Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security

Presentation transcript:

AN INTRODUCTION Kerberos Underworld

The topics
- The hell of Windows authentication mechanisms
- Basic, NTLM, Kerberos
- Certificates and smart cards or tokens
- How they work differently
- What is better or worse
- Weird and weirder things that you may not know

And the environment
- Windows 2000 and newer Active Directory domains
- Maybe some trusts or multidomain forests
- Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers

NETWORK INTERACTIONS

Local Logon (diagram). Labels: DC, Client, Kerberos, LDAP, SMB, TGT: User, GPO List, GPO Download, TGS: LDAP, CIFS

CTRL-ALT-DEL Password
- Password is stored in memory only
- LSASS process
- In the form of MD4 hash
- never given out

Authentication Interactions in General (diagram). Labels: DC, Client, Kerberos, Server, App Traffic, DC, SMB, D/COM, TGT: User, In-band, TGS: Server, NTLM, Occasional PAC Validation, TGS: Server, D/COM Dynamic TCP, NTLM Pass-through

The three authentication methods
- Basic: plain-text password; results in Kerberos authentication
- NTLM: hashed password (MD4); method from the past; LM (DES), NTLM (DES), NTLMv2 (MD5)
- Kerberos: hashed password (MD4) plus RC4/DES or AES; mutual authentication and delegation; can use certificates instead of passwords

Basic and RDP Network Logon (diagram). Labels: DC, Client, Server, App Traffic, DC, In-band clear text, Kerberos, TGT: User

NTLM Network Logon (diagram). Labels: DC, Client, Server, App Traffic, DC, SMB, D/COM, In-band NTLM hash, Pass-through NTLM hash, D/COM Dynamic TCP

Kerberos Network Logon (basic principle) (diagram). Labels: DC, Client, Kerberos, Server, App Traffic, TGT: User, In-band, TGS: Server

Kerberos Network Logon (complete) (diagram). Labels: DC, Client, Kerberos, Server, App Traffic, DC, SMB, D/COM, TGT: User, In-band, TGS: Server, Occasional PAC Validation, TGS: Server, D/COM Dynamic TCP

PERFORMANCE COMPARISON

NTLM Network Logon (CPU load diagram). Labels: DC, Client, Server, DC, % CPU, 55 % CPU

Kerberos Network Logon, no PAC Validation (CPU load diagram). Labels: DC, Client, Server, DC, % CPU, 0 % CPU

Kerberos Network Logon with PAC Validation (CPU load diagram). Labels: DC, Client, Server, DC, % CPU, 0 % CPU, 14 % CPU

Basic Authentication (CPU load diagram). Labels: DC, Client, Server, DC, % CPU, 0 % CPU

NTLM Performance Issues (diagram). Labels: DC, Client, Server, 7 concurrent, Client, 40 sec.

NTLM Trusts (diagram). Labels: DC B, D\User, A\Server, DC A, DC C, DC D

Kerberos Trusts (diagram). Labels: DC B, D\User, A\Server, DC A, DC C, DC D

WE WANT KERBEROS, SO WHAT?

Basic Facts
- Do not use IP addresses
- Configure SPN (service principal name)
- Have time in sync
- Use trusted identities to run services on Windows 2008 and newer instead of AD user accounts (no PAC validation)
- Enable AES with Windows 2008 DFL

Trusted Identities – Network Service

Trusted Identities – Service Accounts

Trusted Identities – AppPoolIdentity

Trusted Identities – Managed Service Account

IDENTITY ISOLATION FOR SERVICES

Identity Isolation
- Services on a single machine
- Services that access other back-end services

Windows Identities
Identity | Password | PAC Validation | Local Isolation | Network Isolation | Operating System
SYSTEM | random, changed every 30 days | no | Administrators, no isolation | no | 2000
AD User Account | administrator changed ??? | yes | Users, isolated | yes | 2000
Network Service | random, changed every 30 days | no | Users, no isolation | no | XP
Local Service | no network credentials | no | Users, no isolation | no | XP
Service Account | random, changed every 30 days | no | Users, isolated | no | Vista / 2008
Managed Service Account | random, changed every 30 days | no | Users, isolated | yes | 2008 R2

SMART CARD LOGON

Smart Card Logon (diagram). Labels: DC, Client, Kerberos PKINIT, Server, App Traffic, DC, TGT: User, TGS: Server

Smart Card Logon and NTLM (diagram). Labels: DC, Client, Server, NTLM Hash, DC, TGT: User, TGS: Server, NTLM Hash

DELEGATION

Basic Delegation (diagram). Labels: Client, Front-End Server, Back-End Server, DC, Password, TGS: Back-End, TGT: User

Kerberos Delegation Options

Kerberos Delegation (Simplified) (diagram). Labels: DC, Client, TGT: User, TGS: Front-End, Front-End Server, Back-End Server, DC, TGS: Front-End, TGS: Back-End

Protocol Transition (diagram). Labels: Client, Front-End Server, Back-End Server, DC, TGS: Back-End, Nothing, Kamil

GROUP MEMBERSHIP

Group Membership Limits
- AD Group in forest with 2000 FFL: 5000 direct members limit
- AD Group in forest with FFL: unlimited membership
- Kerberos Ticket: network transport limited to 8 kB on 2000 and XP, up to 12 kB on
- HTTP.SYS header limits: 16 kB of Base-64 encoded tickets
- Access Token: local representation of a logon, up to 1025 groups including local and system

Kerberos Ticket (PAC)
User: Kamil, S-1-5-Prague-1158
Group | Scope | Domain / SID | Size
Prague Marketing | Global | 3082 | 8 Bytes
Prague Sales | Global | 3083 | 8 Bytes
Paris Visitors | Domain Local | Paris, S-1-5-Paris | Bytes
Roma IS | Domain Local | Roma, S-1-5-Roma | Bytes
Prague Documents | Domain Local | IDTT, S-1-5-Prague | Bytes
Business Owners | Universal | IDTT | Bytes
Employees | Universal | Paris, S-1-5-Paris | Bytes
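The two slides above give the limits and one sample PAC but not the arithmetic between them. The following is an added example, not code from the deck: it estimates a user's ticket size from the group list and reports which of the quoted limits (8 kB, 12 kB, and 16 kB of Base-64 in HTTP headers) it would break. The per-group costs and the 1200-byte base come from Microsoft's published sizing estimate (KB327825), not from the slide; the 8 Bytes per global group does match the PAC table, and Kamil's group list is constructed from it.

```python
# Added example, not from the slides: estimate how a user's Kerberos ticket (PAC)
# grows with group membership and compare it with the limits quoted on the
# "Group Membership Limits" slide (8 kB, 12 kB, 16 kB of Base-64 in HTTP headers).
# Sizing follows Microsoft's published estimate (KB327825): 1200 + 40*d + 8*s, where
#   d = domain local groups + universal groups outside the account domain (+ sIDHistory
#       entries), each carried as a full SID;
#   s = global groups + universal groups in the account domain, carried as RIDs only.
from collections import namedtuple

BASE_BYTES, FULL_SID_BYTES, RID_BYTES = 1200, 40, 8

# Round figures from the slide; only the HTTP.SYS limit applies to the Base-64 form.
LIMITS = {
    "ticket on Windows 2000/XP (8 kB)": (8 * 1024, False),
    "ticket (12 kB)": (12 * 1024, False),
    "HTTP.SYS header, Base-64 (16 kB)": (16 * 1024, True),
}

# scope is "Global", "Domain Local" or "Universal"; domain is the group's owning domain.
Group = namedtuple("Group", "name scope domain")

def pac_size_estimate(user_domain, groups, sid_history=0):
    """Estimated PAC/token size in bytes for a user whose account is in user_domain."""
    s = d = 0
    for g in groups:
        if g.scope == "Global" or (g.scope == "Universal" and g.domain == user_domain):
            s += 1                      # same-domain group: RID + attributes
        elif g.scope in ("Domain Local", "Universal"):
            d += 1                      # full SID + attributes
        else:
            raise ValueError(f"unknown group scope: {g.scope}")
    return BASE_BYTES + FULL_SID_BYTES * (d + sid_history) + RID_BYTES * s

def base64_size(raw):
    """Size after Base-64 encoding: 4 output characters per 3 input bytes, padded."""
    return 4 * ((raw + 2) // 3)

def exceeded_limits(user_domain, groups, sid_history=0):
    """Names of the slide's limits that the estimated ticket would break."""
    raw = pac_size_estimate(user_domain, groups, sid_history)
    return [name for name, (limit, b64) in LIMITS.items()
            if (base64_size(raw) if b64 else raw) > limit]

# Constructed from the "Kerberos Ticket (PAC)" slide; Kamil's account is in Prague.
KAMIL = [Group("Prague Marketing", "Global", "Prague"), Group("Prague Sales", "Global", "Prague"),
         Group("Paris Visitors", "Domain Local", "Paris"), Group("Roma IS", "Domain Local", "Roma"),
         Group("Prague Documents", "Domain Local", "IDTT"), Group("Business Owners", "Universal", "IDTT"),
         Group("Employees", "Universal", "Paris")]
```

Kamil's seven groups come to an estimated 1416 bytes, far below every limit; it is domain local and cross-domain universal groups, at 40 bytes each, that push a ticket past the 8 kB and 16 kB marks long before the 1025-SID token limit is reached.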

TAKEAWAY

Takeaway
- Kerberos is most secure, flexible and performance efficient
- Don’t be afraid and play with them!
Ondrej Sevecek | MCM: Directory | MVP: Security

Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!