
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

BASIC SECURITY PRINCIPLES

Outline
- User Identity and Access Tokens
- Local User Accounts
- Domain User Accounts
- Authentication Mechanisms
- User Rights
- User Account Control
- Group Policy Security Settings
- Computer Environment
- Groups and Group Scopes

Advanced Windows Security: USER IDENTITY AND ACCESS TOKENS

Windows Processes
- Everything runs as a process
  - some code runs in kernel mode, but mostly under the identity of the calling process
  - interrupts, DPCs and the file cache execute without a user context
- Every process runs under a user identity
  - SYSTEM, Network Service, Local Service, local user, domain user
- Access permissions are always checked
  - there is no root superuser as in Unix

User Identity
- User identity is represented as a SID
  - NT Authority\SYSTEM = S-1-5-18
  - NT Authority\Local Service = S-1-5-19
  - NT Authority\Network Service = S-1-5-20
  - BUILTIN\Administrators = S-1-5-32-544
  - BUILTIN\Users = S-1-5-32-545
  - local user = S-1-5-21-LocalSID-RID
  - domain user = S-1-5-21-DomainSID-RID
- Every process gets its own copy of an Access Token
  - list of the user's SID and the SIDs of his groups
  - created by LSASS.exe (Local Security Authority)

Access Token
- Memory structure that contains the user SID and the SIDs of his groups
  - identified by its Logon Session ID
- Inherited by child processes
- Cached after a successful interactive logon in the registry
  - HKLM\Security\Cache
  - Policy: Number of Previous Logons to Cache
- Limited to 1025 SIDs

Access Token Cache Limit
- Access token limit of 1025 SIDs
- Lab: indirect group membership in the access token

Tools for Access Token
- WHOAMI /ALL
  - built into Vista/2008 and newer
  - member of the Support Tools for 2003/XP and older
- PROCEXP (Process Explorer)
  - download from http://live.sysinternals.com
- PSEXEC
  - download from http://live.sysinternals.com
- ADUC Attribute Editor
  - Active Directory Users and Computers console
  - select View – Advanced Features
  - can show user and group SIDs in AD

Lab: Access Token
- Log on to GPS-WKS as Kamil
  - use WHOAMI /ALL to investigate his access token
  - verify that he is a member of the Administrators and Employees groups
  - note his SID and the SIDs of his groups
- Use PSEXEC -D -S -I CMD to start a command line under the SYSTEM account
  - use WHOAMI /ALL to verify its access token
- Use PSEXEC -D -I -U "NT Authority\Network Service" CMD to start a command line under the Network Service account
  - use WHOAMI /ALL to verify its access token
- Start PROCEXP and verify the contents of the access tokens of some processes
- Start ADUC and use the Attribute Editor tab to verify user SIDs in Active Directory

System SIDs
- Some SIDs are added automatically
- INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON
- Everyone, Authenticated Users, This Organization, NTLM Authentication

Lab: SERVICE SID
- On GPS-DC create a service account for the SNMPTRAP service
  - user: svc-snmp
  - options: password never expires, user cannot change password
- On GPS-WKS reconfigure the SNMP Trap service to run under the GPS\svc-snmp account
- Using PROCEXP verify the SERVICE SID injected into the process's access token

Translating SIDs with PowerShell

```powershell
# SID -> account name
'S-1-5-18', 'S-1-5-32-544' |
  Select-Object @{ n = 'SID'; e = { $_ } },
                @{ n = 'Name'; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value } }

# account name -> SID
'Administrators', 'NT AUTHORITY\Network Service' |
  Select-Object @{ n = 'Name'; e = { $_ } },
                @{ n = 'SID'; e = { (New-Object System.Security.Principal.NTAccount $_).Translate([System.Security.Principal.SecurityIdentifier]).Value } }

# find a SID inside arbitrary text (here a per-service SID, S-1-5-80-...)
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value
```

All BUILTIN SIDs

```powershell
# enumerate S-1-5-32-1 .. S-1-5-32-1000 and print those RIDs that resolve to a BUILTIN account
1..1000 | ForEach-Object {
  $user = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-32-$_"
  try {
    $name = $user.Translate([System.Security.Principal.NTAccount]).Value.Replace('BUILTIN\', '')
    Write-Host ("{0,35} = S-1-5-32-{1}" -f $name, $_)
  } catch {
    # RID is not defined on this system: Translate() throws, skip it silently
  }
}
```

Everyone vs. Authenticated Users
- Windows 2000 and older: Everyone = Authenticated Users + Anonymous Logon
- Windows XP and newer: Everyone = Authenticated Users
  - can be changed back in security policy: Let Everyone permissions apply to Anonymous Users

Default Local Users Group and Domain Users
- By default the local Users group contains Authenticated Users
- Default security: Everyone = Authenticated Users = Users = Domain Users
- Do not use any of these groups for securing resources

Lab: Local Users on GPS-WKS

Lab: Verify (non)Access
- Verify that these users can log on to the GPS-WKS workstation
  - [email protected] (Employee)
  - [email protected] (Employee)
  - [email protected] (account from the ELEARNING domain)
- Verify that the following users cannot log on to GPS-WKS
  - [email protected] (Contractor)
  - BIKES\tanja (account from the BIKES domain)

Advanced Windows Security: LOCAL USER ACCOUNTS

Local User Accounts
- Stored in the local registry: HKLM\SAM\Domains\Account
- Password hashed (MD4)
  - can be stored in full – Policy: Store passwords using reversible encryption
- Can enforce password complexity and history
  - Policy: Password complexity requirements
  - Policy: Enforce password history
- Single login: COMPUTER\username

Do not store clear-text passwords

LM Password Hashes
- Windows 2003/XP store LM password hashes
  - extremely insecure: effectively only 7 uppercase characters
  - remains in the Default Domain Policy GPO if the domain was installed with Windows 2003 or older
  - backward compatibility with Windows 95, 3.1, MS-DOS
- Should be disabled as soon as possible

Lab: Disable LM Hashes
- On GPS-DC open the GPMC console
- Create a new GPO for the domain
  - name: Security: LM Hashes Disabled
  - link to: gopas.virtual
  - enforced: yes
- Disable LM hashes
  - Computer – Windows Settings – Local Policies – Security Options – Do not store LAN Manager hashes on next password change

Lab: Cracking Local Passwords with Cain
- Log on to GPS-WKS as gps\kamil
- Install the Cain & Abel tool
- Switch to the Cracker tab
- Import LM & NTLM hashes from the local system
- Perform a Brute-Force Attack on one of the hashes

http://hashcat.net performance (2016)

Brute-Force vs. Rainbow Tables
- Brute-force: generate all the possible hashes
  - takes time for the generation
  - ca 80x per additional character
- Rainbow tables: use a pre-generated, sorted list of hashes
  - takes time once for the generation
  - takes space to store the database
  - ca 40x per additional character

Local Password Policies

Password Policies
- Minimum recommended length: 10 characters
  - http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145
- Minimum password age
  - the setting is necessary only to enforce password history
- Password complexity
  - 3 of 4: at least three from a-z, A-Z, 0-9, #^%&*
  - must not contain 3 or more characters of the user's login

Complex Passwords
- Simple examples
  - September2012
  - John-Lennon
  - Buldo-zer56
- Login considered
  - login: ondrej
  - invalid password: J@mES-BonD38

Local Account Lockout Policy

Advanced Windows Security: VOLATILE STATE VS. OFFLINE ATTACKS

Sensitive memory information
- LSASS.exe
  - currently logged-on users' hashes
  - currently logged-on users' plain-text passwords
  - processes, services, jobs, IIS app pools
- Only local administrators can attack online
  - debug privilege!
- Windows 8/2012 and older
  - password + MD4 hash + LM hash (always)
- Windows 8.1/2012 R2 and newer
  - MD4 hash (+ password if RDP SSO)
  - LM hash if enabled

Extract passwords/hashes

Pass-the-hash

Sensitive information stored permanently
- Only local administrators can extract online
  - local user password hashes from the registry
  - plaintext passwords of services, scheduled tasks, IIS app pools
- Users can extract their own online
  - IE stored passwords
  - RDP stored passwords
  - stored Windows credentials
  - software keylogging
- Offline extraction
  - anything stored permanently (except with SYSKEY)

Permanently stored system-wide information
- HKLM\SAM
  - local user account hashes (LM, MD4)
  - non-salted = rainbow tables / brute-force
- HKLM\SECURITY\Cache
  - domain user account hash cache (1000x SHA-1)
  - salted with the username = brute-force only
- HKLM\SECURITY\Policy\Secrets
  - LSA secrets: plain-text passwords for services, DefaultPassword, VPN (dial-up) passwords
- %windir%\System32\Config\SystemProfile\AppData\Local\Microsoft\Credentials
  - scheduled task plain-text passwords, protected with DPAPI

Permanently stored system-wide and per-user information
- IIS application pool accounts
  - plain-text in applicationHost.config (DPAPI protected)
  - appcmd list apppool /text:*
- NPS RADIUS clients
  - plain-text shared secrets
  - netsh nps export exportpsk=yes
- Per user: Windows Vault / Stored User Names and Passwords (DPAPI)
  - %userprofile%\AppData\Roaming\Microsoft\Credentials
  - %userprofile%\AppData\Local\Microsoft\Vault

Online fake password prompts
- Require CTRL-ALT-DEL
- Require secure desktop UAC confirmation

Require CTRL-ALT-DEL

Require secure UAC prompts

Do not allow "Stored user names and passwords" (WKS only vs. scheduled jobs)

Do not allow IE caching passwords (basic/forms)
- IE 7, 6, …
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - DisablePasswordCaching = 1
- IE 8, 9, 10
  - disable Credential Manager
- IE 11
  - HKCU\Software\Microsoft\Internet Explorer\Main
  - FormSuggest Passwords = no

Do not allow browser caching passwords (basic/forms)
- Edge
  - HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main
  - FormSuggest Passwords = no
- Chrome
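As an added example for the access-token and SID slides above (not code from the deck or its author): the script reads the current process's token through .NET, resolves each SID to a name, classifies it by the SID patterns the slides introduce (well-known system SIDs, BUILTIN S-1-5-32-RID, account S-1-5-21-...-RID, per-service S-1-5-80-...) and compares the count with the 1025-SID token limit. The well-known SID constants and the 900-SID warning threshold are my own additions.

```powershell
# Added example (not from the original deck): classify the SIDs in the current
# process's access token the way the "User Identity" and "System SIDs" slides
# describe them. Requires Windows (Windows PowerShell 5.1 or PowerShell 7).

# well-known SIDs named on the "System SIDs" slide; the numeric values are the
# standard Windows constants, supplied here rather than taken from the deck
$wellKnown = @{
  'S-1-1-0'     = 'Everyone'
  'S-1-5-2'     = 'NETWORK (logon type)'
  'S-1-5-3'     = 'BATCH (logon type)'
  'S-1-5-4'     = 'INTERACTIVE (logon type)'
  'S-1-5-6'     = 'SERVICE'
  'S-1-5-11'    = 'Authenticated Users'
  'S-1-5-14'    = 'REMOTE INTERACTIVE LOGON (logon type)'
  'S-1-5-15'    = 'This Organization'
  'S-1-5-64-10' = 'NTLM Authentication'
}

function Get-SidClass {
  param([string] $Sid)
  if ($wellKnown.ContainsKey($Sid)) { return $wellKnown[$Sid] }
  switch -Regex ($Sid) {
    '^S-1-5-32-\d+$'            { return 'BUILTIN group (S-1-5-32-RID)' }
    '^S-1-5-21(?:-\d+){3}-\d+$' { return 'Local or domain account/group (S-1-5-21-<SID>-RID)' }
    '^S-1-5-80(?:-\d+){5}$'     { return 'Per-service SID (NT SERVICE\<name>)' }
    '^S-1-5-5-\d+-\d+$'         { return 'Logon session SID' }
    default                     { return 'Other' }
  }
}

function Get-TokenSummary {
  $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
  $entries = foreach ($sid in @($id.User) + @($id.Groups)) {
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<not mapped>' }
    [pscustomobject]@{ SID = $sid.Value; Name = $name; Class = Get-SidClass $sid.Value }
  }
  # the deck's limit is 1025 SIDs per token; 900 is an arbitrary early-warning threshold
  [pscustomobject]@{
    User = $id.Name; SidCount = $entries.Count; NearLimit = ($entries.Count -gt 900)
    LogonType = (($entries | Where-Object Class -like '*logon type*').Name -join ', ')
    Entries = $entries
  }
}

$summary = Get-TokenSummary
$summary.Entries | Format-Table SID, Name, Class -AutoSize
'{0}: {1} SIDs in token (limit 1025), logon type: {2}' -f $summary.User, $summary.SidCount, $summary.LogonType
```

Run it once normally and once from a PSEXEC -S shell as in the lab to see the SYSTEM token and the per-service SID classification side by side.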
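As an added example for the hardening settings in the LM-hash, cached-logon and fake-password-prompt slides (not from the deck): a read-only registry audit that reports whether each recommended setting is in effect on the local machine. The registry paths and value names other than the two IE entries quoted on the slides are the standard locations from my own knowledge, and the cached-logon threshold of 1 is an assumption.

```powershell
# Added example (not from the original deck): audit the hardening settings the
# preceding slides recommend by reading the registry values behind them.
# Paths/values for NoLMHash, EveryoneIncludesAnonymous, CachedLogonsCount,
# DisableCAD and PromptOnSecureDesktop are the standard locations from my own
# knowledge (assumptions, not from the deck); the two IE values are the deck's.

$checks = @(
  @{ Setting = 'Do not store LM hashes (NoLMHash = 1)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'NoLMHash'; Expected = 1 }
  @{ Setting = 'Everyone does not include Anonymous'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'EveryoneIncludesAnonymous'; Expected = 0 }
  @{ Setting = 'Cached logons <= 1 (threshold is my assumption)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'CachedLogonsCount'
     Expected = { param($v) [int]$v -le 1 } }
  @{ Setting = 'CTRL-ALT-DEL required (DisableCAD = 0)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableCAD'; Expected = 0 }
  @{ Setting = 'UAC prompts on the secure desktop'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'PromptOnSecureDesktop'; Expected = 1 }
  @{ Setting = 'IE: basic-auth password caching disabled'
     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Value = 'DisablePasswordCaching'; Expected = 1 }
  @{ Setting = 'IE 11: form password autocomplete off'
     Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Value = 'FormSuggest Passwords'; Expected = 'no' }
)

function Test-HardeningSetting {
  param([hashtable] $Check)
  # a missing value is reported as a failure: "not configured" means the OS default
  # applies, which the audit flags for a human to confirm rather than assuming it is safe
  $actual = $null
  try { $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value) } catch { }
  $pass = $false
  if ($null -ne $actual) {
    if ($Check.Expected -is [scriptblock]) { $pass = & $Check.Expected $actual } else { $pass = ("$actual" -eq "$($Check.Expected)") }
  }
  [pscustomobject]@{ Setting = $Check.Setting; Actual = $actual; Pass = [bool]$pass }
}

$results = $checks | ForEach-Object { Test-HardeningSetting $_ }
$results | Format-Table Setting, Actual, Pass -AutoSize
'{0} of {1} checks pass' -f @($results | Where-Object Pass).Count, $results.Count
```

The HKLM checks need an elevated session to read reliably; the HKCU checks report the settings of the user running the script, so run it as the user whose browser profile is being audited.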