Taking Windows Security to the Next Level with Group Policy Alan Burchill M390
Agenda Pass the Hash (in 5 minutes) What’s changed with security in Group Policy? Managing local passwords (the new way)
Pass the Hash (PtH) Why should I care? 4
Pass-the-Hash Technique Fred’s Laptop Sue’s Laptop File Server Fred’s User Session Sue’s User Session User: Fred User: Sue Password hash: A3D7… Password hash: C9DF… Malware User Session User: Fred Malware User Session User: Sue User: Fred Hash:A3D7 User: Fred User: Sue Hash:C9DF Password hash: A3D7… Hash: A3D7 Hash: C9DF 1 2 3 Fred runs malware Malware infects Sue’s laptop as Fred Malware infects File Server as Sue
Typical Pass The Hash Attack Power: Domain Controllers Bad guy targets workstations en masse User running as local admin compromised, Bad guy harvests credentials. Bad guy uses credentials for lateral traversal Data: Servers and Applications Bad guy acquires domain admin credentials and associated privileges – privilege escalation Bad guy has direct or indirect access to read/write/destroy data and systems in the environment. Access: Users and Workstations
Tier Admin Access Tier 0 – Domain Admins Tier 1 – Server Admins TechEd 2013 4/25/2019 9:59 AM Tier Admin Access Tier 0 – Domain Admins Tier 1 – Server Admins Tier 2 – Workstation Admins Normal / Mortal Accounts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
TechEd 2013 4/25/2019 9:59 AM Tier Admin Access http://www.microsoft.com/en-us/download/details.aspx?id=36036 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Group Policy Preferences Passwords Were Bad http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx http://technet.microsoft.com/en-us/library/cc771917.aspx
What is a cPassword? Lightly obscure password stored in AD encrypted using 32bit DES that is readable by all authenticated users Decryption key is can be found at: http://msdn.microsoft.com/en-us/library/cc232587.aspx
Configuring cPasswords via UI is now disabled MS14-025
Why should I care now? Metasploit “This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsofts public AES key.”
So how do I manage my local password? LAPS – Local Admin Password Service
LAPS DEMO
This all I have to do right? No! “Price of freedom is eternal vigilance” http://www.microsoft.com/en-us/download/details.aspx?id=36036
Related Ignite NZ Sessions Required Slide *delete this box once you have listed content that is related to your session. Speakers, please list the other Breakout Sessions that relate to your session. Also indicate where and when they can find you, to continue the discussion. If you’re going to be at Hub Happy Hour (5.30-6.30pm Wed and Thu, let them know) Related Ignite NZ Sessions 1 5 Azure Consistent Service Delivery Overview NZ1 Wed 10:00am Security and Assurance Overview NZ4 Fri 9:00am 6 What’s New in System Centre for Management NZ1 Fri 11:00am 2 Server Virtualisation Overview NZ2 Wed 1:30pm 3 Networking Overview SKYCITY Theatre Thu 11:00am Find me later at… Hub Happy Hour Wed 5:30-6:30pm Hub Happy Hour Thu 5:30-6:30pm Closing drinks Fri 3:00-4:30pm 4 Storage Overview SKYCITY Theatre Thu 3:30pm
Resources Microsoft Virtual Academy TechNet & MSDN Flash 4/25/2019 Microsoft Virtual Academy Resources TechNet & MSDN Flash Free Online Learning http://aka.ms/mva Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz Sessions on Demand http://aka.ms/ch9nz © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Complete your session evaluation now and win! 4/25/2019 9:59 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4/25/2019 9:59 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.