Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCIT304. 1. numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&

Published byBridget Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "PCIT304. 1. numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&"— Presentation transcript:

1 PCIT304

2

3

4 1. http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the- numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&

5 5 The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag. “… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the sever had access to the rest of the corporate network...”

6

7 http://arstechnica.com/security/2014/06/a ws-console-breach-leads-to-demise-of- service-with-proven-backup-plan/

8 http://www.beckershospitalrevie w.com/legal-regulatory- issues/stolen-laptop-leads-to- 20-year-ftc-oversight-for- accretive-health.html

9 http://www.greentechmedia.com/articles/read/ u.s.-officials-charge-chinese-wind-firm-for- committing-corporate-homicide

10

11 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s User Session 4 1.Sue enters username and password 2.PC creates Sue’s user session 3.PC proves knowledge of Sue’s hash to Server 4.Server creates a session for Sue

12 User: Fred Hash:A3 D7 Fred’s Laptop Fred’s User Session User: Fred Password hash: A3D7… Sue’s Laptop Sue’s User Session Malware User Session User: Fred Password hash: A3D7… Malware User Session User: Fred Hash: A3D7 User: Sue Hash: C9DF User: Sue Password hash: C9DF… File Server User: Sue Hash:C9 DF 1 2 3 1.Fred runs malware 2.Malware infects Sue’s laptop as Fred 3.Malware infects File Server as Sue

13 User: Sue Hash: C9DF4E… Sue’s Laptop PTHDemo-DC Local Security Authority (LSASS) NTLM Digest Kerberos NTOWF: C9DF4E56A2D1… Password: a1b2c3 Ticket- Granting Ticket Service Ticket Password: a1b2c3 User: Sue 192.168.1.1 Service Ticket “Credential footprint” PTHDemo-DC

14 Sue’s Laptop Local Security Authority (LSASS) NTLM Digest Kerberos NTOWF: C9DF4E56A2D1… Password: a1b2c3 Ticket- Granting Ticket Credential Store Service Ticket NTOWF: A3D723B95DA…

15

16 Fred’s Laptop Security Accounts Manager User: Admin Hash:A2 DF… User: Admin Hash:A2 DF… Sue’s Laptop Security Accounts Manager User: Admin Hash:A2 DF…

17 ObjectiveHowOutcome This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks. Enforce the restrictions available in Windows Vista and later versions, preventing local accounts from being used for remote administration. Explicitly deny network and Remote Desktop logon rights for all administrative local accounts. Create unique passwords for local accounts with administrative privileges. An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network. Built-in SIDs for local accounts and local administrators

18

19 Get Credentials Social engineering and phishing schemes are used to trick personnel and obtain credentials. Most organizations do not recognize when attackers are already within the network and have access to information such as emails, confidential documents and other intellectual property. Get Data The attack doesn’t stop there. Attackers look for the next set of credentials with elevated permissions to access servers. Once elevated credentials are obtained and servers are compromised, organizations risk losing revenue, brand reputation and business continuity. Get Control The ultimate goal of the attacker may be to gain access to the domain controllers, the central clearing hub for all credentials and identities. Once compromised, an attacker has complete control over an entire organization. All assets, intellectual property, physical property and personal information are in jeopardy.

20 Sue’s Laptop Local Security Authority (LSASS) NTLM Digest Kerberos NTOWF: C9DF4E56A2D1… Password: a1b2c3 Ticket- Granting Ticket Credential Store Service Ticket

21 User: Sue Pass:a1b 2c3 Fred’s Laptop Sue’s Helpdesk PC Remote Desktop Client LSASS NTLM NTOWF: C9… Digest Pass: a1b2c3 Kerberos Tick et Mimikatz Credential Store

22 ObjectiveHowOutcome This mitigation reduces the risk of administrators from inadvertently exposing privileged credentials to higher risk computers. Restrict DA/EA accounts from authenticating to lower trust computers Provide admins with accounts to perform administrative duties Assign dedicated workstations for administrative tasks. Mark privileged accounts as “sensitive and cannot be delegated” Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer. Addition of authentication policies

23

24 ObjectiveHowOutcome This mitigation restricts the ability of attackers from initiating lateral movement from a compromised workstation by blocking inbound connections. Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers. An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations. No technical changes

25

26 Attributed to Dean Rusk, US Secretary of State, 1961-1969

27 Mission Threats

28 Identify High Value Assets Consider Attacker Mindset Baseline Normal Behavior

29 Architect a complete credential theft defense Consider usability a security feature

30 Create hardened and restricted administrative hosts Develop a containment strategy

31 Focus on High Value Assets Monitor Event IDs Of Interest Collect and Correlate Events

32 Closely Observe Affected Hosts Ensure Attack Vectors Are Properly Addressed Regularly Update Protection and Detection Mechanisms Follow Up On Lessons Learned

33 Regain Control Over Accounts Change compromised account passwords or Disable an account and remove group memberships Considerations: Only effective against future authentication Offline attackers can still use cached logon pv Attacker may be able to re-obtain password Attacker may persist using malware in user context

34 Tactical RecoveryStrategic Recovery A short-term operation designed to disrupt a known adversary operation Useful intelligence on the adversary presence Stealth operation that the adversary is unaware of Properly scoped defender operation A long-term plan that consists of multiple operations focused on recovering integrity at a high assurance level Risk of migration Risk of coexistence Planned end state Consider professional incident response services

35

36 FeaturesDescription AVAILABLE ON Windows 7 / Windows Server 2008 R2 AVAILABLE ON Windows 7 / Windows Server 2008 R2 AVAILABLE ON Windows 8.1 / Server 2012 R2 REQUIRES DOMAIN UPGRADE Windows Server 2012 R2 Domain Functional Level Remove LAN Manager (LM) hashes and plaintext credentials from LSASS LAN Manager legacy hashes and (reversibly encrypted) plaintext passwords are no longer stored in LSASS  Enforce credential removal after logoff New mechanisms have been implemented to eliminate session leaks in LSASS, thereby preventing credentials from remaining in memory  Logon restrictions with new well- known security identifiers (SIDs) Use the new SIDs to block network logon for local users and groups by account type, regardless of what the local accounts are named 

37 FeaturesDescription AVAILABLE ON Windows 7 / Windows Server 2008 R2 AVAILABLE ON Windows 7 / Windows Server 2008 R2 AVAILABLE ON Windows 8.1 / Server 2012 R2 REQUIRES DOMAIN UPGRADE Windows Server 2012 R2 Domain Functional Level Restricted Admin mode for Remote Desktop Connection The Remote Desktop application and service have been updated to support authentication without providing credentials to the remote host  Protected Users security group The new Protected Users security group enables administrators to restrict authentication to the Kerberos protocol only for group members within a domain  Authentication Policy and Authentication Policy Silos New Authentication policies provide the ability to restrict account authentication to specific hosts and resources  LSA Protection Allows the LSASS process to be turned into a Protected Process, thus preventing other processes (including processes running as SYSTEM\Administrator) that are not signed by Microsoft from tampering with the LSASS process 

38

39 HelpdeskRecommendations Domain administration Operations and service management Service accounts Business group isolation Bring your own device (BYOD) Separate administrative accounts from user accounts Use hardened and restricted hosts Limit exposure of administrative credentials RDP /RestrictedAdmin Tools that only use network logon (Type 3) Add accounts to Protected Users security group (if Kerberos only is feasible) Create authentication policies and silos (if protected users is feasible)

40 Recommendations Separate administrative accounts from user accounts Use hardened and restricted hosts Limit exposure of administrative credentials RDP /RestrictedAdmin Tools that only use network logon (Type 3) Add accounts to Protected Users security group (if Kerberos only is feasible) Create authentication policies and silos (if protected users is feasible)

41 Recommendations Reduce privileges and privilege use Only use DA/EA for DC Maintenance and Delegation Separate administrative accounts from user accounts Use hardened and restricted hosts Strengthen authentication assurance Implement security monitoring Add accounts to Protected Users security group (if Kerberos only is feasible) Create authentication policies and silos (if protected users is feasible)

42 Recommendations Grant the least privilege Never add to Domain Admins or Enterprise Admins Use managed service accounts Change passwords regularly Strengthen authentication assurance Monitor service account activity Contain credential exposure

43 Recommendations Define Use Cases Use hardened and restricted hosts Restrict account logons Consider blocking Internet access Do not share accounts or passwords Ensure unique local administrative passwords on workstations and servers

44 Recommendations Define use cases and policies Ensure risks are understood and accepted Do not use BYOD devices for administration Ensure that high business impact (HBI) data is not being stored on these devices No shared password for corporate and personal accounts No use of privileged service accounts on BYOD devices Deploy available security policies Isolate network access Create response/recovery strategies

45 Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz Free Virtual Hands-on Labs http://aka.ms/ch9nz Free Online Learning http://aka.ms/mva http://aka.ms/technetlabs Sessions on Demand

46

Download ppt "PCIT304. 1. numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&"

Similar presentations

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 12 Network Security.

Chapter 12 Network Security.
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s.

2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server Sue’s.
Understanding Active Directory

Understanding Active Directory
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Working with Workgroups and Domains

Working with Workgroups and Domains
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

Similar presentations

Ads by Google