Lawrence Livermore National Laboratory A system for strong local account management. SLAM David Frye Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
The Subject: Local Accounts All computers have a local account database Allows people or code to authenticate locally Enable access to resources locally At least 1 administrator (full permissions) Maintained independently No linkage to Active Directory No centralized management UCRL: LLNL-PRES
The Problem: Common Passwords Admin Password typically set build time Typically the same on all machines (imaging) Password is seldom if ever changed Often neglected when joined to Domain UCRL: LLNL-PRES
The Problem: Illustrated Typical AD Environment Machines built from images Local Administrator enabled Password is common UCRL: LLNL-PRES
The Problem: Illustrated Machine hack = site hack AD is immune AD can’t help Hacker UCRL: LLNL-PRES
Disable Local Accounts? Offline without cached credentials Temporary administration Scientists on travel w/ need to install sw. Dropped from domain OS Virtualization Re-enable via Recovery Console requires physical access. UCRL: LLNL-PRES
The Options: Disable all local accounts Best option Not feasible in most environments Deny “Access This Computer From The Network” Force physical login Kills remote management capability Enabled accounts with common static passwords Most typical Most dangerous Other options Commercial solutions (expensive) UCRL: LLNL-PRES
Strong Local Admin Manager (SLAM) Dynamic/Unique Passwords Centralized Recovery No Centralized Password Storage No Specialized Authorization No Dedicated Infrastructure* UCRL: LLNL-PRES
Dynamic/Unique Passwords Unique Computer AD Attribute Master Key Strong Unique Value How it works: Computer Last Password Change Date + GUID SHA-256 HMAC Crypto-Random 256 bits RSA 1024 bit encrypted Local Administrator Password UCRL: LLNL-PRES
Centralized Recovery How it works: OU Administrator uses AD Users & Computers (ADUC) Custom Context Menu Option for SLAM Recovery ADUC connects to Web Service & returns password UCRL: LLNL-PRES
No Centralized Password Storage How it works: Passwords are NOT random Passwords are calculated Only the master hashing key & computer password change dates are stored No Specialized Authorization How it works: SLAM Recovery leverages existing authorization in AD Permissions Required: Full Control of computer object UCRL: LLNL-PRES
SLAM Infrastructure SLAM ClientAD OU Administrator Small.NET app Daily process Requests new Local Admin Pwd Creates local account if needed Computer Password Change Date Master Key ADUC Checks for recently expired Computer pwd Checks for recently recovered Admin pwd Validates Authorization Calculates and returns password SSL Web Service SSL Copy to clipboard Historical passwords Print UCRL: LLNL-PRES
SLAM LLNL Developed in April 2008 by David Frye and Joe Taitt Started deployment in June 2008 Became mandated in 2009 for all unclassified Windows computers (except DCs) ~9,000 Total SLAM Clients ~200 Password Recoveries per Month UCRL: LLNL-PRES
SLAM Next Steps SLAM Client for MAC (Daniel Hoit) Client is developed & currently in test Remove/Disable non-SLAM local accounts Necessary next step to gain full benefit Need exception policies and procedures Need to be careful UCRL: LLNL-PRES
Questions on SLAM? UCRL: LLNL-PRES