1. Attacker targets workstations en masse
2. User running as local admin is compromised, attacker harvests credentials
3. Attacker uses credentials for lateral movement or privilege escalation
4. Attacker acquires domain admin credentials
5. Attacker exercises full control of data and systems in the environment
[Diagram: what each level of access exposes. User Access: user's data and keystrokes, user credential. Workstation Administrator (User = Administrator; System or Administrator): all local data, SAM: NT hashes, active user credentials, all Active Directory data (read). Server Administrator: all local data, SAM: NT hashes, active user credentials, access data; a Domain Admin logon to the server exposes Domain Admin credentials. Domain Administrator Access (Domain Controllers): all credentials (NT hashes), all Active Directory data (full control), all data. Attack path runs from Patient Zero (vulnerability & exploit, user action, malware install, beacon / command & control) via pass the hash (PTH) to servers and domain controllers. Demo lab labels: Attack Operator, Client, DomainAdmin, Domain.Local DC, All Workstations.]
Attack stages and the matching defenses:
1. Credential Theft -> 1. Prevent Exposure
2. Credential Re-Use (Illicit) -> 2. Limit Usefulness
[Diagram axes: High Privilege/Value; High Exposure (to Internet/Risk)]
Tiered administration model (Tier 0, Tier 1, Tier 2):
1. Privilege escalation
   • Credential Theft
   • Application Agents
   • Service Accounts
2. Lateral traversal
   • Credential Theft
   • Application Agents
   • Service Accounts
Admin Environment and Production
Power:
 • Credential Partitioning
 • Hardened Admin Environment
 • Known Good Media
 • Network security
 • Hardened Workstations
 • Accounts and smartcards
 • Auto-Patching
 • Security Alerting
 • Tamper-resistant audit
 • Offline Administration (enforces governance)
Assist with mitigating risks:
 • Services and applications
 • Lateral traversal
[Diagram: the Admin Environment (Domain Admins; Red Card Admins; Break Glass Account(s)) connects over IPsec to Production (Domain Controllers; Management and Monitoring; Data: Servers and Applications; Access: Users and Workstations).]
ESAE - Managing Multiple Forests/Domains
 • Increase Security Protections
 • Enterprise threats
 • Known internet threats
 • Hardened Workstations
 • Known Good Media
 • 20+ security controls
 • Network Traffic Restrictions
 • Admin smartcards (optional)
[Diagram: Admin Environment (Domain & Forest Admins) managing Production Domain(s): Domain Admins; Servers and Applications with Server & App Admins; Workstations & Users.]
Privileged Account Workstation (PAW) – Cloud Security
 • Increase Security Protections
 • Enterprise threats
 • Known internet threats
 • Security Protections include
 • Known Good Media
 • 20+ security controls
 • Smartcards (Optional)
 • Security Alerting (Optional)
[Diagram: Privileged Account Workstations used for Social Media, Publishing, Brand Management and for Cloud Infrastructure & Services Administration.]
Managed Access Request System (MARS) timeline (actors: MARS Server, Candidate Account, Managed Privilege (Group Membership or Custom Actions), Resource(s)):
1. Request Access (10:00)
2a. Auto-Approve (10:00)
2b. E-mail Notification (10:00)
3. Access Resource (10:01)
4. Privilege Expires (12:00)
5. Attempt Access (3:15)
Resource(s):
• Managed Servers
• Domain Admin
• Schema Admin
• Top Secret Project
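The MARS flow above as a small just-in-time grant model (added example, not the deck's or MARS's own code; the AccessRequestSystem class, its auto-approve policy and the 2-hour grant duration are assumptions): a grant is created at request time, the privilege is evaluated against the grant window, so the 10:01 access succeeds and the 3:15 retry fails.

```python
# Time-bound (just-in-time) privilege grant modelled on the MARS timeline.
# Added example; class names, policy and grant duration are assumed, not MARS's.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    account: str
    privilege: str            # a managed group such as "Domain Admin"
    approved_at: datetime
    expires_at: datetime


@dataclass
class AccessRequestSystem:
    auto_approve: dict = field(default_factory=dict)  # privilege -> grant duration
    grants: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def request(self, account, privilege, now):
        """Steps 1-2: request access; auto-approve if policy allows, else leave pending."""
        duration = self.auto_approve.get(privilege)
        if duration is None:
            return None                       # would wait for a human approver
        grant = Grant(account, privilege, now, now + duration)
        self.grants.append(grant)
        # Step 2b: the notification is the audit record of who got what, until when.
        self.notifications.append(f"{now:%H:%M} {account} granted {privilege} until {grant.expires_at:%H:%M}")
        return grant

    def has_privilege(self, account, privilege, now):
        """Steps 3 and 5: the privilege exists only inside the grant window."""
        return any(g.account == account and g.privilege == privilege
                   and g.approved_at <= now < g.expires_at for g in self.grants)


def mars_timeline():
    """Replay the deck's timeline: request 10:00, access 10:01, expiry 12:00, retry 3:15 pm."""
    day = datetime(2014, 5, 12)               # constructed date; only the clock matters
    mars = AccessRequestSystem(auto_approve={"Domain Admin": timedelta(hours=2)})
    def at(h, m=0): return day + timedelta(hours=h, minutes=m)
    mars.request("candidate", "Domain Admin", at(10))
    return {
        "10:01": mars.has_privilege("candidate", "Domain Admin", at(10, 1)),
        "15:15": mars.has_privilege("candidate", "Domain Admin", at(15, 15)),
        "pending": mars.request("candidate", "Top Secret Project", at(10)) is None,
        "notifications": mars.notifications,
    }
```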
Enhanced Security Admin Environment (ESAE) With 8.1/2012 R2 Features
Domain and Forest Administration
[Diagram: Production Domain(s) with Security Alerting; Domain and Forest Application & Service Hardening; Lateral Traversal Mitigations; Server and System Management; App and Data Management; Helpdesk and Workstation Management; User Assistance and Support. Hardened Hosts and Accounts: Privileged Account Workstation (PAW), Managed Access Request System (MARS), Protected Users, Auth Policies and Silos, RDP w/Restricted Admin.]
Application and Service Hardening
Upstream Risks (Controlling the Application):
 • Unpatched Software Vulnerability, Weak OS Configuration
 • Management agents on server and scheduled tasks
 • Local operating system administrators
 • Backup and storage administrators
 • Application service accounts
 • Baseboard Management Controllers (BMCs)
 • Physical access and virtual machine administrators
 • ACLs on Computer account, OU, GPO, GPO Content
 • Host Installation Media/Process
 • Application administrator roles
Important: upstream risks also include hosts where upstream administrator credentials are exposed.
[Diagram: the Application (application agents or software) sits between the upstream risks above and Downstream Control over business critical data.]
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/servercloud/products/windows-azure-pack
Microsoft Azure: http://azure.microsoft.com/en-us/
Come visit us in the Microsoft Solutions Experience: look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn