Tactic 1: Adopt Least Privilege

Presentation transcript:

Tactic 1: Adopt Least Privilege
Zaid Arafeh, Clare Kearney, Microsoft Services Cybersecurity

Agenda
- Part I: Understanding Tier-0
- Part II: Minimizing Privilege

Part I – Understanding Tier-0

The Tier Model

AD Forest:
- Tier-0: the AD service and its security dependencies (global access control)
- Tier-1: AD data, enterprise data and services
- Tier-2: devices and users

- AD Service: any AD configuration item or securable object with sufficient privilege to alter access control decisions globally in AD
- AD Data: any AD securable object

Speaker notes (Zaid): How would an organization separate out their assets by tiers? If this doesn't exist today, what does it take from an implementation perspective to get to the model you just reviewed? Let's look at how tier separation and AD control categories have an important role during an attack...

5/6/2018 1:24 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Central Control vs Function Control

Different body parts control different functions of the body. The brain controls all those body parts and therefore all the functions.

AD Service Management vs AD Data Management

AD Forest: the AD Service (AD control) sits above the AD Data, which is split by business area: IT, Accounting, PR, HR, Legal, Sales.

Similarly, different AD data (securable object) managers can manage different parts of the organization. The AD service owners can manage and control all of AD's data. AD data makes up the business' digital assets.

What makes up tier-0?

Principals that control the AD service, either directly or indirectly.

- Principals: user objects, security groups, servers, workstations, ...
- Control: Take Ownership, Change ACLs, Read Secrets, Full Write, ...
- AD Service: DCs, privileged groups, domain GPOs, configuration, NTDS.DIT, ...

Any principal that can control the AD service is tier-0.

Examples of tier-0 components
- The Domain Admins group
- Members of the Backup Operators group
- A Domain Controller (DC)
- A virtualization host running a DC
- A Config Manager server managing a DC

Napoléon Bonaparte (1769 - 1821): "Fire must be concentrated on one point, and as soon as the breach is made, the equilibrium is broken and the rest is nothing."

In a Microsoft-based environment this point is Tier-0. Minimize the size of its surface to make it harder to aim at, and harden it.

Securing AD

1. Privilege reduction: ensuring that the size of tier-0 is kept to a minimum. Ex:
- Minimize members of tier-0 groups
- Minimize security dependencies
- Remove unnecessary Access Control Entries in AD
- Remove unnecessary User Rights on DCs

2. Effectively protecting tier-0 components. Ex:
- Protect tier-0 users against credential theft
- Harden Domain Controllers
- Harden domain security requirements

Consider all Tier-0 components to be equally powerful, and treat them as such.

AD Service Management
- Backing up DCs
- Managing DC GPOs
- Managing Trusts
- Patching DCs
- Managing Schema
- Managing Sites

AD Service Management: what each task enables an attacker to do
- Backing up DCs: steal NTDS.DIT
- Managing DC GPOs: deploy malware
- Managing Trusts: SID History attacks
- Patching DCs: disguise legit tools as updates to call malware
- Managing Schema: change default security descriptors
- Managing Sites: link a malicious GPO to an entire site

Part II – Privilege Reduction

Guiding Principles

- For built-in tier-0 groups: use built-in groups sparingly and only for managing tier 0.
- For resource management: delegate privileges over target resources only.
- For tier management: if tier management is needed, manage only one tier at a time, with the appropriate account.
- For service accounts: if possible, replace domain accounts with local service identities; otherwise, follow least privilege and the tier model. The service identity contexts are Local Service, Network Service or System.

Dealing with default Tier-0 Groups

Administrators, Domain Admins, Enterprise Admins, Schema Admins, Backup Operators, Server Operators, Print Operators, Account Operators.

Those are the groups that allow members to control the AD service. There are other risky groups, but they don't directly grant tier-0 capabilities. Here's the breakdown:

- Administrators: this is where your AD and DC admins belong.
- Domain Admins: this group can directly control any machine in the domain, and indirectly in the enterprise. This includes domain controllers, by virtue of membership in the Administrators group. Do not use this group, since it traverses all tiers and breaks the separation. Instead, use the built-in Administrators group for managing domain controllers. Leave the built-in Administrator account in the Domain Admins group for supportability. Use this hotfix to grant Administrators the right to create GPOs by default: https://support.microsoft.com/en-us/kb/321476
- Enterprise Admins: leave this group empty. Only add a user account to it temporarily to perform enterprise-wide functions.
- Schema Admins: leave this group empty. Only add a user account to it temporarily to make schema changes.
- Backup Operators: keep it empty.
- Server Operators
- Print Operators: official description: "Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain."
- Account Operators: a very tricky one. By default it cannot control default admins, but the problem is that it can control default admins. It is best to delegate permissions instead of using this group.
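As an added example (not from the presentation), the following PowerShell checks the default tier-0 groups against the guidance above: the groups that should be empty, and Domain Admins, which should hold only the built-in Administrator account. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to AD.

```powershell
# Added example: audit default tier-0 group membership against the guidance.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Well-known RID 500 is the built-in Administrator account of this domain.
$builtinAdminSid = "$($domain.DomainSID.Value)-500"

# Groups the guidance says to keep empty (Administrators is the one group
# that is expected to hold the AD/DC admins, so it is listed for review only).
$mustBeEmpty = 'Enterprise Admins', 'Schema Admins', 'Backup Operators',
               'Server Operators', 'Print Operators', 'Account Operators'
$onlyBuiltinAdmin = 'Domain Admins'

$findings = foreach ($group in ($mustBeEmpty + $onlyBuiltinAdmin)) {
    try {
        # Direct members only, so nested groups show up as objectClass 'group'.
        $members = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
    } catch {
        # Enterprise/Schema Admins only exist in the forest root domain.
        Write-Warning "Could not read group '$group': $_"
        continue
    }
    foreach ($m in $members) {
        $allowed = ($group -eq $onlyBuiltinAdmin) -and ($m.SID.Value -eq $builtinAdminSid)
        if (-not $allowed) {
            [pscustomobject]@{
                Group   = $group
                Member  = $m.SamAccountName
                Class   = $m.objectClass
                Finding = 'Unexpected member of a tier-0 group'
            }
        }
    }
}

"Members of Administrators (review that every entry is an AD/DC admin):"
Get-ADGroupMember -Identity 'Administrators' | Select-Object SamAccountName, objectClass

if ($findings) { $findings | Format-Table -AutoSize }
else { 'All default tier-0 groups match the guidance.' }
```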

Request – Give me Domain Admin!

Sample scenario – what would you do? The slide diagram shows an IdM service account requesting Domain Admins; Domain Admins has inherent control over the AD service and over the AD data, contrasted on the diagram as "asset control" versus "no asset control".

Response – Let's talk about least privilege :)

Same diagram as the request: the IdM service account, Domain Admins, inherent control over the AD service and AD data, asset control versus no asset control.

An exception to this would be applications that actually require Domain Admin equivalent. In such a case you have to evaluate the risk and weigh it against the value of the application.

Action Items
- Minimize privileged group membership
- Configure alerting on privileged groups
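As an added example (not from the presentation) of the second action item, this PowerShell pulls membership additions to the default tier-0 groups out of a domain controller's Security log. It assumes "Audit Security Group Management" (Advanced Audit Policy, Account Management) is enabled and that it runs on a DC with rights to read the Security log.

```powershell
# Added example: list additions to default tier-0 groups from the Security log.
# Assumes Audit Security Group Management is enabled and the script runs on a DC.
$tier0Groups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
               'Backup Operators', 'Server Operators', 'Print Operators', 'Account Operators'

# 4728 = member added to a security-enabled global group    (e.g. Domain Admins)
# 4732 = member added to a security-enabled local group     (e.g. Administrators)
# 4756 = member added to a security-enabled universal group (e.g. Enterprise Admins)
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-24) }

# Get-WinEvent throws when nothing matches; SilentlyContinue turns that into no output.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the modified group; MemberSid/MemberName is the added principal.
    if ($tier0Groups -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $data['TargetUserName']
            MemberSid = $data['MemberSid']
            MemberDN  = $data['MemberName']
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

This is a one-off query; for real alerting, forward the same three event IDs from every DC to the SIEM and alert on any hit where the group is one of the tier-0 names above.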

Coming up next Tactic #2: Protect Privileged Identities

Resources
- AD ACL Scanner Tool by Robin Granberg
- Active Directory Group Descriptions
- Need help from Microsoft Services Cybersecurity? CyberRFI@microsoft.com