ITS – Identity Services: ONEForest Security
Jake DeSantis, Keith Brautigam (oneforest@psu.edu)
Agenda
1. ONEForest Overview
2. Preventing credential theft
3. Secure Administration
4. Takeaways
ITS – Identity Services
ONEForest Overview
• Key Benefits
• Security Goals
• Technical Design
ONEForest Key Benefits
Improve Penn State security posture
• Consolidate local credential stores to a single point of control
• Replace MIT-Kerberos as central authentication store
• Extend domain management to off network computers
Foundation for Higher Level Services
• Consistency of identities across services
• Secure login to Office 365 with PSU credentials
Improve Security Posture
[Diagram: credential stores from several OUs and MIT Kerberos consolidated into ONEForest]
Security Goals
• Follow best practices from Microsoft & NIST
• Mitigate common credential theft attacks
• Protect domain credentials at rest & in transit
• Eliminate use of weak authentication protocols
Active Directory Design
• Green field
• Single Forest, Single Domain
• Using TNS IPAM service
• OU Structure to support delegation
• Multiple Password Policies
• GPOs to apply minimum security baseline
ITS – Identity Services
Preventing Credential Theft
• Pass the Hash Demo
• Technical Vulnerabilities
• Mitigations
Pass the Hash (Demo)
Social Engineering to gain admin access
1. Spear Phishing to get user credential
2. Pose as user to lure admin to login to compromised system
3. Trick admin into running malicious code (online or local app)
4. Bingo! Access to admin’s credential
Credential Replay Attack
PtH Demonstration
Vulnerable Technology
• Caching of user credential (hash) for SSO (LSASS.exe)
• Logins allowed to any client by any user
• RDS provides user credential to local computer
• Common local Administrator password
• Host firewalls permit lateral movement across network
Technical Mitigations
• Decommission Windows pre 8.1 & Windows Server pre 2012 R2
  • MS fixed LSASS.exe in more recent OS versions
• Turn off LM and NTLMv1 using GPOs
  • Easily exploitable
• Use of “Protected Users” Security Group for Admin accounts
  • No NTLM, high encryption, 4 hr. ticket lifetime
• Limit privileged account logins using User Rights GPOs
  • Require multiple credentials
Technical Mitigations
• Use Microsoft Local Administrator Password Solution (LAPS)
  • Unique, per computer passwords for the local administrator account
• Use Remote Assistance to access workstations and for client management
  • Prevent exposure of admin credentials to clients
• Implement local firewall policies
  • Prevent unnecessary client-to-client communication
• Limit effectiveness of phishing by using 2FA
  • Integrate with remote applications & VPNs
Mitigate with Best Practices
• Assume Compromise
  • Adjust our mindset – “not if, but when?”
• Follow Least Privileged Access model
  • Eliminate granting admin privileges to standard user accounts (LAPS)
  • Separate accounts for admin duties
• Use dedicated “jump” servers
  • Provide known good environment for admins
ITS – Identity Services
Secure Administration
• Role Separation
• Remote Desktop Services
Role Separation
[Diagram: separated administrative tiers]
• Enterprise & Domain Admin
• OU Admin
• Server Admin
• Workstation Admin
• User Auth.
Microsoft RemoteApp – Prerequisites
• Compatible Remote Desktop client
• Given access to ONEForest Remote Administration
• Registered for DUO 2FA Push Notifications
• Must have a PSU IP address
• Setup MS RemoteApp connection on your client
Microsoft RemoteApp – Workflow
1. Launch the RemoteApp
2. Authenticate with PSU account
3. Complete 2FA
4. Admin credential
Outcome: App running as admin on Session Host; displayed on client
ITS – Identity Services
Takeaways
Things you should do now
• “Assume Compromise” mindset
• Upgrade clients & servers now!
• Deploy LAPS
• Implement jump servers for Admins
• Configure local firewalls
• Protect applications & VPNs with 2FA
• Use “Protected Users” security group
• Disable caching of AD credentials
• Limit debug privileges
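As an added PowerShell example (not code from this deck or from Penn State ITS), the following read-only audit checks a domain-joined host against several items from the Technical Mitigations slides and the checklist above: LM/NTLMv1 disabled, cached AD credentials off, local firewall blocking inbound, LAPS managing the local admin password, and admins in Protected Users. It assumes the ActiveDirectory and NetSecurity modules, the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime, and that Domain Admins is the admin group expected in Protected Users; the function name and finding strings are mine.

```powershell
# Added example (not the deck's or Penn State ITS code): read-only audit of a
# domain-joined Windows host against items from the checklist above. Assumes the
# ActiveDirectory and NetSecurity modules and the legacy LAPS schema (ms-Mcs-AdmPwd*).
#Requires -Modules ActiveDirectory, NetSecurity

function Test-OneForestBaseline {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $findings = [System.Collections.Generic.List[string]]::new()

    # "Turn off LM and NTLMv1": LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.LmCompatibilityLevel -lt 5) {
        $findings.Add("LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)'; set it to 5 via GPO.")
    }
    # NoLMHash = 1 stops the weak LM hash from being stored at the next password change.
    if ($lsa.NoLMHash -ne 1) { $findings.Add('NoLMHash is not 1; LM hashes may still be stored.') }

    # "Disable caching of AD credentials": CachedLogonsCount is a REG_SZ that defaults to "10".
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = if ($null -eq $winlogon.CachedLogonsCount) { 10 } else { [int]$winlogon.CachedLogonsCount }
    if ($cached -ne 0) { $findings.Add("CachedLogonsCount is $cached; set it to 0 on servers and jump hosts.") }

    # "Configure local firewalls": every profile on and blocking unsolicited inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
            $findings.Add("Firewall profile $($p.Name) is off or does not block inbound by default.")
        }
    }

    # "Deploy LAPS": a LAPS-managed computer object carries a password expiration time.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    if (-not $computer.'ms-Mcs-AdmPwdExpirationTime') {
        $findings.Add("$ComputerName has no LAPS expiration time; its local admin password may be shared.")
    }

    # "Use Protected Users": assumption here is that every Domain Admin belongs in that group.
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
    foreach ($da in Get-ADGroupMember -Identity 'Domain Admins' -Recursive) {
        if ($protected -notcontains $da.DistinguishedName) {
            $findings.Add("Domain Admin $($da.SamAccountName) is not in Protected Users.")
        }
    }

    return $findings
}

Test-OneForestBaseline | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated session on the host being checked; an empty result means every check passed, and each warning names the registry value, profile, computer or account that still needs the GPO or group change.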
Questions?