Bezpečnost Windows pro pokročilé: zajímavosti a UAC GOPAS: | | Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator | |

Specialties and demos Advanced Windows Security

Too many SIDs in access token  Access token can accumulate only up to 1025  More than that, user cannot log on cannot create the access token 0xC000015A = STATUS_TOO_MANY_CONTEXT_IDS  But the Account Logon Event will appear on DC as Kerberos authentication works fine

Translating SIDs in PowerShell 'S ', 'S ' | n = 'SID' ; e = { $_ } n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTA ccount')).Value } } 'Administrators', 'NT AUTHORITY\Network Service' | n = 'Name' ; e = { $_ } n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } } $rxSID = '[Ss]-1(?:-\d+){1,}' [regex]::Match('This SID S has been detected', $rxSID).Value

Deleted domain user accounts  AD LDAP replication requires tombstone technology  All deleted objects remain in the database tombstone lifetime 60/180/360 days or anything configured manually  SID, samAccountName

Enumerating all users and groups in PowerShell ( ) | % { "S $_" } | n = 'SID' ; e = { $_ } n = 'Name' ; e = { (New- Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTA ccount')).Value } } | ? { $_.Name -ne $null }

Example IIS app pool identity  Running IIS application pool under Network Service enables it to receive authenticated traffic from network  It also allows it to access network authenticated as the computer domain account  Running IIS application pool under Local Service prevents remote access

User Account Control Advanced Windows Security

Restricted Users  Users often work as local Administrators users on workstations/notebooks local administrators on servers  We may want restrict their default permissions and rights allow them to elevate if required  Does not apply for remote (network) connections

UAC Options on Windows 7

UAC Options on Windows 8  Only display settings  You must use the policy

Restricting Local Administrators  Windows XP and newer can restrict local Administrators enforced by default on Windows Vista+ must use Run As on Windows XP  LSASS can issue restricted access token Administrators and Domain Admins groups are marked as Deny Only basic user rights enabled  LSASS maintains two separate Kerberos ticket caches

“Deny” Groups in Access Token  User is not member of the group for Allow ACEs if something is granted to the group, it does not apply  User is member of the group for Deny ACEs if something is explicitly denied to the group, it still applies not a common case for Administrators, but still good to know

Deny Group in Access Token

UAC on Windows XP and 2003

Děkuji za pozornost GOPAS: | | Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator | |