Managing Local Administrator Passwords with LAPS
2015 PENN STATE SECURITY CONFERENCE
DAN BARR – [email protected]
SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY
10/14/2015 PENN STATE SECURITY CONFERENCE
The Shared Password Threat
Shared passwords are one vector used in Pass-the-Hash attacks
It only takes one compromised client to effectively compromise every system using the same local Administrator password
Makes lateral movement within a “trusted” network trivial
Even if the clear text password isn’t compromised, you’re still in big trouble
So, how do we manage passwords on a large number of systems?
◦ And rotate them often?
◦ And control who can access them?
◦ Without spending a small fortune on additional complex infrastructure or products?
What is Pass-the-Hash (PtH)?
(The short, short version)
Credential replay attack
Attacker does not need the cleartext password!
Hashes can be harvested from:
◦ Memory (lsass.exe process)
◦ Local SAM database (local accounts and cached AD credentials)
◦ NTLM traffic sniffing (but requires brute-force since hash is encrypted over the wire)
NTLM and Kerberos (via ticket replay/forwarding) are both vulnerable
[Diagram: Attacker → Compromised Client → Admin Client → Clients, Servers, Databases]
More on PtH
For more in-depth information and a demo of Pass-the-Hash:
Security Features of OneForest Active Directory Deployment
Keith Brautigam & Jake DeSantis
Thursday at 2:50pm
What is LAPS?
•Local Administrator Password Solution
•Free tool made public by Microsoft in May 2015
•Formerly only available to MS Premier Support agreement holders
•Securely manages unique, random local Administrator passwords on managed systems
•Completely implemented using AD & Group Policy, no additional infrastructure needed
•Developed due to frequency of shared admin passwords used as a primary attack vector in customer security incidents handled by Microsoft
•Does NOT eliminate PtH, just reduces the impact
How does it work?
•Schema extension adds two attributes to Computer objects:
  • ms-Mcs-AdmPwd: Confidential, RODC Filtered
  • ms-Mcs-AdmPwdExpirationTime
•Client-side GPO extension (DLL) installed via MSI
•Managed via simple GUI, PowerShell, or native AD management tools
[Diagram: Active Directory and the Group Policy Framework; AdmPwd.dll on the client; management via LAPS UI, PowerShell, or Group Policy Editor; AD Computer Account attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime]
LAPS Features & Requirements
FEATURES
•Passwords stored centrally in AD
•Optional audit/debug logging to client’s Security Event Log
•Define password parameters: length, complexity, age
•Force a password reset
•GUI, PowerShell, or native AD tools for management
REQUIREMENTS
AD: At least Server 2003 SP1
Officially-supported clients:
◦ Vista with current SP & above
◦ Server 2003 SP2 & above
Unofficially works on XP
LAPS Process
GP Refresh
→ Check expiration timestamp in AD attribute
→ If expired, generate new password based on configured rules
→ Store new password in AD attribute and update expiration timestamp
→ If successful, update local account PW
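A defender-side check built on the process above, added here and not part of the talk: it reads the non-confidential ms-Mcs-AdmPwdExpirationTime attribute (a Windows FILETIME) for every computer in an OU and flags hosts the client-side extension has never written to or whose rotation is overdue. It assumes the RSAT ActiveDirectory module is installed; the OU path and grace period are placeholders.

```powershell
# Added example: report LAPS rotation health without ever reading the password itself.
# ms-Mcs-AdmPwdExpirationTime is a FILETIME (100-ns ticks since 1601-01-01 UTC)
# written by the LAPS client-side extension at each successful rotation.
Import-Module ActiveDirectory

function Get-LapsRotationStatus {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder OU, e.g. 'OU=Workstations,DC=example,DC=com'
        [int] $GraceHours = 24                          # tolerate a slow GP refresh before flagging
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if ($null -eq $raw) {
                # Attribute never set: CSE not deployed, GPO not applied, or SELF lacks write permission
                $expires = $null
                $state   = 'NeverManaged'
            } else {
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                # Expired timestamp still present means the CSE has not completed a rotation since expiry
                $state   = if ($expires.AddHours($GraceHours) -lt $now) { 'Overdue' } else { 'OK' }
            }
            [pscustomobject]@{
                ComputerName = $_.Name
                ExpiresUtc   = $expires
                State        = $state
            }
        }
}

# Show only the problem hosts; an Overdue host is still running a password older than policy intends.
Get-LapsRotationStatus -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object State -ne 'OK' |
    Sort-Object State, ComputerName |
    Format-Table -AutoSize
```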
LAPS Security Considerations
Kerberos encryption used in transit
Use AD object access auditing to track password retrievals
Currently only handles one account per client
◦ Does not have to be built-in Administrator
Password is stored in clear text
◦ Encryption at rest would require key exchange (symmetric) or PKI (asymmetric)
◦ ACLs adequately protect
◦ Maintains the solution’s simplicity
◦ Compromised AD means game over anyway
AD attribute is marked confidential, need one of the following permissions to read it:
◦ “Full Control” on computer object, OR
◦ “All Extended Rights” on computer object, OR
◦ “Control Access” on ms-Mcs-AdmPwd attribute
Not replicated to RODCs
Not exposed in audit logging
PowerShell
Module “AdmPwd.PS”
Cmdlets:
◦ Find-AdmPwdExtendedRights
◦ Get-AdmPwdPassword
◦ Reset-AdmPwdPassword
◦ Set-AdmPwdAuditing
◦ Set-AdmPwdComputerSelfPermission
◦ Set-AdmPwdReadPasswordPermission
◦ Set-AdmPwdResetPasswordPermission
◦ Update-AdmPwdADSchema
Typical Deployment Workflow
Extend AD Schema
→ Review/Revoke Extended Rights
→ Add Machine Rights (SELF)
→ Add User Rights and Auditing
→ Apply Group Policy Settings
→ Deploy Client Side Extension
Deployment Workflow - PowerShell
Extend AD Schema
◦ Update-AdmPwdADSchema
Audit/remove undesired extended rights
◦ Find-AdmPwdExtendedRights -Identity <OU Name> | Format-Table
Add Machine rights (SELF permission to update new attributes)
◦ Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name>
Add User rights to read PW or force reset
◦ Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
◦ Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
Enable access auditing
◦ Set-AdmPwdAuditing -OrgUnit <OU Name> -AuditedPrincipals <users/groups/Everyone>
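The steps above wired into one script, added here as an example rather than taken from the talk: the extended-rights review gates the rest of the deployment so the confidential attribute is not populated while unexpected principals can still read it, and read and reset rights go to separate groups. It assumes the AdmPwd.PS module is installed on the admin host; the OU, group names, and the ExtendedRightHolders property name on the Find-AdmPwdExtendedRights output are assumptions.

```powershell
# Added example: LAPS AD-side deployment in the order the talk recommends.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$readers   = 'EXAMPLE\LAPS-PasswordReaders'          # placeholder group: may read ms-Mcs-AdmPwd
$resetters = 'EXAMPLE\LAPS-PasswordResetters'        # placeholder group: may force a reset only
$auditWho  = 'Everyone'                              # audit every retrieval, as the talk suggests

# 1. Extend the schema once per forest (run as a Schema Admin).
Update-AdmPwdADSchema

# 2. Anyone holding "All Extended Rights" on the OU can read the confidential attribute.
#    Review the holders and stop if anything beyond the expected built-ins is present,
#    so the OU ACL can be cleaned up before any password is written to AD.
$holders = Find-AdmPwdExtendedRights -Identity $ou
$holders | Format-Table -AutoSize
$unexpected = $holders | Where-Object {
    # ExtendedRightHolders property name assumed; -notmatch on the array keeps non-matching holders
    $_.ExtendedRightHolders -notmatch 'Domain Admins|Enterprise Admins|SYSTEM'
}
if ($unexpected) {
    Write-Warning 'Unexpected extended-rights holders found; revoke them on the OU before continuing.'
    return
}

# 3. Allow each computer (SELF) to write its own password and expiration timestamp.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 4. Least privilege: reading the password and forcing a reset are granted separately.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 5. Audit reads of ms-Mcs-AdmPwd; with Directory Service Access auditing enabled on the
#    domain controllers, each retrieval appears in their Security log as event 4662.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals $auditWho
```

Group Policy settings and the client-side MSI still have to be rolled out afterwards; this script covers only the directory side.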
Other PtH Mitigations
Upgrade clients – lots of kernel-level hardening in newer (Win8+) versions.
Limit client-to-client communications
Disable caching of AD credentials where possible
Limit use/scope of privileged accounts – least user access
◦ Use hardened administrative stations & “jump” servers
◦ Offers fewer chances to harvest a privileged hash
Limit debug privileges (often used to access memory of protected processes)
THANK YOU!
Dan Barr – [email protected]
Reminder: Security of OneForest AD Deployment, 2:30pm tomorrow
Keith Brautigam & Jake DeSantis, ITS Identity Services