Michael Hayden Four star general Director of the NSA Director of the CIA Director of National Intelligence.


Michael Hayden
Four star general
Director of the NSA
Director of the CIA
Director of National Intelligence
Edward Snowden
Age 30
College dropout
Admins have the keys to the kingdom
You’re an Admin
PWNED!!!
Hunting and Hacking Sys Admins
‘Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. “Who better to target than the person that already has the ‘keys to the kingdom’?” one of the posts says.’
Admins are an attack surface!

Most Administration is Binary!

Authoring
 Two simple concepts
 JEA Toolkit
 Well defined list of commands to support a set of activities
 JEA Endpoint
 Connection point where authorized users run commands from JEA Toolkits as an administrator
 Deciding who should do what requires effort
xJeaToolkit Demo_1_Toolkit
{
    Name         = 'Demo_1_Toolkit'
    # CSV, one row per allowed command. Blank Module = any module;
    # ValidateSet / ValidatePattern constrain the named Parameter only.
    CommandSpecs = @'
Module,Name,Parameter,ValidateSet,ValidatePattern
,Get-Service,,,
,Restart-Service,Name,,SQL\w*
,Get-EventLog,Name,Application,
SMBShare,Get-*,,,
'@
}
xJeaEndpoint Demo_1_Endpoint
{
    Name                   = 'Demo_1_Endpoint'
    Toolkit                = 'Demo_1_Toolkit'
    # Who may connect: Builtin Administrators (BA) and Remote Management Users (RM);
    # the S: part is the audit SACL.
    SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
    DependsOn              = '[xJeaToolkit]Demo_1_Toolkit'
}
Configuration FileServers
{
    Import-DscResource -ModuleName xJea

    Node $node
    {
        xJeaToolkit StorageTools
        {
            Name         = 'StorageTools'
            # A Module-only spec exposes every command in the listed modules
            CommandSpecs = @'
Module
Storage
SMBShare
'@
        }
        xJeaEndpoint StorageEP
        {
            Name                   = 'StorageEP'
            Toolkit                = 'StorageTools'
            SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
            DependsOn              = '[xJeaToolkit]StorageTools'
        }
    }
}
Traditional Scripts vs. DSC Configuration (diagram):
 DSC Configuration captures intent
 DSC Engine provides dependency resolution, logging & error handling, reboot resiliency and repeatable automation
 DSC Resources are technology specific (traditional scripts put all of the above into technology-specific code)
Author, Compile, Deploy (diagram):
 Author: PowerShell Configuration Document (or 3rd party tooling)
 Compile: Configuration Document
 Deploy: "Make it So" in Push Mode, or Pull Mode from a DSC Pull Server; on the node the DSC Engine runs the JEA DSC Resources (xJEA Module) to create the Toolkit and the Endpoint
Authoring: Real World
 Three simple concepts
 PowerShell Modules
 Built in or custom-authored functions for your environment
 JEA Toolkit
 Well defined list of commands to support a set of activities
 JEA Endpoint
 Connection point where authorized users run commands from JEA Toolkits as an administrator
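As an added example (not code from the slides or from the xJEA module's own samples): a complete DSC document that authors a toolkit and endpoint like Demo_1 above, compiles it, pushes it to the local node, and then runs the checks an engineer would want before handing the endpoint to anyone. Two things differ from the demo on purpose: the endpoint ACL is scoped to a single group instead of the default BA/RM SDDL, and the Restart-Service pattern is anchored (`^SQL\w*$`), because ValidatePattern is an unanchored regex match and the slide's `SQL\w*` would also admit a name such as `NoSQLAgent`. Assumptions: the xJea DSC module is installed on the node, the script runs elevated on that node, `CONTOSO\SQL-Ops` is a hypothetical group name to substitute, and the path `C:\DSC\SqlOpsJea` is arbitrary.

```powershell
# Added example, not code from the slides. Assumes the xJea DSC module is
# installed, the script runs elevated on the target node, and that the
# group CONTOSO\SQL-Ops (hypothetical) exists.
Configuration SqlOpsJea
{
    param([Parameter(Mandatory)][string]$AllowedSid)

    Import-DscResource -ModuleName xJea

    Node 'localhost'
    {
        xJeaToolkit SqlOpsToolkit
        {
            Name         = 'SqlOpsToolkit'
            # Anchored pattern: only service names that start with SQL.
            CommandSpecs = @'
Module,Name,Parameter,ValidateSet,ValidatePattern
,Get-Service,,,
,Restart-Service,Name,,^SQL\w*$
,Get-EventLog,Name,Application,
'@
        }

        xJeaEndpoint SqlOpsEndpoint
        {
            Name                   = 'SqlOpsEndpoint'
            Toolkit                = 'SqlOpsToolkit'
            # Grant connect (GA) to the one group only; keep the audit SACL.
            SecurityDescriptorSddl = "O:NSG:BAD:P(A;;GA;;;$AllowedSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
            DependsOn              = '[xJeaToolkit]SqlOpsToolkit'
        }
    }
}

# Resolve the (hypothetical) group to its SID at compile time so the ACE
# does not depend on name resolution on the node.
$account = New-Object System.Security.Principal.NTAccount('CONTOSO\SQL-Ops')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Author -> Compile (MOF) -> Deploy in push mode.
SqlOpsJea -AllowedSid $sid -OutputPath C:\DSC\SqlOpsJea
Start-DscConfiguration -Path C:\DSC\SqlOpsJea -Wait -Verbose -Force

# Check 1: who may connect, and which account the endpoint runs commands as.
Get-PSSessionConfiguration -Name SqlOpsEndpoint |
    Select-Object Name, RunAsUser, Permission

# Check 2: a connecting user sees only the toolkit, not a full shell.
$s = New-PSSession -ComputerName localhost -ConfigurationName SqlOpsEndpoint
Invoke-Command -Session $s -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType

# Check 3: the parameter constraint holds. 'SQLWriter' matches ^SQL\w*$;
# 'Spooler' is rejected by the proxy function's parameter validation.
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name 'SQLWriter' }
try {
    Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name 'Spooler' }
} catch {
    "Rejected as expected: $($_.Exception.Message)"
}
Remove-PSSession $s
```

The SID translation and the `Permission` column are the two things to look at before rollout: the first proves the ACE names the group you meant, the second shows the effective grant on the registered session configuration rather than what the MOF intended.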

Better Together (diagram): capability-limited administration (JEA) on top of time-limited administration (PIM), over time
PIM elevation flow (diagram; swimlanes Lee / PIM Admin, Jen / Admin, Automation):
 Admin Jen is assigned to a role
 The role is pending an elevation process for Jen
 Jen asks for elevation into the role
 Elevation process is preparing: automatic approval, pending Role Owner approval, pending MFA
 Role is active; Admin Jen gets permissions for the JEA Endpoint
 Elevation period ends; role is not active for Jen anymore
...
Admins are an attack surface!




Simple concepts
 JeaToolkit
 Set of commands to support certain activities
 JeaEndPoint
 Connection point where authorized users can run commands from Toolkits as an elevated account
 Desired State Configuration
 PowerShell Modules
BlackHat 2010
Q: What do we do about all
these attacks?
A: “Man up and defend yourselves!”
Feedback Requested
 We are looking for partners
 Tell us about any blockers
 Contact: [email protected]
Questions/Comments
http://aka.ms/moderninfrastructure
http://aka.ms/deployinghyperv
http://aka.ms/cloud-platform-ebook
http://aka.ms/virtualization-lab
http://aka.ms/wap-lab
@MS_ITPro
http://myignite.microsoft.com