Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com | BASIC SECURITY PRINCIPLES
Outline
. User Identity and Access Tokens
. Local User Accounts
. Domain User Accounts
. Authentication Mechanisms
. User Rights
. User Account Control
. Group Policy Security Settings
. Computer Environment
. Groups and Group Scopes

Advanced Windows Security: USER IDENTITY AND ACCESS TOKENS
Windows Processes
. Everything runs as a process
  some code runs in Kernel mode, but mostly under the identity of the calling process
  interrupts, DPCs and the file cache execute without a user context
. Every process runs under a user identity
  SYSTEM, Network Service, Local Service, local user, domain user
. Access permissions are always checked
  there is no root superuser as in unix

User Identity
. User identity is represented as a SID
  NT Authority\SYSTEM = S-1-5-18
  NT Authority\Local Service = S-1-5-19
  NT Authority\Network Service = S-1-5-20
  BUILTIN\Administrators = S-1-5-32-544
  BUILTIN\Users = S-1-5-32-545
  local user = S-1-5-21-LocalSID-RID
  domain user = S-1-5-21-DomainSID-RID
. Every process gets its own copy of an Access Token
  list of the user's SID and the SIDs of his groups
  created by LSASS.exe (Local Security Authority)
Access Token
. Memory structure that contains the user SID and the SIDs of his groups
  identified by its Logon Session ID
. Inherited by child processes
. Cached after a successful interactive logon in the registry
  HKLM\Security\Cache
  Policy: Number of Previous Logons to Cache
. Limited to 1025 SIDs

Access Token Cache Limit
. Access token limit of 1025 SIDs

Lab: indirect group membership in access token
Tools for Access Token
. WHOAMI /ALL
  built into Vista/2008 and newer
  member of Support Tools for 2003/XP and older
. PROCEXP
  Process Explorer
  download from http://live.sysinternals.com
. PSEXEC
  download from http://live.sysinternals.com
. ADUC Attribute Editor
  Active Directory Users and Computers console
  Select View – Advanced Features
  Can show user and group SIDs in AD

Lab: Access Token
. Log on to GPS-WKS as Kamil
  use WHOAMI /ALL to investigate his access token
  verify that he is a member of the Administrators and Employees groups
  note his SID and the SIDs of his groups
. Use PSEXEC -D -S -I CMD to start a command line under the SYSTEM account
  use WHOAMI /ALL to verify its access token
. Use PSEXEC -D -I -U "NT Authority\Network Service" CMD to start a command line under the Network Service account
  use WHOAMI /ALL to verify its access token
. Start PROCEXP and verify the contents of the access tokens of some processes
. Start ADUC and use the Attribute Editor tab to verify user SIDs in Active Directory
System SIDs
. Some SIDs are added automatically
. INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON
. Everyone, Authenticated Users, This Organization, NTLM Authentication

Lab: SERVICE SID
. On GPS-DC create a service account for the SNMPTRAP service
  user: svc-snmp
  options: password never expires, user cannot change password
. On GPS-WKS reconfigure the SNMP TRAP service to run under the GPS\svc-snmp account
. Using PROCEXP verify the SERVICE SID injected into the process's access token
Translating SIDs with PowerShell

# SID -> account name
'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } },
    @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value } }

# account name -> SID
'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n = 'Name' ; e = { $_ } },
    @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } }

# extract a SID from free text: "S-1" followed by one or more dash-separated numbers
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value

All BUILTIN SIDs

(1..1000) | % {
    $user = New-Object Security.Principal.SecurityIdentifier "S-1-5-32-$_"
    # RIDs that do not map to an account throw an exception; silence it and skip that line
    $errorActionPreference = 'SilentlyContinue'
    write-host ("{0,35} = S-1-5-32-{1}" -f $user.Translate([Security.Principal.NTAccount]).Value.Replace('BUILTIN\', ''), $_)
    $errorActionPreference = 'Continue'
}
Everyone vs. Authenticated Users
. Windows 2000-
  Everyone = Authenticated Users + Anonymous Logon
. Windows XP+
  Everyone = Authenticated Users
  can be changed back in security policy: Let Everyone permissions apply to Anonymous Users

Everyone vs. Authenticated Users

Default Local Users Group and Domain User
. By default the local Users group contains Authenticated Users
. Default security: Everyone = Authenticated Users = Users = Domain Users
. Do not use any of these groups for securing resources

Default Local Users Group

Lab: Local Users on GPS-WKS

Lab: Verify (non)Access
. Verify that these users can log on to the GPS-WKS workstation
  [email protected] (Employee)
  [email protected] (Employee)
  [email protected] (account from the ELEARNING domain)
. Verify that the following users cannot log on to GPS-WKS
  [email protected] (Contractor)
  BIKES\tanja (account from the BIKES domain)
Advanced Windows Security: LOCAL USER ACCOUNTS

Local User Accounts
. Stored in the local registry
  HKLM\SAM\Domains\Account
. Password hashed (MD4)
  can be stored in full: Policy: Store passwords using reversible encryption
. Can enforce password complexity and history
  Policy: Password complexity requirements
  Policy: Enforce password history
. Single login: COMPUTER\username

Do not store clear-text passwords

LM Password Hashes
. Windows 2003/XP store LM password hashes
  extremely insecure, only 7 upper-case characters
  remains in the Default Domain Policy GPO if installed with Windows 2003 or older
  backward compatibility: Windows 95, 3.1, MS-DOS
. Should be disabled as soon as possible
LM Password Hashes

Lab: Disable LM Hashes
. On GPS-DC open the GPMC console
. Create a new GPO for the domain
  name: Security: LM Hashes Disabled
  link to: gopas.virtual
  enforced: yes
. Disable LM hashes
  Computer – Windows Settings – Local Policies – Security Options – Do not store LAN Manager hashes on next password change

Lab: Cracking Local Passwords with Cain
. Log on to GPS-WKS as gps\kamil
. Install the Cain & Abel tool
. Switch to the Cracker tab
. Import LM & NTLM hashes from the local system
. Perform a Brute-Force Attack on one of the hashes

http://hashcat.net performance (2016)
Brute-Force vs. Rainbow Tables
. Brute-force
  generates all the possible hashes
  takes time for the generation: ca 80x per additional character
. Rainbow Tables
  use a pre-generated, sorted list of hashes
  take one-time effort for the generation
  take space to store the database: ca 40x per additional character

Local Password Policies

Password Policies
. Minimum recommended length: 10 characters
  http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145
. Minimum password age
  the setting is necessary only to enforce password history
. Password complexity
  3 of 4: at least three from: a-z, A-Z, 0-9, #^%&*
  must not contain 3 or more characters from the user's login

Complex Passwords
. Simple examples
  September2012
  John-Lennon
  Buldo-zer56
. Login considered
  login: ondrej
  Invalid password: J@mES-BonD38
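An added PowerShell check (written for this page, not Microsoft's implementation of the "Passwords must meet complexity requirements" policy) that applies the two rules stated above to the slide's sample passwords; it reads the login rule as "no run of three or more consecutive characters of the login", which is how the invalid example behaves (J@mES-BonD38 contains "onD" from "ondrej"), and that reading is an assumption.

```powershell
# Added example: applies the complexity rule as worded on the slide, not the exact Windows algorithm.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $Login,
        [int] $MinimumLength = 10      # recommended minimum length from the slide
    )

    $reasons = @()

    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # "3 of 4": at least three of lower-case, upper-case, digits, other characters
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $reasons += "only $classes of 4 character classes"
    }

    # Assumed reading of the login rule: no run of 3 or more consecutive characters of the
    # login may appear in the password, compared case-insensitively.
    $lowerLogin = $Login.ToLowerInvariant()
    $lowerPwd   = $Password.ToLowerInvariant()
    if ($lowerLogin.Length -ge 3) {
        for ($i = 0; $i -le $lowerLogin.Length - 3; $i++) {
            $fragment = $lowerLogin.Substring($i, 3)
            if ($lowerPwd.Contains($fragment)) {
                $reasons += "contains '$fragment' from login '$Login'"
                break
            }
        }
    }

    [pscustomobject]@{
        Password = $Password
        Valid    = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# The slide's own samples checked against the login "ondrej":
# the first three pass, J@mES-BonD38 fails because of "ond"
'September2012', 'John-Lennon', 'Buldo-zer56', 'J@mES-BonD38' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -Login 'ondrej' } |
    Format-Table -AutoSize
```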
Local Account Lockout Policy

Advanced Windows Security: VOLATILE STATE VS. OFFLINE ATTACKS

Sensitive memory information
. LSASS.exe
  currently logged-on user hashes
  currently logged-on user plain-text passwords
  processes, services, jobs, IIS apppools
. Only local administrators can attack online
  debug privilege!
. Windows 8/2012 and older
  password + MD4 hash + LM hash (always)
. Windows 8.1/2012R2 and newer
  MD4 hash (+ password if RDP SSO)
  LM hash if enabled

Extract passwords/hashes

Pass-the-hash

Sensitive information stored permanently
. Only local administrators can extract online
  local user password hashes from the registry
  service, scheduled task, IIS apppool plain-text passwords
. Users can extract their own online
  IE stored passwords
  RDP stored passwords
  stored Windows credentials
  software keylogging
. Offline extraction
  anything stored permanently, except with SYSKEY
Permanently stored system-wide information
. HKLM\SAM
  local user account hashes (LM, MD4)
  non-salted = rainbow tables/brute-force
. HKLM\SECURITY\Cache
  domain user account hash cache (1000x SHA-1)
  salted with the username = brute-force
. HKLM\SECURITY\Policy\Secrets
  LSA secrets: plain-text passwords for services, DefaultPassword, VPN (dialup) passwords
. %windir%\System32\Config\SystemProfile\AppData\Local\Microsoft\Credentials
  scheduled task plain-text passwords, protected with DPAPI

Permanently stored system-wide and per-user information
. IIS application pool accounts
  plain-text in applicationHost.config (DPAPI protected)
  appcmd list apppool /text:*
. NPS RADIUS clients
  plain-text shared secrets
  netsh nps export exportpsk=yes
. Per user
  Windows Vault/Stored User Names and Passwords (DPAPI)
  %userprofile%\AppData\Roaming\Microsoft\Credentials
  %userprofile%\AppData\Local\Microsoft\Vault
Online fake password prompts
. Require CTRL-ALT-DEL
. Require secure desktop UAC confirmation

Require CTRL-ALT-DEL

Require secure UAC prompts

Do not allow "Stored user names and passwords" (WKS only vs. scheduled jobs)

Do not allow IE caching passwords (basic/forms)
. IE 7, 6, …
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  DisablePasswordCaching = 1
. IE 8, 9, 10
  disable Credential Manager
. IE 11
  HKCU\Software\Microsoft\Internet Explorer\Main
  FormSuggest Passwords = no

Do not allow browser caching passwords (basic/forms)
. Edge
  HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main
  FormSuggest Passwords = no
. Chrome for Business
  ADMX template
Protected Users – Kerberos tickets only (8.1, 2012 R2 and newer)

Other browser issues
. Block Flash in IE, Edge, Chrome
. Block other ActiveX plugins
. Email attachments, application whitelisting, …

Password reveal button (Win8/IE)

Credential (Device) Guard

Credential (Device) Guard (Isolated User Mode) (Secure Kernel)
. Separates credentials from LSASS memory
  LSAISO
. Isolated "VM"
. Requirements
  Windows 10 Enterprise/2016
  HW virtualization
  Hyper-V hypervisor enabled
  GPT boot disk + EFI system partition
    convert with MBR2GPT since Win10 1703
  UEFI firmware (BIOS)
    UEFI boot stores environment variables (UEFI lock)
  Secure Boot
    boot process digital signatures
    UEFI Secure Boot enabled during OS installation
  MSINFO32 + UEFI Secure Boot

Disable Device Guard with UEFI lock

Advanced Windows Security: DOMAIN USER ACCOUNTS
Domain User Accounts
. Stored in the Active Directory database
. Password hashes (MD4)
  stores Digest (MD5) since Windows 2003
  stores AES (SHA-1) since Windows 2008
. Two logins
  user principal name ([email protected])
  SAM account name (GPS\kamil)
. Can enforce password policies
  domain-wide using Group Policy
  per users/groups using Granular Password Policies

Logins
. User Principal Name ([email protected])
  userPrincipalName attribute
  up to 1023 characters, recommended max64@max64
  configurable UPN suffixes
  must be unique forest-wide
. SAM Account Name (GPS\kamil)
  sAMAccountName attribute
  up to 20 characters
  always bound to the NetBIOS domain name
Alternative UPN Suffixes

Lab: Alternative UPN Suffixes
. On GPS-DC open the Active Directory Domains and Trusts console
. Right-click the root of the console
. Select Properties
. Verify the following alternative UPN suffixes
  gopas.cz
. Open the ADUC console on ELRN-DC
. Modify the UPN for ELEARNING\jan
  [email protected]

Listing all UPN logins from the Global Catalogue (GC)

Domain Password Policies
. Group Policy based
  domain-wide
  can be defined in any GPO attached to the domain (you can use the Default Domain Policy or create a new one)
. Granular (Fine-grained) Password Policies
  applied to users and/or groups
  require Windows 2008 Domain Functional Level (DFL)
Various user account types

              Personal      Admin                      Service
Typed         frequently    occasionally               never
Remembered    BFU           Keepass on a jump-server   nobody
Length        10+           15+                        25+
Changing      ?? months     ???? months                on request
Smart card    ??            yes                        no
Lockout       5             250                        500 / no
NTLM          yes           Kerberos only              ??

Default Domain Policy
Granular Password Policies (DFL 2008)

Lab: GPO Password Policies
. On GPS-DC open the GPMC console
. Create a new GPO for the domain
  name: Security: Common User Passwords
  link to: gopas.virtual
  enforced: yes
. Define password policies in the newly created GPO
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 15 attempts
  account lockout duration: 3 minutes

Lab: Granular Password Policies
. On GPS-DC open the ADSI Edit console
. Create a new Granular Password Policies object in CN=Password Policies,CN=System,DC=gopas,DC=virtual
  name: Admin Passwords
. Define password policies in the newly created PSO
  psoAppliesTo: Admin Accounts
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 5 attempts
  account lockout duration: until manual unlock

Password Change vs. Reset
. Change password
  anybody who knows the original password
  all password policies apply
. Reset password
  only Domain Admins and Account Operators
  no history, no minimum age
Account vs. Password Expiration
. Password expiration
  after the policy-configured time
  User Must Change Password at Next Logon
  cannot log on; in fact may not be able to change the password remotely over VPN or web applications
  affects smart cards
. Account expiration
  cannot log on after a specific time regardless of password validity
  affects smart cards

Account vs. Password Expiration

pwdLastSet vs. unicodePwd replication metadata

Computer Account
. Just a special user account
. DOMAIN\COMPUTER$
. Password stored in the registry
  HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC
  changed regularly every 30 days (when online)

Computer Account Password Changes

Optional lab: Computer account password corrupted
. Use the Hyper-V console to revert GPS-WKS back to a previous password
. Use NETDOM RESETPWD to enforce a computer password change
  NETDOM RESETPWD /Server:GPS-DC /UserD:gps\domain-admin /PasswordD:Pa$$w0rd

Typical error messages:
  Trust relationship between this workstation and the primary domain failed
  The target account name is incorrect

Test secure channel
  nltest /sc_verify:gps
  Test-ComputerSecureChannel

Lab: GPS-WKS$ network access
. On GPS-WKS start CMD under the SYSTEM account
  psexec -s -i -d cmd
. Try accessing the \\GPS-DC\Public share
. On GPS-DC, change NTFS permissions of the C:\Service\Public folder to DENY access to the GPS-WKS$ account
. Verify that the GPS-WKS machine loses access
. Verify that the Kamil user account still has access
Password Policy Exceptions
. Computer, Managed Service Accounts, Trusts
  no password policies
  password never expires
  never locked out
. Built-in Administrator account (the -500 SID)
  never locked out
  when disabled, can still log on in Safe Mode
  can log on with more than 1025 SIDs in the Access Token (gets trimmed)

Lab: Computer account group

Advanced Windows Security: AUTHENTICATION MECHANISMS

Lab: Connect GPS-DATA to Domain
. On GPS-DC start the ADUC console
. Create the GPS-DATA computer account in OU=Computers
  name: GPS-DATA
  who can connect to domain: SRV Admins
. Log on to GPS-DATA and join the machine to the domain
  domain name: gopas.virtual
  user name: srv-admin
. Add the SRV Admins group to local Administrators
Windows Authentication
. Basic
  clear-text, may be transferred over TLS/SSL
  RDP/TS, IIS, SMTP, POP3, Telnet, LDAP Simple Bind, PS Remoting CredSSP
  no SSO (single sign-on)
. NTLM
  hashed, MD4 + MD5-HMAC
  fall-back method when Kerberos cannot be used
. Kerberos
  hashed, MD4 + RC4/DES/AES
  default authentication
  can use smart cards
. Schannel = TLS Client Certificate logon
  RSA/EC private key for TLS/SSL communications
. CHAP/Digest
  MD5 authentication
  RADIUS/IAS/NPS/IIS

Network Authentication Principle
[Diagram: the client sends its login and identity proof in-band to the application server (FS, SQL, Web); the application server performs pass-through authentication with a DC]
Kerberos Requirements
. Domain user from a domain computer to a domain member server
. Forest trusts
  only NTLM is used on External Trusts
. Internet Explorer
  only in Local intranet sites and Trusted sites (since IE7)
. IP addresses always use NTLM
. Many other more complex requirements (GOC16)
  time, SPN, ...

NTLM and Schannel network logon
[Diagram: the client (Windows 2000+) sends the NTLM hash-based response in-band to the application server (Windows 2000+); the application server passes it through to a DC over SMB, and DCs forward it to each other over D/COM on dynamic TCP ports]

Kerberos network logon (basic principle)
[Diagram: the client obtains a TGT for the user from the DC, then a TGS ticket for the application server, and presents the TGS ticket in-band to the application server]

Kerberos network logon (complete)
[Diagram: as in the basic principle (TGT for the user from the DC, TGS ticket for the server presented in-band); additionally the application server performs occasional PAC validation with a DC over SMB, and DCs forward to each other over D/COM on dynamic TCP ports]
Tools for Kerberos
. KLIST
  lists Kerberos tickets
  purges the ticket cache
  built into Windows 7/2008 R2, member of AD RSAT in Windows Vista/2008
. KERBTRAY
  GUI version of the same for Windows 2003/XP
  member of the Windows Resource Kit
. Auditing Account Logon Events
  Windows Vista/2008+ can use granular auditing

Logon auditing
. Account Logon Event
  "authentication event"
  when an account database validates credentials
. Logon Event
  "session event"
  every time an Access Token is created or closed
Auditing (2000+)

Granular auditing (2008/Vista+)

Auditing (Interactive Logon)
[Diagram: (1) the Account Logon event is recorded on the DC that validates the credentials; (2) the Logon event is recorded on the machine the client logs on to (SQL, FS, WFE)]

Logon types
Type                       Value
Interactive                2
Network                    3
Batch                      4
Service                    5
Unlock                     7
NetworkCleartext           8
NewCredentials             9
RemoteInteractive          10
CachedInteractive          11
CachedRemoteInteractive    12
CachedUnlock               13
Status codes

Status                           Value
STATUS_WRONG_PASSWORD            0xC000006A
STATUS_PASSWORD_RESTRICTION      0xC000006C
STATUS_LOGON_FAILURE             0xC000006D
STATUS_ACCOUNT_RESTRICTION       0xC000006E
STATUS_INVALID_LOGON_HOURS       0xC000006F
STATUS_INVALID_WORKSTATION       0xC0000070
STATUS_PASSWORD_EXPIRED          0xC0000071
STATUS_ACCOUNT_DISABLED          0xC0000072
STATUS_LOGON_NOT_GRANTED         0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED    0xC000015B
STATUS_ACCOUNT_EXPIRED           0xC0000193
STATUS_PASSWORD_MUST_CHANGE      0xC0000224
STATUS_ACCOUNT_LOCKED_OUT        0xC0000234

Download err.exe
. version 2008
  http://www.microsoft.com/en-us/download/details.aspx?id=985
. most up-to-date version: SDK for Windows 8.1
  http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
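The two tables above are what you need to read a failed-logon event. As an added example for this page (not a tool from the course), the function below pulls 4625 events from the local Security log with Get-WinEvent, resolves the numeric logon type and the Status/SubStatus codes to the names above, and then counts failures per account against the lockout threshold used in the GPO lab (15); it assumes it runs elevated on a machine where logon auditing is enabled.

```powershell
# Added example for this page: decode failed-logon events (ID 4625) with the logon type
# and status tables above. Run elevated on a machine where auditing produces 4625 events.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
$StatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000155' = 'STATUS_LOGON_NOT_GRANTED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertFrom-FailedLogonEvent {
    # Input: one EventLogRecord for event 4625, as returned by Get-WinEvent
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Read the EventData fields by name from the event XML; positional indexes differ between OS versions
        $data = @{}
        foreach ($d in ([xml] $Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Status gives the general reason, SubStatus the specific one; both arrive as lower-case hex text
        $status    = '0x{0:X8}' -f [int64] $data['Status']
        $subStatus = '0x{0:X8}' -f [int64] $data['SubStatus']
        $reason = $StatusNames[$subStatus]
        if (-not $reason) { $reason = $StatusNames[$status] }
        if (-not $reason) { $reason = "$status / $subStatus" }   # not in the table: keep the raw codes

        $logonType = [int] $data['LogonType']
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $LogonTypeNames[$logonType]
            Reason      = $reason
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

# Failures from the last 24 hours (SilentlyContinue: "no events found" is not an error here)
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ConvertFrom-FailedLogonEvent

$failures | Format-Table Time, Account, LogonType, Reason, Workstation, SourceIP -AutoSize

# Per-account counts against the lockout threshold configured in the GPO lab
$LockoutThreshold = 15
$failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
        @{ n = 'AtThreshold'; e = { $_.Count -ge $LockoutThreshold } },
        @{ n = 'Reasons'; e = { ($_.Group.Reason | Sort-Object -Unique) -join ', ' } }
```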
Logon sessions

# LogonId is returned as a decimal string; uint32 avoids an overflow on IDs above 0x7FFFFFFF
gwmi win32_LogonSession | select LogonId,
    @{ n = 'LogonIdHex' ; e = { '0x{0:X}' -f ([uint32] $_.LogonId) } },
    AuthenticationPackage, LogonType, StartTime,
    @{ n = 'Login' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand Caption } },
    @{ n = 'SID' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand SID } }

Auditing (Network session)
[Diagram: (1) the Account Logon event is recorded on the DC; (2) the Logon event is recorded on the accessed server (SQL, FS, WFE)]

Account lockout
[Diagram: M and N failed attempts against different servers (SQL, FS, WFE) each produce event ID 4625 on that server; (1) the DC records the lockout itself as Account Management event ID 4740]

Auditing (Interactive logoff)
[Diagram: (1) the Logoff event is recorded on the machine the client logged on to, immediately at logoff]

Auditing (Network session)
[Diagram: (1) the Logoff event is recorded on the server (SQL, FS, WFE) when the TCP connection is closed]

Lab: Auditing Authentication
. On GPS-DC open the GPMC console
. Create a new GPO for the domain
  name: Security: Authentication Auditing
  link to: gopas.virtual
  enforced: yes
. Enable auditing of Account Logon events
  Computer – Windows Settings – Local Policies – Security Settings – Advanced Audit Policy Configuration – Account Logon
  enable all audit subcategories
. Refresh policy on GPS-DC by using GPUPDATE

Lab: Kerberos
. On GPS-WKS open CMD
. Use KLIST /PURGE to purge the Kerberos ticket cache
. Type DIR \\GPS-DC\SYSVOL\gopas.virtual\Policies
. Use KLIST to list Kerberos tickets
. Note the KRBTGT user ticket with the Initial flag
. Note the CIFS ticket for the shared files
. Note that AES is used as the encryption mechanism

Lab: NTLM
. On GPS-WKS open CMD
. Use KLIST /PURGE to purge the Kerberos ticket cache
. Type DIR \\10.10.0.11\SYSVOL\gopas.virtual\Policies
. Use KLIST to verify that there are no Kerberos tickets

Lab: Verifying Audit Events
. On GPS-DC open the Event Viewer console
. Open the Security log
. Filter out all events except for the following:
  Event sources: Microsoft Windows Security Auditing
  Task category: Kerberos Authentication Service, Kerberos Service Tickets, Credentials Validation

Lab: Audit process tracking
Auditing Example
[Diagram: a VPN client authenticates to the VPN server (2: Logon event), which forwards the request to NPS over RADIUS (3: NPS event), which validates the account with the DC (1: Account Logon event)]

NTLM Versions
. LM
  obsolete, insecure, uses LM hashes
  default on Windows XP SP3, should be disabled
. NTLM
  newer, MD4 + DES, still some security concerns
  default on Windows 2003, can be disabled
. NTLMv2
  newest, MD4 + MD5-HMAC
  supported by Windows 98 DSClient, NT 4.0 SP4 and newer

Upgrading NTLM Version

Enforce NTLMv2 session security

Lab: Enforcing NTLMv2
. On GPS-DC open the GPMC console
. Create a new GPO for the domain
  name: Security: NTLMv2
  link to: gopas.virtual
  enforced: yes
. Enforce NTLMv2
  Computer – Windows Settings – Local Policies – Security Options – LAN Manager authentication level: Send NTLMv2 response only

Kerberos AES enforcement
lastLogon, lastLogonTimestamp
. Active Directory attributes of user accounts
. lastLogon
  precise time of the last identity validation
  not replicated
. lastLogonTimestamp
  DFL 2003+
  replicated
  updated only once per 14 days

Last interactive logon time

Alternative identities
. NET USE \\gps-data
. NET USE \\gps-data.gopas.virtual
  is different from \\gps-data, you can use other credentials
. NET USE \\10.10.0.21
  is still different from the previous two, you can use yet another user account
. RUNAS /user
  must have local logon
. RUNAS /netonly /user
  supplies different network credentials for the current user
  does not need any local logon
  LSASS caches alternate identities during the logon session
. NET USE \\gps-data /user:GPS\helena
. NET USE \\gps-data /user:GPS\leos
  error 1219: Multiple connections to a server by the same user, using more than one user name, are not allowed
. Must log off or NET USE /DELETE
Advanced Windows Security: USER RIGHTS

Permissions vs. Rights
. Permissions
  object based access control
  NTFS, registry, LDAP, printers, windows, desktops, SQL server, ...
. Rights (Privileges)
  not everything can be considered an object
  Restart/Shutdown, Logon, ...

Permissions

User Rights Assignment
Types of User Rights
. Logon
  log on locally, from the network, as a batch job
  Deny variant exists
. Actions
  shut down the system, change the system time, synchronize AD, manage auditing, impersonate, enable delegation, create a pagefile, volume maintenance, ...
. Forcible Overrides
  take ownership, add workstation to domain, bypass traverse checking, backup (read all), restore (write all)

Granting and Enabling
. Users must be granted user rights in local policy (or a GPO)
. Processes must enable the user right once they want to perform the action
  a backup application enables the backup right only for the duration of the backup operation
  Event Viewer enables the security right to list the Security event log

Tools for User Rights
. WHOAMI /ALL
  lists user rights and their state for the current command line process
. PROCEXP
  lists user rights and their state for any process

Lab: User Rights
. Log on to GPS-WKS as Kamil
  the user is a member of local Administrators
. Start CMD
. Start Event Viewer and browse the Security event log
. Start Notepad as Helena
  Helena is a member of the regular Users group only
. Start PROCEXP, open Properties of the processes and switch to the Security tab
  verify the list of user rights
  verify that some user rights are granted while some of them are also enabled
Lab: BATCH SID
. On GPS-DC create a service account for the BACKUP job
  user: job-backup
  options: password never expires, user cannot change password
. On GPS-DATA create an empty scheduled task called BACKUP using the gps\job-backup account
. Troubleshoot the scheduled job startup with Event Viewer and/or the T:\ERR tool
. Using PROCEXP verify the BATCH SID injected into the process's access token

Lab: Allow Credential Manager on the server to store the scheduled task password
Lab: Log on as a batch job in GPO

Flow of Access Control
[Diagram: Authentication (Kerberos, NTLM) -> Allow Logon Locally / Access this Computer from Network -> Access Token -> NTFS Permissions -> Disk]
Advanced Windows Security: USER ACCOUNT CONTROL

UAC prompts – Run as administrator

Restricted Users
. Users often work as local Administrators
  users on workstations/notebooks
  local administrators on servers
. We may want to restrict their default permissions and rights
  allow them to elevate if required
. Does not apply to remote (network) connections

UAC Options on Windows 7

UAC Options on Windows 8
. Only display settings
. You must use the policy

Restricting Local Administrators
. Windows XP and newer can restrict local Administrators
  enforced by default on Windows Vista+
  must use Run As on Windows XP
. LSASS can issue a restricted access token
  Administrators and Domain Admins groups are marked as Deny Only
  basic user rights enabled
. LSASS maintains two separate Kerberos ticket caches

"Deny" Groups in Access Token
. User is not a member of the group for Allow ACEs
  if something is granted to the group, it does not apply
. User is a member of the group for Deny ACEs
  if something is explicitly denied to the group, it still applies
  not a common case for Administrators, but still good to know

Deny Group in Access Token

Lab: User Account Control
. On GPS-WKS enable UAC and restart
. Log on as Kamil on GPS-WKS
  the user is a member of local Administrators
. Start CMD and Notepad
. Start CMD and Notepad with Run as Administrator
. Use WHOAMI /ALL to see whether the Administrators group is or is not marked as Deny
. Use PROCEXP to see the same for Notepad
. Using PROCEXP verify that the elevated processes are granted more user rights
. Use KLIST in both CMD windows to see two distinct Kerberos ticket caches

UAC on Windows XP and 2003
Flow of Access Control
[Diagram: Authentication (Kerberos, NTLM) -> Allow Logon Locally / Access this Computer from Network -> UAC -> Access Token (Restricted) -> NTFS Permissions -> Disk]

Remote UAC
. Enabled over the network for non-domain accounts
. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  LocalAccountTokenFilterPolicy = DWORD = 1

Lab: UAC for Desktop computers

Advanced Windows Security: GROUP POLICY
Security in Group Policy
. Policies (always enforced)
  Passwords and Lockout
  Auditing
  User Rights
  Restricted Groups
  Services
. Preferences (may be one-time)
  local Users and Groups
  Files and Folders
  Services

Tools to Verify GP Application
. RSOP.MSC
. GPRESULT /V
. GPRESULT /H report.htm
  the only local tool to show Group Policy Preferences
. Group Policy Management (GPMC)
  Group Policy Results
  Group Policy Modeling

RSOP.MSC

GPRESULT /H (includes GPO Preferences)

WMI Filters
. Local filtering on the target machines
. Uses WMI tables
  Win32_OperatingSystem
  Win32_ComputerSystem
  Win32_Environment
  Win32_LogicalDisk
  Win32_Service
  Win32_Process
. Varying OS support, always GOOGLE for documentation
WMI Filters - Examples
. Win32_OperatingSystem
  ProductType = 1 = Workstation
  ProductType = 2 = DC
  ProductType = 3 = Server
  Version = 6.2 = Windows 8, Windows 2012
  Version = 6.1 = Windows 7, Windows 2008 R2
  Version = 6.0 = Windows Vista, Windows 2008
  Version = 5.2 = Windows XP 64bit, Windows 2003
  Version = 5.1 = Windows XP
  Version = 5.0 = Windows 2000
  OSArchitecture = 32-bit / 64-bit (2008/Vista+ only)

WMI Filters - Examples
. Win32_ComputerSystem
  SystemType = 64-bit / x86
  TotalPhysicalMemory
  DNSHostName
. Win32_Battery
  BatteryStatus <> 0 … laptop
. Win32_SystemEnclosure
  ChassisTypes … laptop vs. desktop

WMI Filters for Servers

Lab: Create Server and Workstation WMI Filters
. On GPS-DC start the GPMC console
. Create a new WMI filter
  name: Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3
. Create a new WMI filter
  name: Workstation
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1
. Create a new WMI filter
  name: Workstation or Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3
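An added PowerShell example (not part of the course material) that evaluates WMI filter queries on the local machine the way the Group Policy client does, so a filter can be tested on a target before the GPO is linked; it uses the three queries from the lab above plus one two-query filter built from the OSArchitecture property listed earlier. The root\CIMv2 namespace and the all-queries-must-match rule are the GPMC defaults.

```powershell
# Added example for this page: evaluate Group Policy WMI filters locally. A filter applies only
# when every one of its queries returns at least one instance; the GP client treats a query that
# fails (unknown class on an older OS) as "no instances", which is mirrored here.
function Test-GPWmiFilter {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'    # namespace GPMC uses by default for WMI filter queries
    )
    $applies = $true
    foreach ($q in $Query) {
        try {
            $count = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop).Count
        } catch {
            $count = 0
        }
        if ($count -eq 0) { $applies = $false }
    }
    [pscustomobject]@{ Filter = $Name; Applies = $applies; Queries = ($Query -join ' AND ') }
}

# What this machine reports, to compare with the filter outcome
$os = Get-CimInstance Win32_OperatingSystem
'{0}: ProductType = {1}, Version = {2}, OSArchitecture = {3}' -f $os.Caption, $os.ProductType, $os.Version, $os.OSArchitecture

# The three filters created in the lab
Test-GPWmiFilter -Name 'Server'                -Query 'SELECT * FROM Win32_OperatingSyst em WHERE ProductType = 3'.Replace(' em', 'em')
Test-GPWmiFilter -Name 'Workstation'           -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
Test-GPWmiFilter -Name 'Workstation or Server' -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3'

# A filter with two queries: 64-bit servers only (both queries must return an instance)
Test-GPWmiFilter -Name '64-bit Server' -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3',
                                              'SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"'
```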
Advanced Windows Security: COMPUTER ENVIRONMENT

Admin Role Separation
[Diagram: a separate admin account per role: domain-admin for the DCs, ntb-admin for notebooks (NTB), wks-admin for workstations (WKS), fs-admin for file servers (FS1, FS2, FS3), web-admin for web front-ends (WF1, WF2), sql-admin for database servers (DB1, DB2)]

Admin Role Separation
[Diagram: the same role split, with an additional is-admin role covering FS1, WF1, WF2 and DB1]

Admin Role Separation (tiering)
[Diagram: simplified tiering: domain-admin for the DCs, srv-admin for all servers (SRV), wks-admin for workstations and notebooks (WKS, NTB)]
Lab: Admin Groups
. On GPS-DC start the ADUC console
. Create the SRV Admins group in OU=Service
. Create the WKS Admins group in OU=Service
. Create the srv-admin account in OU=Service
  name: srv-admin
  options: Password never expires
  member of: Domain Users, Admin Accounts, SRV Admins
. Create the wks-admin account in OU=Service
  name: wks-admin
  options: Password never expires
  member of: Domain Users, Admin Accounts, WKS Admins

Restricted Groups
. Group Policy setting supported since Windows 2000
. Can be used to grant local group membership to domain groups
. Is enforced
  if you want add/remove functionality, use Group Policy Preferences

SRV Admins Group in Local Administrators

GPO Preferences and Local Groups
. Require an optional update on Windows XP, Windows 2003, Windows Vista
. Can be changed from the local GUI
  reapplied at every GPO refresh (120 minutes)
. Are not removed with the GPO
  Restricted Groups return the local setting to its original state

GPO Preferences and Groups

Lab: Make SRV Admins Group Member of Local Administrators
. On GPS-DC start the GPMC console
. Create a new GPO for the domain OU=Computers
  name: Security: SRV Accounts
  link to: gopas.virtual
  WMI filter: Servers
  enforced: yes
. Use the Restricted Groups feature to add the SRV Admins group as a member of the local Administrators group
  Computer – Windows Settings – Security Settings – Restricted Groups
  new group: SRV Admins
  is member of: Administrators

Lab: Make WKS Admins Group Member of Local Administrators
. On GPS-DC start the GPMC console
. Create a new GPO for the domain OU=Computers
  name: Security: WKS Accounts
  link to: gopas.virtual
  WMI filter: Workstations
  enforced: yes
. Use the Restricted Groups feature to add the WKS Admins group as a member of the local Administrators group
  Computer – Windows Settings – Security Settings – Restricted Groups
  new group: WKS Admins
  is member of: Administrators

Lab: Connect GPS-WFE Securely to Domain
. On GPS-DC start the ADUC console
. Create the GPS-WFE computer account in OU=Computers
  name: GPS-WFE
  who can connect to domain: SRV Admins
. Log on to GPS-WFE and join the machine to the domain
  domain name: gopas.virtual
  user name: srv-admin

Disable -500 Admins

Advanced Windows Security: GROUPS AND GROUP SCOPES
Groups
. Security groups
  have a SID
  evaluated during logon
. Distribution groups
  have a SID
  are not evaluated during logon
  can be used by applications (such as Exchange)

Group Scopes and Usage
. Local
  can be used on individual computers
. Built-in Domain Local
  can be used on all DCs of a domain
. Domain Local
  can be used on all members of the domain
. Global
  can be used in all other domains of the same forest or in other domains over trusts
. Universal
  the same as global

Group Scopes and Membership
. Local
  from any domain
. Built-in Domain Local
  from any domain
. Domain Local
  from any domain or trusted domains
. Global
  from the same domain only
. Universal
  from the same forest

My membership (single forest)
[Diagram: user Jitka from domain B can be a member of the domain local (DL), global (G) and universal (U) groups of B, and of the DL and U groups of domains A and C in the same forest, but not of their G groups]

My membership (single forest)
[Diagram: the same with real names: Jitka from DE and the groups DE SAP Access (DE\DL), German Sales (DE\G), DE\U, Mkt Pictures (SK\DL), Slovak Sales (SK\G), SK\U, CZ\DL, Czech Sales (CZ\G), CZ\U]

Access to my local server (single forest)
[Diagram: a resource (DATA) on a server in Jitka's domain B can be secured with the DL, G and U groups of B and with the G and U groups of A and C]

Access to my local server (single forest)
[Diagram: the same with real names: DATA in DE, groups DE SAP Access (DE\DL), German Sales (DE\G), DE\U, Mkt Pictures (SK\DL), Slovak Sales (SK\G), SK\U, CZ\DL, Czech Sales (CZ\G), CZ\U]

Access to a remote server (single forest)
[Diagram: a resource (DATA) on a server in domain C can be secured with the DL, G and U groups of C and with the G and U groups of A and B]

MS recommended philosophy
[Diagram: accounts (A) -> global groups (G) -> optionally universal groups (U) -> domain local groups (DL) -> permissions (P); the chains A-DL-P, A-G-DL-P, A-U-DL-P and A-G-U-DL-P are shown]

MS recommended philosophy
[Diagram: the same chains with an example: SAP permissions <- DE SAP Access (DL) <- World Employees (U) <- CZ Employees (G) <- accounts]

2012 FFL OK philosophy

Exchange 2010+ recommended
[Diagram: accounts (A) -> U (Organization) -> U (Resource) -> permissions (P)]

Group Limits
. Access token: maximum 1025 SIDs
. Kerberos ticket: default 10500 B to store groups
. Global group = 8 B
. Domain local group = 40 B
. Universal group = 8/40 B
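An added PowerShell example (not from the course) that puts the 1025-SID token limit from the Access Token slide and the ticket sizes above into one check: it enumerates a user's direct and nested group membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, classifies each group by scope from its groupType bits, and estimates how much of the default 10500 B the groups consume. It assumes a domain-joined machine, a reader account that can query the directory, and a single domain (universal groups from other domains of the forest are counted only if they are visible in the queried naming context).

```powershell
# Added example for this page: count the groups a user carries in his access token and estimate
# the Kerberos ticket space they need, using the per-scope sizes from the slide.
function Get-TokenGroupEstimate {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $TokenSidLimit    = 1025,    # access token limit (slide)
        [int] $TicketGroupBytes = 10500    # default Kerberos ticket space for groups (slide)
    )

    # Locate the user in the current domain
    $userSearch = [adsisearcher] "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $userResult = $userSearch.FindOne()
    if (-not $userResult) { throw "User '$SamAccountName' not found" }
    $userDn       = [string] $userResult.Properties['distinguishedname'][0]
    $userDomainDn = ($userDn -split ',(?=DC=)', 2)[1]    # e.g. DC=gopas,DC=virtual

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nested membership,
    # so indirect groups come back as well. Only groups in this naming context are searched.
    $groupSearch = [adsisearcher] "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$userDn))"
    $groupSearch.PageSize = 1000
    [void] $groupSearch.PropertiesToLoad.AddRange([string[]] @('distinguishedName', 'groupType'))

    # groupType flag bits: 0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security group
    $global = 0; $domainLocal = 0; $universalSame = 0; $universalOther = 0; $distribution = 0
    foreach ($g in $groupSearch.FindAll()) {
        $type = [int] $g.Properties['grouptype'][0]
        $dn   = [string] $g.Properties['distinguishedname'][0]
        if (-not ($type -band 0x80000000)) { $distribution++; continue }   # distribution groups: no SID in the token
        if     ($type -band 0x2) { $global++ }
        elseif ($type -band 0x4) { $domainLocal++ }
        elseif ($type -band 0x8) {
            if ($dn.EndsWith($userDomainDn, [System.StringComparison]::OrdinalIgnoreCase)) { $universalSame++ }
            else { $universalOther++ }
        }
    }
    $global++   # the primary group (primaryGroupID, normally Domain Users) is not in any member attribute

    # Sizes from the slide: global 8 B, domain local 40 B, universal 8 B (own domain) or 40 B (other domain)
    $ticketBytes = 8 * ($global + $universalSame) + 40 * ($domainLocal + $universalOther)
    $groupSids   = $global + $domainLocal + $universalSame + $universalOther

    [pscustomobject]@{
        User                 = $SamAccountName
        Global               = $global
        DomainLocal          = $domainLocal
        UniversalOwnDomain   = $universalSame
        UniversalOtherDomain = $universalOther
        DistributionSkipped  = $distribution
        GroupSids            = $groupSids
        TokenSidsLeft        = $TokenSidLimit - $groupSids     # system SIDs (Everyone, INTERACTIVE, ...) also take slots
        TicketBytes          = $ticketBytes
        TicketBytesLeft      = $TicketGroupBytes - $ticketBytes
    }
}

Get-TokenGroupEstimate -SamAccountName 'kamil' | Format-List
```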
Different Forests
[Diagram: Jitka from domain B can be a member of the DL groups of domain F in a different (trusted) forest, but not of F's G or U groups; inside her own forest the single-forest rules apply (DL and U groups of A, B and C, G groups of B only)]

Lab: Groups
. Try adding ELEARNING\Employees and BIKES\Bikers into GPS\Employees
  this should not work, because GPS\Employees is a global group
. Create the universal group GPS\IS Access
. Try adding GPS\Employees, ELEARNING\Employees and BIKES\Bikers into GPS\IS Access
  BIKES\Bikers cannot be a member of a universal group from a different forest
. Switch GPS\IS Access to a domain local group
. Add BIKES\Bikers into GPS\IS Access
Lab: IS Access result

Flow of Access Control
[Diagram: Authentication (Kerberos, NTLM) -> Allow Logon Locally / Access this Computer from Network -> UAC -> Access Token (Restricted) -> NTFS Permissions -> Disk; accountDomain\Global and *\Universal groups enter the token at authentication, domainB\Domain local groups are added by the resource domain (domainB.local)]
Temporary AD group membership (FFL 2003)
[Diagram: the user account is made a member of a proxy group with a TTL, which is in turn a member of the real group; the user's existing TGT keeps the membership for its standard lifetime]

Temporary AD objects (since FFL 2003)
. dynamicObject class
. entryTTL = seconds
. CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration
  ms-DS-Other-Settings: DynamicObjectDefaultTTLSeconds, DynamicObjectMinTTLSeconds
Privileged Access Management feature (FFL 2016)
. New AD optional feature: Privileged Access Management Feature
  Get-ADOptionalFeature
. Add-ADGroupMember -MemberTimeToLive
  the lowest lifetime propagates to Kerberos TGT tickets
. Get-ADGroup -Properties Member -ShowMemberTimeToLive
. LDP: LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309

Lab: SAP Access for 40 minutes
. Create the SAP Access group
. Add gps\kamil with a 40 minutes TTL

Note: Autodelete groups
# Permanent base group plus an expiring proxy group (dynamicObject) nested in it;
# the user is a member of the proxy group, so his membership disappears when the proxy group expires
$ou   = [ADSI] 'LDAP://OU=Company,DC=gopas,DC=virtual'
$user = [ADSI] 'LDAP://CN=Kamil,OU=People,OU=Company,DC=gopas,DC=virtual'
[int] $ttl = 20   # minutes

$baseGroup = $ou.Create('group', 'CN=IS Access')
$baseGroup.Put('sAMAccountName', 'IS Access')
$baseGroup.SetInfo()

$expiringGroup = $ou.Create('group', "CN=IS Access Expiring in $ttl minutes")
# objectClass must include dynamicObject before the first SetInfo; 2 = ADS_PROPERTY_UPDATE
$expiringGroup.PutEx(2, 'objectClass', @('dynamicObject', 'group'))
$expiringGroup.Put('entryTTL', ($ttl * 60))   # entryTTL is in seconds
$expiringGroup.Put('sAMAccountName', "IS Access Expiring in $ttl minutes")
$expiringGroup.SetInfo()

$baseGroup.Add($expiringGroup.Path)
$expiringGroup.Add($user.Path)

Advanced Windows Security: MODERN AUTHENTICATION METHODS
PIN logon

PIN complexity

Cloud accounts mapped to local accounts