Post on 14-Dec-2015
ITS – Identity Services
ONEForest SecurityJake DeSantis
Keith Brautigamoneforest@psu.edu
Agenda
1. ONEForest Overview2. Preventing credential theft3. Secure Administration4. Takeaways
ITS – Identity Services
ONEForest OverviewKey BenefitsSecurity GoalsTechnical Design
ONEForest Key Benefits
Improve Penn State security posture• Consolidate local credential stores to a single point of control• Replace MIT-Kerberos as central authentication store• Extend domain management to off network computers
Foundation for Higher Level Services• Consistency of identities across services• Secure login to Office 365 with PSU credentials
Improve Security Posture
ONEForest
Creds.
OU
OU OU
OUMIT
Kerberos
Security Goals
• Follow best practices from Microsoft & NIST • Mitigate common credential theft attacks• Protect domain credentials at rest & in transit• Eliminate use of weak authentication protocols
Active Directory Design
• Green field • Single Forest, Single Domain• Using TNS IPAM service• OU Structure to support delegation• Multiple Password Policies• GPOs to apply minimum security baseline
ITS – Identity Services
Preventing Credential TheftPass the Hash DemoTechnical Vulnerabilities Mitigations
Pass the Hash (Demo)
Social Engineering to gain admin access1. Spear Phishing to get user credential2. Pose as user to lure admin to login to compromised system3. Trick admin into running malicious code (online or local app) 4. Bingo! Access to admin’s credential
Credential Replay Attack
PtH Demonstration
Vulnerable Technology
• Caching of user credential (hash) for SSO (LSASS.exe)• Logins allowed to any client by any user• RDS provides user credential to local computer • Common local Administrator password• Host firewalls permit lateral movement across network
Technical Mitigations
• Decommission Windows pre 8.1 & Windows Server pre 2012 R2• MS fixed LSASS.exe in more recent OS versions
• Turn off LM and NTLMv1 using GPOs• Easily exploitable
• Use of “Protected Users” Security Group for Admin accounts• No NTLM, high encryption, 4 hr. ticket lifetime
• Limit privileged account logins using User Rights GPOs• Require multiple credentials
Technical Mitigations
• Use Microsoft Local Administrator Password Solution (LAPS)• Unique, per computer passwords for the local administrator account
• Use Remote Assistance to access workstations and for client management• Prevent exposure of admin credentials to clients
• Implement local firewall policies• Prevent unnecessary client-to-client communication
• Limit effectiveness of phishing by using 2FA• Integrate with remote applications & VPNs
Mitigate with Best Practices
• Assume Compromise• Adjust our mindset – “not if, but when?”
• Follow Least Privileged Access model• Eliminate granting admin privileges to standard user accounts (LAPS)• Separate accounts for admin duties
• Use dedicated “jump” servers• Provide known good environment for admins
ITS – Identity Services
Secure AdministrationRole SeparationRemote Desktop Services
Role Separation Enterprise & Domain Admin
OU Admin
Server Admin
Workstation Admin
User Auth.
Microsoft RemoteApp – Prerequisites • Compatible Remote Desktop client• Given access to ONEForest Remote Administration• Registered for DUO 2FA Push Notifications• Must have a PSU IP address • Setup MS RemoteApp connection on your client
Microsoft RemoteApp – Workflow
Launch the RemoteApp
Authenticate with PSU account
Complete 2FA
Admin credential
Outcome:App running as admin on Session Host; displayed on client
ITS – Identity Services
Takeaways
Things you should do now
• “Assume Compromise” mindset• Upgrade clients & servers now!• Deploy LAPS• Implement jump servers for Admins• Configure local firewalls• Protect applications & VPNs with 2FA• Use “Protected Users" security group• Disable caching of AD credentials• Limit debug privileges
Questions?
• “Assume Compromise” mindset• Upgrade clients & servers now!• Deploy LAPS• Implement jump servers for Admins• Configure local firewalls• Protect applications & VPNs with 2FA• Use “Protected Users" security group• Disable caching of AD credentials• Limit debug privileges