Tactic 4: Defend Your Domain Controllers

Presentation transcript:

Tactic 4: Defend Your Domain Controllers Zaid Arafeh Microsoft Services Cybersecurity

Recap Tactic #3: Defend your Directory

Domain Controller Host

AD Control Categories:
- Domain Controller Host
- Credentials
- Security Dependencies
- Active Directory Data
- Active Directory Service

© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Part I – Harden Host-Based Privileges
- Attackers can leverage weak privileges
- Privileges are specific to the machine, and they are system-wide

Control on the Host

1. WHO CAN EXECUTE COMMANDS ON A DC? Ensure only authorized identities can execute commands on DCs:
- Logon rights (follow security baselines)
- PowerShell Remoting (check with Get-PSSessionConfiguration)
- WMI (COM permissions)
- Remote access tools (removal is highly recommended)
- IPC$ share (ex: PsExec)
- Network applications

2. WHAT PRIVILEGES CAN THEY EXECUTE WITH? Ensure only authorized identities have the following privileges:
- Back up files and directories
- Create a token object
- Debug programs
- Load and unload device drivers
- Restore files and directories
- Modify an object label
- Take ownership of files or other objects

Check the IPC$ share descriptor:
Get-SmbShare | Where-Object {$_.Name -eq 'IPC$'} | Select-Object 'SecurityDescriptor'
Expected output: O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)

Check who may connect to the PowerShell remoting endpoints:
Get-PSSessionConfiguration
Expected output for the PS and PS 32 endpoints: NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Assign User Logon Rights and Privileges in Accordance with Microsoft Baselines
- Keep DCs as close to a pristine state as possible
- Think of them as boxes that perform a certain function
- Don't log on to them directly
- Don't install software on them unless it's absolutely needed

User Rights Assignment

Establish Baselines
- Use Microsoft policy baselines (Microsoft Security Compliance Manager)
- Specify allowed applications; keep these to the bare minimum!
- Baseline the OS image (Microsoft Deployment Toolkit, MDT)

Hardened User Rights on a DC (right -- assignees; a blank means no one is assigned):
Access Credential Manager as a trusted caller --
Access this computer from the network -- NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system --
Add workstations to domain -- BUILTIN\Administrators
Adjust memory quotas for a process -- NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally -- BUILTIN\Administrators
Allow log on through Terminal Services -- BUILTIN\Administrators
Back up files and directories -- BUILTIN\Administrators
Change the system time -- BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
Change the time zone -- BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
Create a pagefile -- BUILTIN\Administrators
Create a token object --
Create global objects -- NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
Create permanent shared objects --
Create symbolic links -- BUILTIN\Administrators
Debug programs -- BUILTIN\Administrators
Deny access to this computer from the network -- BUILTIN\Guests, NT AUTHORITY\Local account
Deny log on as a batch job -- BUILTIN\Guests
Deny log on as a service -- BUILTIN\Guests
Deny log on locally -- BUILTIN\Guests
Deny log on through Terminal Services -- BUILTIN\Guests, NT AUTHORITY\Local account
Enable computer and user accounts to be trusted for delegation -- BUILTIN\Administrators
Force shutdown from a remote system -- BUILTIN\Administrators
Generate security audits -- NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication -- NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
Increase scheduling priority -- BUILTIN\Administrators
Load and unload device drivers -- BUILTIN\Administrators
Lock pages in memory --
Manage auditing and security log -- BUILTIN\Administrators
Modify an object label --
Modify firmware environment values -- BUILTIN\Administrators
Perform volume maintenance tasks -- BUILTIN\Administrators
Profile single process -- BUILTIN\Administrators
Profile system performance -- NT SERVICE\WdiServiceHost, BUILTIN\Administrators
Replace a process level token -- NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories -- BUILTIN\Administrators
Shut down the system -- BUILTIN\Administrators
Synchronize directory service data --
Take ownership of files or other objects -- BUILTIN\Administrators
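The following PowerShell audit script is an added example, not part of the presentation. It checks one DC against the expected values from the Control on the Host slide (IPC$ descriptor, remoting endpoint grants) and against the Administrators-only and unassigned privileges in the hardened user rights list above; it assumes it runs in an elevated session on the DC and that BUILTIN\Administrators is the well-known SID S-1-5-32-544, which is how secedit writes it.

```powershell
# Added example, not from the presentation: compare one DC's host controls with the slide values.
# Run in an elevated session on the DC. Assumption: BUILTIN\Administrators = *S-1-5-32-544 in secedit output.
$findings = @()

# 1. IPC$ share: expected SDDL from the slide (Administrators, Backup Operators, Interactive only)
$expectedIpc = 'O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)'
$ipcSddl = (Get-SmbShare -Name 'IPC$').SecurityDescriptor
if ($ipcSddl -ne $expectedIpc) { $findings += 'IPC$ descriptor differs from baseline: ' + $ipcSddl }

# 2. PowerShell remoting endpoints: only the three principals named on the slide may connect
$allowedRemoting = @('NT AUTHORITY\INTERACTIVE', 'BUILTIN\Administrators',
                     'BUILTIN\Remote Management Users')
foreach ($cfg in Get-PSSessionConfiguration) {
    # Permission is a string such as "BUILTIN\Administrators AccessAllowed, <next grant>, ..."
    $grants = ($cfg.Permission -split ',\s*') |
        Where-Object { $_ -match 'AccessAllowed$' } |
        ForEach-Object { $_ -replace '\s+AccessAllowed$', '' }
    $extra = @($grants | Where-Object { $allowedRemoting -notcontains $_ })
    if ($extra.Count) { $findings += "Endpoint $($cfg.Name) also allows: $($extra -join '; ')" }
}

# 3. Sensitive privileges: export the effective local policy and compare holders with the baseline
$adminOnly = @{ SeBackupPrivilege        = 'Back up files and directories'
                SeRestorePrivilege       = 'Restore files and directories'
                SeDebugPrivilege         = 'Debug programs'
                SeLoadDriverPrivilege    = 'Load and unload device drivers'
                SeTakeOwnershipPrivilege = 'Take ownership of files or other objects' }
$unassigned = @{ SeCreateTokenPrivilege = 'Create a token object'
                 SeRelabelPrivilege     = 'Modify an object label' }
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {          # lines look like: SeDebugPrivilege = *S-1-5-32-544
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $inf -Force
foreach ($p in $adminOnly.Keys) {
    $others = @($rights[$p] | Where-Object { $_ -and $_ -ne '*S-1-5-32-544' })
    if ($others.Count) { $findings += "$($adminOnly[$p]) also held by: $($others -join ', ')" }
}
foreach ($p in $unassigned.Keys) {   # secedit omits a privilege entirely when nobody holds it
    if ($rights[$p]) { $findings += "$($unassigned[$p]) should be unassigned but is held by: $($rights[$p] -join ', ')" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Host controls match the slide baseline.' }
```

Holders are reported as SIDs as secedit exports them; on a DC the privilege settings normally come from the Default Domain Controllers Policy, so fix deviations in Group Policy rather than locally.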

Part II – Protecting the Security Boundary
- Defines what we can make guarantees about
- The value of the boundary goes to 0 if a bug is unfixed
- You need to move stuff through the boundary according to a policy

Basic Windows security boundaries:
- Physical machines
- System virtual machines
- User sessions

Think of Domain Controllers as Appliance Machines
- Keep DCs as close to a pristine state as possible
- Think of them as boxes that perform a certain function
- Don't log on to them directly
- Don't install software on them unless it's absolutely needed

Verizon Data Breach Investigation Report 2015

Host Patching
- Install security updates a.s.a.p.
- Install all other updates within 90 days
- Keep antimalware up to date
- Patch third-party software, after you remove ALL unnecessary software
- Test updates in a lab
- Develop mitigation plans for updates that can't be installed
- Automate: Windows Software Update Services (WSUS), System Center Configuration Manager (SCCM)

Restrict Applications

AppLocker (note its limitations):
- Implement AppLocker whitelisting
- Thorough testing in Audit Mode is necessary
- Review NSA guidance on AppLocker

Code Integrity (Server 2016 feature):
- Helps protect against code injection and malware, and against administrators unintentionally running non-permitted code
- Powerful whitelisting technique for kernel and user mode
- Can use hardware-level security to protect the policy
- Test thoroughly and start with unsigned policies

Whitelisting on Domain Controllers protects against code-based attacks, not credential-based attacks.
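As an added example (not from the presentation), this is how the slide's advice on Code Integrity translates into an unsigned, audit-mode policy built from a pristine DC image with the ConfigCI cmdlets on Windows Server 2016, followed by the audit-log query that shows what enforcement would have blocked. The policy paths are placeholders.

```powershell
# Added example, not from the presentation. Assumes Windows Server 2016 with the ConfigCI
# module, run elevated on a freshly built DC; the XML path is a placeholder.
$policyXml = 'C:\CIPolicy\DC-Audit.xml'                           # placeholder working path
$policyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'     # location the kernel loads from

# Step 1: allow exactly what is on the pristine image. Signed files are trusted by file publisher,
# unsigned files fall back to a hash rule; -UserPEs extends the policy to user-mode binaries.
New-CIPolicy -Level FilePublisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $policyXml

# Step 2: rule option 3 = Enabled:Audit Mode, option 6 = Enabled:Unsigned System Integrity Policy.
# Both follow the slide: test thoroughly and start with unsigned policies before enforcing.
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 6

# Step 3: compile to the binary form and stage it; it takes effect at the next reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Step 4 (after the DC has run in audit mode for a while): every image the policy would have
# blocked is logged as event 3076 in the Code Integrity operational log. Review this list and
# add rules for legitimate software before removing audit mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } |
    Select-Object TimeCreated, Message |
    Sort-Object Message -Unique
```

Once the audit log stays clean, remove option 3 with Set-RuleOption -FilePath $policyXml -Option 3 -Delete, recompile, and redeploy to move the DC to enforcement.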

Network Access
- Enable the host-based firewall
- Disable Internet access
- Remove unnecessary services (ex: IIS)
- Restrict RDP access: restrict it to the Administrators group using User Rights Assignment
- Defense in depth

Protect Startup Components
- Unified Extensible Firmware Interface (UEFI) Secure Boot: only trusted pre-boot components are allowed
- Early Launch Antimalware (ELAM): choose an ELAM-compatible AV
- Measured Boot: allows for measuring startup component integrity

Physical Security

Physical Domain Controllers:
- BitLocker (TPM protection)
- Physical access control

Virtual Domain Controllers:
- Hyper-V fabric using Windows Server 2016 (supports existing 2012 VMs)
- Mitigates a number of security dependencies

Backups:
- Backups are a security dependency of AD
- Backups must be protected to the same extent as Domain Controllers
- Encrypt backups and control their storage and transportation

Physical security is not commonly used in cyber attacks, but it is definitely something to look out for.

Coming up next Tactic 5: Beware of Security Dependencies

Resources
- Shielded VMs session
- Sweet Device Guard
- Security Baselines for Win8.1/Server 2012 R2 by Aaron Margosis
- Microsoft Security Compliance Manager
- Microsoft guidance on running AppLocker (use on DCs)
- NSA guidance on AppLocker (for other machines)
- User Rights Assignments documentation

Need help from Microsoft Services Cybersecurity? CyberRFI@microsoft.com