Presentation is loading. Please wait.

Presentation is loading. Please wait.

BACHELOR’S THESIS DEFENSE

Published byHertha Schuler Modified over 5 years ago

Similar presentations

Presentation on theme: "BACHELOR’S THESIS DEFENSE"— Presentation transcript:

1 BACHELOR’S THESIS DEFENSE
Protecting Windows Privileged Accounts BACHELOR’S THESIS DEFENSE Loc Phan Van IDCR Supervisor: Ilhan Celebi – Infrastructure Engineer

2 Agenda Introduction Effectiveness of Implementation
Windows Active Directory Security Principles Windows Active Directory Security Development Best Practices Conclusions

3 Introduction Background Problems Objectives
Privileged accounts have always become a primary target It’s like a regular accounts, have a valid set of credentials -> system, network Windows privileged accounts are complicated compared to other systems Most popular Operating System, directory service Due to the complexity -> hard to manage, gets ignored. Expensive security software Give administrative principles Point out sensitive groups Develop a tool for privileged accounts information gathering Develop monitoring solution for privileged accounts

4 Effectiveness of implementation
Time line for typical attack scenario 80% from external attacks 75% of attacks take weeks or more (Verizon Report) $1,2M over a week for recovering (IT Sec Risk Report)

5 Effectiveness of implementation
Detect abnormal behaviors Alert to Administrators Extend the time of escalation by applying RBAC Tier Model Secondary account Tier-0 Groups Privileged Admin Workstation Naming Convention Privileged Account Cleaning-up

6 Windows AD Security Principles
Role based access control Tier Model Dealing With Tier-0 Groups Secondary accounts Privileged Admin Workstation Naming Convention Privileged accounts cleaning-up 1 2 3 4 5 6 +

7 Windows AD Security Principles
Privileged Account Cleaning-up Implement the data investigation on the AD objects. Have more focus on Administrative objects (accounts, groups). Find out if they are still being used. Promulgate the policies for those unused objects (delete them or deactivate them).

8 Windows AD Security Development
1 Privileged Accounts Information Gathering 2 Privileged Accounts Monitoring Development process

9 Windows AD Security Development
1 Privileged Accounts Information Gathering

10 Windows AD Security Development
2 Privileged Accounts Monitoring +

11 Windows AD Security Development
2 Privileged Accounts Monitoring

12 Best practices Inventory and reduce the number of privileged accounts.
Secondary accounts. Enforce least privileged for standard user accounts. Store password securely. Create a process for on- and off-boarding employees that have privileged accounts. Eliminate the practice of accounts that have non-expiring passwords. Password complexity and password age policy. Implement automated password verification and reconciliation. Privileged account information gathering. Proactivity detect malicious behavior.

13 Conclusions Very first stepping stones in Windows Security
Contribute Windows administrative principles Implement privileged accounts information gathering Manipulate and develop a monitoring solution Give best practices Further work: Dealing with service account

14 Thank you

15 Reviewer’s questions What was the reason why author did not research more deeply those 3rd party solutions for this problem? Author refers that Microsoft ATA (Advanced Threat Analytics) may solve most of problems but for some reason does not use that in solution. What was the reason for that? I much as I know ATA can be integrated with other monitoring systems as well. How author can ensure that solution will be properly maintained and sustainable? (Who will develop that, how organization need to monitor and change the solution in the future?) Who are those best practices listed in Section 5 related with and used in current theses/work?

16 Tier 0 groups Domain Admins
Active Directory group with full admin rights to the Active Directory domain and all computers (default). Enterprise Admins Active Directory group with full admin rights to all Active Directory domains in the AD forest and gains this right through automatic membership in the Administrators group in every domain in the forest. Schema Admins Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. Backup Operators Local or Active Directory group. AD group members can backup or restore Active Directory and have logon rights to Domain Controllers (default). Server Operators Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back-up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. Print Operators Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. Account Operators Active Directory group with default privileged rights on domain users and groups, plus the ability to logon to Domain Controllers. Administrators Local or Active Directory group. The AD group has full admin rights to the Active Directory domain and Domain Controllers.

17 Sensitive groups Pre–Windows 2000 Compatible Access
Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. Remote Desktop Users The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). WinRMRemoteWMIUsers__ In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console. Protected User Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts.

18 Windows AD Security Principles
Role based access control Tier Model

19 Windows AD Security Principles
Dealing with Tier-0 Groups Domain Admins Enterprise Admins Schema Admins Backup Operators Server Operators Print Operators Account Operators Administrators One account for normal user activities: Mail Internet Browsing Line of business applications etc. Separate account for doing administration. One admin account for each tier For example: pe889 [^pe]: for regular user accounts ad335 [^ad]: for administrative accounts Secondary accounts

20 Windows AD Security Principles
Privileged Admin Workstation Role: Role-<Role Tier>-<Role Name> Prefix: Role Role Tier: T0/T1/2 Role Name: Job Function Role-T2-WorkstationAdmins Task: Task-<Target Object Type>-<Operation>-<Target> Prefix: Task Target Object Type: AD object type Operation: Create/Delete/Manage etc. Target: Short Name for OU/Target Task-Computer-Create-CORP Naming Convention

Download ppt "BACHELOR’S THESIS DEFENSE"

Similar presentations

Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 6: Configure and Troubleshoot Local User and Group Accounts.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 6: Configure and Troubleshoot Local User and Group Accounts.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Lesson 19 – ADMINISTERING WINDOWS 2000 SERVER : THE BASICS.

Lesson 19 – ADMINISTERING WINDOWS 2000 SERVER : THE BASICS.
Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:

Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Corso referenti S.I.R.A. – Modulo 2 Local Security 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.

Corso referenti S.I.R.A. – Modulo 2 Local Security 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.

Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.

70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.

Similar presentations

Ads by Google