Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |


1 Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

2 AN INTRODUCTION Kerberos Underworld

3 The topics
- The hell of Windows authentication mechanisms: Basic, NTLM, Kerberos
- Certificates and smart cards or tokens
- How they work differently
- What is better or worse
- Weird and weirder things that you may not know

4 And the environment
- Windows 2000 and newer
- Active Directory domains, maybe some trusts or multidomain forests
- Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers

5 NETWORK INTERACTIONS Kerberos Underworld

6 Local Logon [diagram: Client 2000+ and DC 2000+; Kerberos: TGT for the user, then TGS for LDAP and CIFS; LDAP: GPO list; SMB: GPO download]

7 CTRL-ALT-DEL Password
- Password is stored in memory only (LSASS process)
- In the form of an MD4 hash
- Never given out

8 Authentication Interactions in General [diagram: Client 2000+, Server 2000+, DC 2000+ on each side; Kerberos: TGT for the user, TGS for the server, sent in-band with the app traffic; NTLM: sent in-band, passed through by the server to its DC over SMB / D/COM (dynamic TCP); occasional PAC validation from the server to its DC over D/COM (dynamic TCP)]

9 The three authentication methods
- Basic: plain-text password; results in Kerberos authentication
- NTLM: hashed password (MD4); method from the past; LM (DES), NTLM (DES), NTLMv2 (MD5)
- Kerberos: hashed password (MD4) plus RC4/DES or AES; mutual authentication and delegation; can use certificates instead of passwords

10 Basic and RDP Network Logon [diagram: Client 2000+ sends the clear-text password in-band with the app traffic to Server 2000+; the server then obtains a Kerberos TGT for the user from its DC 2000+]

11 NTLM Network Logon [diagram: Client 2000+ sends the NTLM hash in-band with the app traffic to Server 2000+; the server passes the NTLM hash through to DC 2000+ over SMB / D/COM (dynamic TCP)]

12 Kerberos Network Logon (basic principle) [diagram: Client 2000+ obtains a TGT for the user and a TGS for the server from DC 2000+ over Kerberos, then presents the TGS in-band with the app traffic to Server 2000+]

13 Kerberos Network Logon (complete) [diagram: as on the previous slide, plus occasional PAC validation of the TGS from Server 2000+ to its own DC 2000+ over SMB / D/COM (dynamic TCP)]

14 PERFORMANCE COMPARISON Kerberos Underworld

15 NTLM Network Logon [diagram: Client 2000+, Server 2000+, DC 2000+ on each side; CPU load shown: 60 % and 55 %]

16 Kerberos Network Logon, no PAC Validation [diagram: Client 2000+, Server 2000+, DC 2000+ on each side; CPU load shown: 60 % and 0 %]

17 Kerberos Network Logon with PAC Validation [diagram: Client 2000+, Server 2000+, DC 2000+ on each side; CPU load shown: 60 %, 0 % and 14 %]

18 Basic Authentication [diagram: Client 2000+, Server 2000+, DC 2000+ on each side; CPU load shown: 5 % and 0 %]

19 NTLM Performance Issues [diagram: DC, Client, Server; 7 concurrent clients, 40 sec.]

20 NTLM Trusts [diagram: DC A, DC B, DC C, DC D; user D\User accessing A\Server]

21 Kerberos Trusts [diagram: DC A, DC B, DC C, DC D; user D\User accessing A\Server]

22 WE WANT KERBEROS, SO WHAT? Kerberos Underworld

23 Basic Facts
- Do not use IP addresses
- Configure SPN (service principal name)
- Have time in sync
- Use trusted identities to run services on Windows 2008 and newer instead of AD user accounts (no PAC validation)
- Enable AES with Windows 2008 DFL

24 Trusted Identities – Network Service

25 Trusted Identities – Service Accounts

26 Trusted Identities – AppPoolIdentity

27 Trusted Identities – Managed Service Account

28 IDENTITY ISOLATION FOR SERVICES Kerberos Underworld

29 Identity Isolation
- Services on a single machine
- Services that access other back-end services

30 Windows Identities
Identity | Password | PAC Validation | Local Isolation | Network Isolation | Operating System
SYSTEM | random, changed every 30 days | no | Administrators, no isolation | no | 2000
AD User Account | changed by administrator, ??? | yes | Users, isolated | yes | 2000
Network Service | random, changed every 30 days | no | Users, no isolation | no | XP
Local Service | no network credentials | no | Users, no isolation | no | XP
Service Account | random, changed every 30 days | no | Users, isolated | no | Vista / 2008
Managed Service Account | random, changed every 30 days | no | Users, isolated | yes | 7 / 2008 R2

31 SMART CARD LOGON Kerberos Underworld

32 Smart Card Logon [diagram: Client 2000+ obtains a TGT for the user from DC 2000+ via Kerberos PKINIT, then a TGS for the server; the TGS travels with the app traffic to Server 2000+, which has its own DC 2000+]

33 Smart Card Logon and NTLM [diagram: after the smart card logon, the DC 2000+ returns an NTLM hash to Client 2000+ together with the TGT for the user; Server 2000+ receives either a TGS for the server or that NTLM hash, which its DC 2000+ then validates]


35 DELEGATION Kerberos Underworld

36 Basic Delegation [diagram: Client, Front-End Server, Back-End Server, DC; the client's password reaches the front end, which uses it to obtain a TGT for the user and then a TGS for the back end from the DC]

37 Kerberos Delegation Options

38 Kerberos Delegation (Simplified) [diagram: the client obtains a TGT for the user and a TGS for the front end from the DC; the Front-End Server presents that TGS to its DC to obtain a TGS for the Back-End Server]

39 Protocol Transition [diagram: Client (Kamil), Front-End Server, Back-End Server, DC; the client gives the front end nothing Kerberos-related, and the front end obtains a TGS for the back end from the DC in Kamil's name]

40 GROUP MEMBERSHIP Kerberos Underworld

41 Group Membership Limits
- AD group in a forest with 2000 FFL: 5000 direct members limit
- AD group in a forest with 2003+ FFL: unlimited membership
- Kerberos ticket (network transport): limited to 8 kB on 2000 and XP, up to 12 kB on 2003+
- HTTP.SYS header limits: 16 kB of Base64-encoded tickets
- Access token (local representation of a logon): up to 1025 groups, including local and system

42 Kerberos Ticket (PAC) for user Kamil, S-1-5-Prague-1158
- Prague Marketing, Global, 3082, 8 bytes
- Prague Sales, Global, 3083, 8 bytes
- Paris Visitors, Domain Local, Paris, S-1-5-Paris-2115, 40 bytes
- Roma IS, Domain Local, Roma, S-1-5-Roma-1717, 40 bytes
- Prague Documents, Domain Local, IDTT, S-1-5-Prague-3084, 40 bytes
- Business Owners, Universal, IDTT, 3085, 8 bytes
- Employees, Universal, Paris, S-1-5-Paris-2116, 40 bytes
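Added example, not from the deck: a Python estimator for the group part of the PAC, using the per-entry sizes shown on the PAC slide (8 bytes for a RID entry, 40 bytes for a full SID entry) against the ticket and HTTP.SYS limits from the group membership slide. The sizing rule (global and universal groups of the user's own domain travel as RIDs, everything else as full SIDs), the domain assignment of Kamil's groups, and the 4/3 Base64 expansion are assumptions derived from the slides, not figures from the author.

```python
# Added example (not from the slides): estimate PAC group data against ticket limits.
from dataclasses import dataclass

RID_ENTRY_BYTES = 8     # group in the user's own domain, carried as a RID (slide 42)
SID_ENTRY_BYTES = 40    # any other group, carried as a full SID (slide 42)
LIMITS = {              # from slide 41; dict order is the order results are reported in
    "ticket 2000/XP": 8 * 1024,
    "ticket 2003+": 12 * 1024,
    "HTTP.SYS header (Base64)": 16 * 1024,
}

@dataclass(frozen=True)
class Group:
    name: str
    scope: str      # "Global", "Universal" or "Domain Local"
    domain: str     # domain that owns the group (assumed from the SID on the slide)
    rid: int

def pac_entry_size(group: Group, user_domain: str) -> int:
    """Assumed rule, consistent with every row of the slide table."""
    if group.domain == user_domain and group.scope in ("Global", "Universal"):
        return RID_ENTRY_BYTES
    return SID_ENTRY_BYTES

def pac_group_bytes(groups, user_domain: str) -> int:
    return sum(pac_entry_size(g, user_domain) for g in groups)

def base64_size(raw_bytes: int) -> int:
    """Base64 turns every 3 bytes into 4 characters (with padding)."""
    return 4 * ((raw_bytes + 2) // 3)

def exceeded_limits(groups, user_domain: str) -> list:
    """Names of the slide-41 limits that this membership alone would break."""
    raw = pac_group_bytes(groups, user_domain)
    hits = []
    for name, limit in LIMITS.items():
        size = base64_size(raw) if "Base64" in name else raw
        if size > limit:
            hits.append(name)
    return hits

# Constructed sample: Kamil's membership as listed on the slide.
KAMIL_GROUPS = [
    Group("Prague Marketing", "Global", "Prague", 3082),
    Group("Prague Sales", "Global", "Prague", 3083),
    Group("Paris Visitors", "Domain Local", "Paris", 2115),
    Group("Roma IS", "Domain Local", "Roma", 1717),
    Group("Prague Documents", "Domain Local", "Prague", 3084),
    Group("Business Owners", "Universal", "Prague", 3085),
    Group("Employees", "Universal", "Paris", 2116),
]
```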

43 TAKEAWAY Kerberos Underworld

44 Takeaway
- Kerberos is the most secure, flexible and performance-efficient option
- Don't be afraid and play with them!
Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

45 Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!

