active directory security
play

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s - PowerPoint PPT Presentation

Dec 18, 2023 •331 likes •1.35k views

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com ABOUT Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services

  1. Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com

  2. ABOUT ❖ Founder Trimarc, a security company. ❖ Microsoft Certified Master (MCM) Directory Services ❖ Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon ❖ Security Consultant / Researcher ❖ Own & Operate ADSecurity.org (Microsoft platform security info) * Not a Microsoft MVP Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  3. AGENDA • Current state of Active Directory Security • AD Security Evolution • Expanding AD Permissions • Common Issues • Microsoft Guidance • Recommendations Slides: Presentations.ADSecurity.org Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  4. The Current State of Active Directory: The Good, the Bad, & the UGLY Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  5. The Good • Better awareness of the importance of AD security. • AD security more thoroughly tested. • Less Domain Admins (overall). • Less credentials in Group Policy Preferences. • More local Admin passwords are automatically rotated (LAPS). • PowerShell security improvements (v5). Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  6. The Bad & UGLY • Too many Domain Admins still administer AD from their regular workstation. • Privilege escalation from regular user is still too easy. • Lots of legacy cruft reduces security. • Not enough (PowerShell) logging deployed. • Too many blind spots (poor visibility). • The UGLY • 2018: cybersecurity spending = ~$90B what improved? • Attack detection hasn’t really improved. • Now with more Ransom/Crypto-Ware Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  7. The Evolution of Active Directory Security Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  8. AD Security: The early days • The year is 2000, the OS is too! • Active Directory key design decisions • Replication is feared • Kerberos is embraced and extended • Enter SIDHistory • Compromises to support Windows NT legacy • NT lives on!  Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  9. AD Security: AD v2 & v3 • Windows 2003 Server • Lots of improvements • AD matures significantly • LastLogonTimestamp tracks last logon (& replicates!) • Constrained Delegation • Selective Authentication for Trusts. Everyone ignores… • Many organizations deploy Active Directory Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  10. AD: Let’s Do Security! • Windows Server 2008/2008 R2 • Enter the AD Recycle Bin • Last interactive logon information • Fine-grained password policies • Authentication mechanism assurance which identifies logon method type (smart card or user name/password) • Managed Service Accounts (let AD handle the password) • Automatic SPN management for services running under context of a Managed Service Account. • Goodbye Kerberos DES, hello AES Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  11. AD: Security Enhancements • Windows Server 2012/2012 R2 • Focus on protecting credentials • Shift in security focus • DC-side protections for Protected Users • No NTLM authentication • No Kerberos DES or RC4 ciphers • No Delegation – unconstrained or constrained delegation • No user tickets (TGTs) renewed beyond the initial 4 hr lifetime • Authentication Policies & Authentication Policy Silos Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  12. Rearchitecting Security Windows Server 2016/Windows 10 • Major changes in OS security architecture • From Normal World to Secure World (VSM) • Credential Guard & Remote Credential Guard • Lots of minor changes, big impact (recon) • New shadow security principals (groups) • An expiring links feature (Group TTL) • KDC enhancements to restrict Kerberos ticket lifetime to the lowest group TTL Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  13. AD Permissions: What you don’t know can hurt

  14. It's important to understand that it doesn't matter what Active Directory ry perm rmissions a user has when using the Exchange management tools. If If the user is authorized, via RBAC, to perform an action in the Exchange management tools, the user can perform the action re regardless of f his or r her r Active Directory ry permissions. https://technet.microsoft.com/en-us/library/dd638106.aspx Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  15. Highly Privileged Exchange Groups • Exchange Trusted Subsystem (like SYSTEM, only better) • “The Exchange Trusted Subsystem is a highly privileged …Group that has read/write access to every Exchange-related object in the Exchange organization.” • Members: Exchange Servers • MemberOf: Exchange Windows Permissions • Exchange Windows Permissions • Provides rights to AD objects (users, groups, etc) • Members: Exchange Trusted Subsystem • Organization Management (the DA of the Exchange world) • “Members … have administrative access to the entire Exchange 2013 organization and can perform almost any task against any Exchange 2013 object, with some exceptions. …is a very powerful role and as such, only users or … groups that perform organizational-level administrative tasks that can potentially impact the entire Exchange organization should be members of this role group.” • Members: 2 to 3 Exchange organization admin accounts (or less) Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  16. Exchange Rights & RBAC • Exchange has extensive rights throughout Active Directory. • Modify rights on most objects, including users and groups (even admins). • Except AdminSDHolder protected groups/users. • Access provided through Exchange groups (like Exchange Windows Permissions) • Migrated to O365? Great, all these permissions are still in AD. Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  17. Old Exchange Permissions Persist Upgrade after Upgrade… Exchange 2000  2003  2007  2010  2013  2016 Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  18. Microsoft System Center Configuration Manager (SCCM) • Originally SMS (not text messaging) • Granular delegation was a challenge, better in SCCM 2012. • Role-Based Access breakout • All Desktops - Workstation Assets • All Servers - Server Assets • Typically manages (& patches) all Windows systems • Workstations • Servers • Domain Controllers Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  19. 3rd Party Product Permission Requirements • Active Directory privileged • Domain user access rights • Operations systems access • Domain permissions • Mistaken identity – trust during install the installer • More access required • AD object rights than often needed. • Install permissions on • Initial start/run systems permissions • Needs System rights • Needs full AD rights Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  20. 3rd Party Product Permission Requirements • D omain user access • A ctive Directory privileged • O perations systems access rights • D omain permissions during • M istaken identity – trust install the installer • A D object rights • M ore access required than often needed. • I nstall permissions on • I nitial start/run permissions systems • N eeds System rights • N eeds full AD rights Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  21. Over-permissioned Delegation • Use of built-in groups for delegation • Clicking the "easy button": Full Control at the domain root. • Let's just "make it work" • Delegation tools in AD are challenging to get right Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  22. Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  23. Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  24. Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  25. Active Directory & the Cloud • AD provides Single Sign On (SSO) to cloud services. • Some directory sync tools synchronizes all users & attributes to cloud service(s). • Most sync engines only require AD user rights to send user and group information to cloud service. • Most organizations aren’t aware of all cloud services active in their environment. • Do you know what cloud services sync information from your Active Directory? Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  26. Azure AD Connect • Filtering – select specific objects to sync (default: all users, contacts, groups, & Win10). Adjust filtering based on domains, OUs, or attributes. • Password synchronization – AD pw hash hash ---> Azure AD. PW management only in AD (use AD pw policy) • Password writeback - enables users to update password while connected to cloud resources. • Device writeback – writes Azure AD registered device info to AD for conditional access. • Prevent accidental deletes – protects against large number of deletes (enabled by default). feature is turned on by default and protects your cloud directory from numerous deletes at the same time. By default it allows 500 deletes per run. You can change this setting depending on your organization size. • Automatic upgrade – Keeps Azure AD Connect version current (express settings enabled by default). Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  27. Express Permissions for Azure AD Connect Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  28. Express Permissions for Azure AD Connect DEF CON 25 (July 2017) Sean Metcalf (@PyroTek3) TrimarcSecurity.com

  29. DCSync Sean Metcalf (@PyroTek3) TrimarcSecurity.com

Recommend

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min Introduction Active Directory context NT inheritance SAM (Security Account Manager, Samba V3) Active Directory (2000 2003)

429 views • 27 slides
Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus Works mostly in Infrastructure security. Passionate about offensive security. CRTE and CRTP certified. Member of DEF CON Trivandrum

457 views • 18 slides
Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active Directory Disasters) Guido Grillenmeier Senior Consultant Technology Solutions Group Hewlett-Packard Agenda What is a Disaster? Authoritative

363 views • 19 slides
Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in Azure Active Directory (https://azure.microsoft.com/en- us/services/active-directory/) using the Azure Resource Manager API's. Documentation regarding

925 views • 46 slides
all at once with Azure Active Directory Etan Basseri Senior Program Manager Identity Engineering

all at once with Azure Active Directory Etan Basseri Senior Program Manager Identity Engineering

Identity, Security and Collaboration, all at once with Azure Active Directory Etan Basseri Senior Program Manager Identity Engineering Microsoft 365 Enterprise Office 365 Windows 10 Enterprise Mobility Enterprise Enterprise + Security

503 views • 7 slides
Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

25. DECUS Symposium 16.04.2002 Windows.NET Beta 3 Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features Active Active Directory New Features Wolfgang Werner Wolfgang Werner Compaq Compaq Decus Bonn

588 views • 31 slides
Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory Terms Domain: A directory of users, groups, roles, etc... User: An individual accounts Group: A collection of other users and groups Role: Something that

492 views • 22 slides
Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

21/05/2013 Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers (ADUC) Active Directory Users and Computers (ADUC) After installing AD DS, the next task is to create your Organizational Units,

535 views • 41 slides
How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15

How to impress your management when you are an Active Directory noob? Vincent LE TOUX 15:15 -> 16:00 #RomHack2019 28th of September 2019 in Rome Whoami Vincent LE TOUX https://www.pingcastle.com / @mysmartlogon Management (Architect,

584 views • 35 slides
Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory

Speeding up Samba by backing up Experiences in implementing and optimizing Active Directory features in Samba What has been done in the last year? Samba 4.9 Password and membership change auditing LMDB back-end (semi-experimental)

1.06k views • 49 slides
Certificate Directory for SIP Cullen Jennings fluffy@cisco.com SIP Security & SMIME SIP

Certificate Directory for SIP Cullen Jennings fluffy@cisco.com SIP Security & SMIME SIP

Certificate Directory for SIP Cullen Jennings fluffy@cisco.com SIP Security & SMIME SIP Security depends on S/MIME with user certificates Encryption of SDP (and keys for SRTP) Refer Identity Request History End to

275 views • 5 slides
Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick Mike Dorman cjellick@godaddy.com mdorman@godaddy.com Go Daddy OpenStack Cloud Platform Group Agenda OpenStack at Go Daddy Keystone

875 views • 28 slides
Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500

Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500

Zoho Corporation Bootstrapped and profitable 2018 6,500 Employees 65% Fortune 500 35 million users 2001 2005 1996 190+ countries IT service Active Directory management management Help desk Active Directory

516 views • 26 slides
Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve,

352 views • 14 slides
Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and looks up entries that match attribute-based specifications (e.g., Microsoft's Active Directory Service, X.500 and LDAP) Case Study - X.500

515 views • 12 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core Coherence Socrates Demetriades and Sangyeun Cho 20 th Interna+onal Symposium On High Performance

782 views • 31 slides
Modernizing Active Directory Manage Business Transformation Initiatives in a rapidly evolving

Modernizing Active Directory Manage Business Transformation Initiatives in a rapidly evolving

Modernizing Active Directory Manage Business Transformation Initiatives in a rapidly evolving business environment Digital Business Transformation IT is now a part of the All industries are New business business, not just undergoing a

394 views • 20 slides
Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active

Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active

Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob

2.08k views • 160 slides
Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/ Talks at SambaXP/SDC 2017 Last year I gave talks

388 views • 27 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights Directory of accurate, trusted provider data available to vetted healthcare entities (Not consumer-facing) Authoritative data sources that feed the

529 views • 11 slides

More recommend