 1: full control of enterprise servers, applications and cloud services
- Tier 2: full control of enterprise devices typically used by individuals
Click 1: Attacks start by gaining control of a beachhead in your network, sometimes called "Patient Zero". This is usually a phishing attack, but can also be done by compromising a website frequently visited by your users, by delivering malware through advertising, or by other techniques. Most attackers target domain controllers to gain access to all identities.
Click 2: The next step for attackers is typically to gather the credentials available on the compromised machines (including local administrator password hashes). They then move laterally within that tier to compromise other computers and harvest more credentials. This requires the attacker to be an administrator on the local machine, which can happen when:
- a user running as a local admin clicks "allow" on a security warning dialog in a browser or other application;
- the attacker exploits an unpatched vulnerability on a computer (whether the user is running as a local admin or only with standard user privileges).
Click 3: The attackers can attempt to escalate their access to the environment directly by attacking servers.
Click 4: More commonly, we see privilege escalation by stealing higher-tier credentials (e.g. domain admins) where they are exposed on lower-tier devices (e.g. standard workstations). This leads to an attacker gaining full control of the environment. This is a shared state of control, so it doesn't "kick out" the real admins. The attack is very difficult to detect with conventional means because attackers are using real, legitimate credentials (and can then move on to creating fake accounts, installing malware on any computer, etc.).
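The detection side of "Click 4" is knowing from which hosts your Tier-0 accounts actually authenticate, so that a Domain Admin logon from a standard workstation stands out. The following PowerShell is an added example for this page; it is not the presentation's code and not Josh Bryant's Get-LogonLocations tool. It parses Kerberos TGT-request events (Event ID 4768) from a domain controller's Security log and reports Tier-0 accounts whose requests came from outside an approved list of PAW and DC addresses. The account names, IP addresses and the sample events are constructed placeholders; the live query assumes "Audit Kerberos Authentication Service" success auditing is enabled on the DCs.

```powershell
# Added example (not from the presentation, not the Get-LogonLocations tool).
# Flags Tier-0 account authentications that originate from non-Tier-0 hosts,
# using Kerberos TGT request events (ID 4768) from DC Security logs.

function ConvertFrom-Event4768 {
    # Pull the fields we need out of one 4768 event rendered as XML.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User     = $data['TargetUserName']
        Domain   = $data['TargetDomainName']
        # IPv4 clients are logged as ::ffff:a.b.c.d; strip the IPv6 prefix.
        ClientIp = $data['IpAddress'] -replace '^::ffff:', ''
        Status   = $data['Status']          # 0x0 means a TGT was issued
    }
}

function Find-TierZeroLogonFromLowTier {
    param(
        [Parameter(Mandatory)][pscustomobject[]]$Logons,
        [Parameter(Mandatory)][string[]]$TierZeroAccounts,     # e.g. Domain Admins members
        [Parameter(Mandatory)][string[]]$ApprovedTierZeroHosts # PAW and DC addresses
    )
    # Successful TGT requests for privileged accounts from any address not on the approved list.
    $Logons |
        Where-Object { $_.Status -eq '0x0' -and $TierZeroAccounts -contains $_.User } |
        Where-Object { $ApprovedTierZeroHosts -notcontains $_.ClientIp } |
        Sort-Object Time
}

# --- Constructed sample events (placeholder names and addresses, not real data) ---
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2015-07-18T10:16:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">adm-jbryant</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="IpAddress">::ffff:10.0.1.5</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2015-07-18T10:21:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">adm-jbryant</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="IpAddress">::ffff:10.0.2.57</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
)

$logons = $sampleEvents | ForEach-Object { ConvertFrom-Event4768 -EventXml $_ }

# 10.0.1.5 is the (hypothetical) PAW, 10.0.0.10/11 the DCs; 10.0.2.57 is a standard workstation.
Find-TierZeroLogonFromLowTier -Logons $logons `
    -TierZeroAccounts 'adm-jbryant', 'adm-zarafeh' `
    -ApprovedTierZeroHosts '10.0.0.10', '10.0.0.11', '10.0.1.5' |
    Format-Table -AutoSize
# Expected: one row, adm-jbryant from 10.0.2.57 at 10:21.

# Live use against a DC (replace DC01; repeat for every DC, since each only logs its own requests):
# $logons = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4768 } |
#     ForEach-Object { ConvertFrom-Event4768 -EventXml $_.ToXml() }
```

Each DC only records the TGT requests it served, so the live query has to be run against every DC (or against a central log collector). A hit is not proof of compromise, but it is exactly the "Tier-0 credential on a Tier-2 device" exposure the slide describes, and each one should be traced back to the process and reason behind it.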

11 Credential Theft and Reuse (demo, Josh Bryant)
This demonstration shows how these attacks work and how quickly attackers are able to evade conventional security defenses using credential theft. The video does not cover all possible attack techniques that are mitigated by the roadmap in the slide, just the most commonly seen techniques.

12 Part II – Protecting privileged identities

13 SECURING PRIVILEGED ACCESS: SEPARATE IDENTITIES, SEPARATE WORKSTATIONS, RANDOMIZE LOCAL ADMIN PASSWORD (Microsoft Ignite 2015)
This slide brings up the fact that protecting privileged identities is a means of securing privileged access.
1. Separate admin account for admin tasks
   Why: separate Internet risks (phishing attacks, web browsing) from AD administrative privileges.
   What: create a dedicated account for all personnel with privileges (starting with domain administration, then server/app admins, then workstation/helpdesk admins).
   How: create a new admin account, move all privilege assignments to the admin account, and use the admin account only for privileged tasks.
2. Privileged Access Workstations (PAWs), phase 1: Active Directory admins
   Why: separate Internet risks (phishing attacks, web browsing) from domain administrative privileges.
   What: create a dedicated workstation for all personnel with AD administrative privileges (starting with domain administration, then server/app admins, then workstation/helpdesk admins).
   How: follow the guidance published at Microsoft Services solutions: Privileged Access Workstation (PAW) and Enhanced Security Administrative Environment (ESAE).
3. Unique local admin passwords for workstations
4. Unique local admin passwords for servers
   Why: adversaries can steal and re-use password hashes for local admin accounts to take control of machines that share the same local account passwords.
   What: configure unique (random) passwords on each workstation and register them in Active Directory.
   How: install the Local Administrator Password Solution on workstations and servers; see the Microsoft Services solution Proactive Operations Program - Securing Lateral Account Movement (POP SLAM).

14 YOU NEED TWO PERSONAS
- PRIVILEGED USER ACCOUNT: for high impact and low exposure
- STANDARD USER ACCOUNT: for low impact and high exposure
You do not carry large sums of money on you everywhere you go... right? Then you should not carry sensitive privileges on you everywhere on the network :)

15 Account Usage
- Standard user account: productivity, Internet access, collaboration.
- Privileged user account(s)*: machine management, application management, online services management.
* Keep tier separation in mind and consider creating multiple privileged accounts if necessary.
To help separate Internet risks (phishing attacks, web browsing) from administrative privileges, create a dedicated account for all personnel with administrative privileges. Additional guidance on this is included in the PAW instructions published here.

16 Get-LogonLocations (demo, Josh Bryant)

17 Separate Machines
- USER MACHINE (U): Internet access; tailored for productivity; moderately restricted; high exposure; low impact activities.
- ADMIN MACHINE (A): no Internet access; tailored for management; highly restricted; low exposure; high impact activities.

18 Platform Options
- SEPARATE MACHINES (U and A on separate hardware): highest assurance; higher cost; additional weight; requires more desk space.
- USER VIRTUAL MACHINE (U as a guest on A): cost effective; reasonable assurance; best usability; inadvertent errors in resource sharing.
- EXTERNAL ADMIN DRIVE (A booted from removable media on the U hardware): cost effective; reasonable assurance; can be disruptive (reboot); fully encrypted; SecureBoot / write filter.
Option 1: Using two physical hardware devices for the productivity machine and the PAW. This is generally considered the most secure, as it provides the highest degree of separation between machines in different tiers. The disadvantage of this model is the inconvenience of carrying and maintaining two hardware machines and the cost of the extra hardware.
Option 2: Using the same hardware for both the PAW and the productivity machine. In such a setup, the PAW is configured as the virtualization host (or as the primary partition on top of the hypervisor) and the corporate machine is configured as a Hyper-V guest. To further leverage virtualization, an optional machine used for risky browsing can be added. This option is cost-effective and relatively secure. Caution is needed: make the virtual machine a version-1 VM to disallow information transfer. It is also crucial that the PAW is made the host and not the guest.
Option 3: Making the PAW a Windows To Go machine on removable media. Despite the high portability this option provides, and its relatively low cost, it is very inconvenient for administrators to have to reboot their productivity machine and load the Windows To Go PAW. In addition, removable thumb drives tend to be easily lost, which can have security consequences.

19 Randomize Local Admin Password
Local Admin Password Solution (LAPS), free. Schema extension:
- ms-MCS-AdmPwd: stores the password in clear text
- ms-MCS-AdmPwdExpirationTime: stores the time at which the password is to be reset
Enabled by GPO; applies to servers and workstations.
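Because ms-MCS-AdmPwd holds the password in clear text, two things matter operationally once LAPS is deployed: that every machine is actually being managed (an expiration time is set and has not passed), and that only the intended operators can read the password attribute. The PowerShell below is an added example, not the presentation's code or part of the LAPS product. It reads ms-Mcs-AdmPwdExpirationTime (stored as a Windows FILETIME) and classifies each computer as Current, Expired or NotManaged; the sample computer objects are constructed, and the live commands assume the ActiveDirectory module and the AdmPwd.PS module shipped with LAPS (Find-AdmPwdExtendedRights) are installed and that the OU path is replaced with your own.

```powershell
# Added example (not from the presentation). LAPS coverage audit.

function Get-LapsStatus {
    param(
        # Computer objects carrying Name and ms-Mcs-AdmPwdExpirationTime
        # (the shape Get-ADComputer -Properties returns).
        [Parameter(Mandatory)][object[]]$Computers,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($c in $Computers) {
        $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # No expiration written: the LAPS client never ran here (not installed,
            # GPO not applied, or no permission to write its own attributes).
            $state = 'NotManaged'; $expires = $null
        } else {
            # FILETIME: 100 ns ticks since 1601-01-01 UTC.
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # An expiration in the past means the client has not rotated on schedule.
            $state = if ($expires -lt $Now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{ Computer = $c.Name; State = $state; ExpiresUtc = $expires }
    }
}

# --- Constructed sample (placeholder computer names, not real data) ---
$sampleComputers = @(
    [pscustomobject]@{ Name = 'WKS-001';    'ms-Mcs-AdmPwdExpirationTime' = [datetime]::UtcNow.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-002';    'ms-Mcs-AdmPwdExpirationTime' = [datetime]::UtcNow.AddDays(-5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-LEGACY'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
Get-LapsStatus -Computers $sampleComputers | Format-Table -AutoSize
# Expected: WKS-001 Current, WKS-002 Expired, SRV-LEGACY NotManaged.

# Live use (ActiveDirectory module): whole domain, grouped by state.
# $all = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
# Get-LapsStatus -Computers $all | Group-Object State | Select-Object Name, Count

# Who can read the clear-text passwords under an OU (AdmPwd.PS module from LAPS;
# replace the DN with your own). Anything beyond the intended operator group is a finding.
# Find-AdmPwdExtendedRights -Identity 'OU=Workstations,DC=contoso,DC=local'
```

Reading ms-Mcs-AdmPwdExpirationTime is harmless to expose broadly, which is why the audit keys on it rather than on the password attribute; the password itself should only be readable by the group that actually performs local-admin logons, and that ACL is what the Find-AdmPwdExtendedRights check verifies.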

20 Local Admin Password Solution (LAPS) (demo, Josh Bryant)

21 Additional Controls
- Multi-Factor Authentication: make it mandatory for privileged accounts; highly recommended for all other accounts.
- Just In Time (JIT) / Just Enough Admin (JEA): accounts are only privileged when they need to be; only the privileges required to complete a task are granted.
- Admin forest for Active Directory administrators: Enhanced Security Administrative Environment (ESAE).
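JEA's "only the privileges required to complete a task" is implemented with two files: a role capability (.psrc) that lists the commands a role may run, and a session configuration (.pssc) that maps groups to roles and runs the session as a temporary virtual account instead of a standing admin identity. The script below is an added example for this page, not the presentation's or Microsoft's reference configuration. It defines a hypothetical ServiceOps role that lets a helpdesk group restart only two named services; the module path, the CONTOSO\HelpDesk group, the service names and the transcript directory are placeholders.

```powershell
# Added example (not from the presentation). Hypothetical JEA endpoint "ServiceOps".
# Members of CONTOSO\HelpDesk may list services and restart Spooler or W32Time,
# nothing else, and they hold no standing local admin rights to do it.

# 1. Role capability file. JEA discovers .psrc files in a RoleCapabilities
#    folder of any module on $env:PSModulePath.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\ServiceOps'   # placeholder
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOps.psrc') -VisibleCmdlets @(
    'Get-Service',
    # Restart-Service is visible, but only with -Name set to one of these two values.
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# 2. Session configuration: who gets the role, and run as a virtual account
#    (a transient local administrator that exists only for the session).
$pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'ServiceOps' } }

# 3. Validate and register the endpoint (restarts the WinRM service).
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -Force
}

# Operator usage from their workstation (SRV01 is a placeholder):
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName ServiceOps
#   Restart-Service -Name Spooler      # allowed
#   Restart-Service -Name WinRM        # rejected: not in the ValidateSet
```

The RestrictedRemoteServer session type removes everything except a handful of proxy cmdlets, so the role capability is an allow-list rather than a deny-list. The transcript directory gives the defender a per-session record of exactly which commands the virtual account ran, which is what makes JIT/JEA auditable in a way that a shared standing admin account is not.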

22 Coming up next Tactic 3: Defend your Directory

23 Resources
- Securing Privileged Access (SPA) by Microsoft
- Privileged Access Workstations (PAW) by Microsoft
- Get-LogonLocations by Josh M. Bryant (Microsoft)
- Local Admin Password Solution by Microsoft
- Credential Theft Demo by Microsoft
- Need help from Microsoft Services Cybersecurity?


