ITS – Identity Services

ONEForest SecurityJake DeSantis

Keith Brautigamoneforest@psu.edu

Agenda

1. ONEForest Overview2. Preventing credential theft3. Secure Administration4. Takeaways

ITS – Identity Services

ONEForest OverviewKey BenefitsSecurity GoalsTechnical Design

ONEForest Key Benefits

Improve Penn State security posture• Consolidate local credential stores to a single point of control• Replace MIT-Kerberos as central authentication store• Extend domain management to off network computers

Foundation for Higher Level Services• Consistency of identities across services• Secure login to Office 365 with PSU credentials

Improve Security Posture

ONEForest

Creds.

OU

OU OU

OUMIT

Kerberos

Security Goals

• Follow best practices from Microsoft & NIST • Mitigate common credential theft attacks• Protect domain credentials at rest & in transit• Eliminate use of weak authentication protocols

Active Directory Design

• Green field • Single Forest, Single Domain• Using TNS IPAM service• OU Structure to support delegation• Multiple Password Policies• GPOs to apply minimum security baseline

ITS – Identity Services

Preventing Credential TheftPass the Hash DemoTechnical Vulnerabilities Mitigations

Pass the Hash (Demo)

Social Engineering to gain admin access1. Spear Phishing to get user credential2. Pose as user to lure admin to login to compromised system3. Trick admin into running malicious code (online or local app) 4. Bingo! Access to admin’s credential

Credential Replay Attack

PtH Demonstration

Vulnerable Technology

• Caching of user credential (hash) for SSO (LSASS.exe)• Logins allowed to any client by any user• RDS provides user credential to local computer • Common local Administrator password• Host firewalls permit lateral movement across network

Technical Mitigations

• Decommission Windows pre 8.1 & Windows Server pre 2012 R2• MS fixed LSASS.exe in more recent OS versions

• Turn off LM and NTLMv1 using GPOs• Easily exploitable

• Use of “Protected Users” Security Group for Admin accounts• No NTLM, high encryption, 4 hr. ticket lifetime

• Limit privileged account logins using User Rights GPOs• Require multiple credentials

Technical Mitigations

• Use Microsoft Local Administrator Password Solution (LAPS)• Unique, per computer passwords for the local administrator account

• Use Remote Assistance to access workstations and for client management• Prevent exposure of admin credentials to clients

• Implement local firewall policies• Prevent unnecessary client-to-client communication

• Limit effectiveness of phishing by using 2FA• Integrate with remote applications & VPNs

Mitigate with Best Practices

• Assume Compromise• Adjust our mindset – “not if, but when?”

• Follow Least Privileged Access model• Eliminate granting admin privileges to standard user accounts (LAPS)• Separate accounts for admin duties

• Use dedicated “jump” servers• Provide known good environment for admins

ITS – Identity Services

Secure AdministrationRole SeparationRemote Desktop Services

Role Separation Enterprise & Domain Admin

OU Admin

Server Admin

Workstation Admin

User Auth.

Microsoft RemoteApp – Prerequisites • Compatible Remote Desktop client• Given access to ONEForest Remote Administration• Registered for DUO 2FA Push Notifications• Must have a PSU IP address • Setup MS RemoteApp connection on your client

Microsoft RemoteApp – Workflow

Launch the RemoteApp

Authenticate with PSU account

Complete 2FA

Admin credential

Outcome:App running as admin on Session Host; displayed on client

ITS – Identity Services

Takeaways

Things you should do now

• “Assume Compromise” mindset• Upgrade clients & servers now!• Deploy LAPS• Implement jump servers for Admins• Configure local firewalls• Protect applications & VPNs with 2FA• Use “Protected Users" security group• Disable caching of AD credentials• Limit debug privileges

Questions?

• “Assume Compromise” mindset• Upgrade clients & servers now!• Deploy LAPS• Implement jump servers for Admins• Configure local firewalls• Protect applications & VPNs with 2FA• Use “Protected Users" security group• Disable caching of AD credentials• Limit debug privileges