
1 Lawrence Livermore National Laboratory
A system for strong local account management: SLAM
David Frye, Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551
This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

2 The Subject: Local Accounts
- All computers have a local account database
- Allows people or code to authenticate locally
- Enables access to resources locally
- At least 1 administrator (full permissions)
- Maintained independently
  - No linkage to Active Directory
  - No centralized management
UCRL: LLNL-PRES-413302

3 The Problem: Common Passwords
- Admin password typically set at build time
- Typically the same on all machines (imaging)
- Password is seldom if ever changed
- Often neglected when joined to the Domain

4 The Problem: Illustrated
Typical AD environment (diagram):
- Machines built from images
- Local Administrator enabled
- Password is common

5 The Problem: Illustrated
- Machine hack = site hack
- AD is immune
- AD can't help
(Diagram label: Hacker)

6 Disable Local Accounts?
- Offline without cached credentials
- Temporary administration
  - Scientists on travel with a need to install software
- Dropped from domain
  - OS virtualization
- Re-enable via Recovery Console requires physical access

7 The Options:
- Disable all local accounts
  - Best option
  - Not feasible in most environments
- Deny "Access This Computer From The Network"
  - Forces physical login
  - Kills remote management capability
- Enabled accounts with common static passwords
  - Most typical
  - Most dangerous
- Other options
  - Commercial solutions (expensive)

8 Strong Local Admin Manager (SLAM)
- Dynamic/Unique Passwords
- Centralized Recovery
- No Centralized Password Storage
- No Specialized Authorization
- No Dedicated Infrastructure*

9 Dynamic/Unique Passwords
How it works (diagram):
- Unique Computer AD Attribute: Computer Last Password Change Date + GUID
- Master Key: Crypto-Random 256 bits, RSA 1024 bit encrypted
- SHA-256 HMAC over the computer attribute, keyed with the Master Key
- Strong Unique Value: the Local Administrator Password

10 Centralized Recovery
How it works:
- OU Administrator uses AD Users & Computers (ADUC)
- Custom context menu option for SLAM Recovery
- ADUC connects to the Web Service, which returns the password

11 No Centralized Password Storage
How it works:
- Passwords are NOT random
- Passwords are calculated
- Only the master hashing key and computer password change dates are stored

No Specialized Authorization
How it works:
- SLAM Recovery leverages existing authorization in AD
- Permissions required: Full Control of the computer object
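A worked illustration of the derivation described on slides 9 and 11, added here and not SLAM's own code: an HMAC-SHA256 over the computer object's password-change date and GUID, keyed with the master key, yields a per-machine password that both the client and the recovery web service can recompute, so only the key and the change dates need to be stored. The input encoding, the base64 rendering, the 20-character length, and the sample key and GUIDs are assumptions of this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample master key. SLAM keeps one crypto-random 256-bit key,
# RSA-encrypted at rest, on the web service only: whoever holds it can derive
# every local admin password, so it never reaches the clients.
MASTER_KEY = bytes.fromhex("9f" * 32)  # sample value, not a real key

PASSWORD_LENGTH = 20  # assumption: the real SLAM length/format is not stated

def derive_local_admin_password(master_key: bytes, computer_guid: str,
                                pwd_last_set: datetime) -> str:
    """HMAC-SHA256, keyed with the master key, over the computer object's
    password-change date and GUID, rendered as printable base64.

    The client (setting the password) and the recovery web service
    (returning it) run this same calculation, which is why only the master
    key and the change dates need to be stored centrally."""
    stamp = pwd_last_set.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    message = f"{stamp}|{computer_guid.lower()}".encode("utf-8")  # assumed encoding
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:PASSWORD_LENGTH]

def recover_password(master_key: bytes, computer_guid: str,
                     stored_pwd_last_set: datetime) -> str:
    """Recovery path: recompute from the stored change date; nothing is looked up."""
    return derive_local_admin_password(master_key, computer_guid,
                                       stored_pwd_last_set)

def demo() -> dict:
    """Two constructed machines imaged the same day; one later rotates its
    AD computer password, which changes its derived local admin password."""
    guid_a = "4b1e7c7e-1111-4a2b-9c3d-000000000001"  # constructed GUID
    guid_b = "4b1e7c7e-2222-4a2b-9c3d-000000000002"  # constructed GUID
    day1 = datetime(2009, 3, 2, 8, 0, tzinfo=timezone.utc)
    day2 = datetime(2009, 4, 1, 8, 0, tzinfo=timezone.utc)  # after rotation
    return {
        "a_day1": derive_local_admin_password(MASTER_KEY, guid_a, day1),
        "b_day1": derive_local_admin_password(MASTER_KEY, guid_b, day1),
        "a_day2": derive_local_admin_password(MASTER_KEY, guid_a, day2),
        "recovered_a_day1": recover_password(MASTER_KEY, guid_a, day1),
    }

if __name__ == "__main__":
    for name, password in demo().items():
        print(f"{name}: {password}")
```

Machines sharing an image get different passwords because their GUIDs differ, and a computer-password rotation in AD changes the derived value without any central record of the password itself.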

12 SLAM Infrastructure (diagram)
SLAM Client:
- Small .NET app
- Daily process
- Requests new Local Admin Pwd
- Creates local account if needed
AD:
- Computer Password Change Date
SSL Web Service:
- Master Key
- Checks for recently expired Computer pwd
- Checks for recently recovered Admin pwd
- Validates Authorization
- Calculates and returns password
OU Administrator (ADUC):
- Copy to clipboard
- Historical passwords
- Print
(Both the SLAM Client and ADUC talk to the Web Service over SSL)

13 SLAM Rollout @ LLNL
- Developed in April 2008 by David Frye and Joe Taitt
- Started deployment in June 2008
- Became mandated in 2009 for all unclassified Windows computers (except DCs)
- ~9,000 total SLAM clients
- ~200 password recoveries per month

14 SLAM Next Steps
- SLAM Client for Mac (Daniel Hoit)
  - Client is developed and currently in test
- Remove/Disable non-SLAM local accounts
  - Necessary next step to gain the full benefit
  - Need exception policies and procedures
  - Need to be careful

15 Questions on SLAM?

