Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tactic 1: Adopt Least Privilege

Published byBernard Peregrine Simpson Modified over 6 years ago

Similar presentations

Presentation on theme: "Tactic 1: Adopt Least Privilege"— Presentation transcript:

1 Tactic 1: Adopt Least Privilege
Zaid Arafeh, Clare Kearney Microsoft Services Cybersecurity

2 Agenda Part I: Understanding Tier-0 Part II: Minimizing Privilege

3 Part I –Understanding Tier-0

4 The Tier Model AD Forest AD Service & Tier-0 Dependencies Tier-1
5/6/2018 1:24 AM The Tier Model AD Forest Security Dependencies AD Service AD Service & Dependencies Tier-0 Global Access Control Tier-1 AD Data Enterprise Data & Services AD Service: Any AD configuration item or securable object with sufficient privilege to alter access control decisions globally in AD AD Data: Any AD securable object Zaid - How would an organization separate out their assets by tiers? If this doesn’t exist today, what does it take from an implementation perspective to get to this model you just reviewed? Let's look at how tier separation and AD control categories have an important role during an attack… Tier-2 Devices and Users © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5 Central Control vs Function Control
5/6/2018 1:24 AM Central Control vs Function Control Different body parts control different functions of the body. The brain controls all those body parts and therefore all the functions © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 AD Forest AD Service Management vs AD Data Management AD Service
AD Data - IT AD Data - Accounting AD Data - PR AD Data - HR AD Service AD Data - Legal AD Data - Sales Similarly, different AD data (securable objects) managers can manager different parts of the organization. The AD Service owners can manage and control all of AD’s data. AD data _makes up _ the business’ digital assets AD Control © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 5/6/2018 1:24 AM What makes up tier-0? Principals that control the AD service either directly or indirectly Principals Control User Objects Security Groups Servers Workstations Take Ownership Change ACLs Read Secrets Full Write Any principal who can control the AD Services AD Service DCs Priv Groups Domain GPOs Configuration NTDS.DIT © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Examples of tier-0 components
The Domain Admins group Members of the Backup Operators group A Domain Controller (DC) A virtualization host running a DC A Config Manager server managing a DC

9 5/6/2018 1:24 AM Napoléon Bonaparte “Fire must be concentrated on one point, and as soon as the breach is made, the equilibrium is broken and the rest is nothing” In a Microsoft based environment this point is Tier-0. Minimize the size of its surface to make it harder to aim at and harden it. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10 Securing AD Ensuring that the size of tier-0 is kept to a minimum. Ex:
Minimize members of tier-0 groups Minimize security dependencies Remove unnecessary Access Control Entries in AD Remove unnecessary User Rights on DCs Effectively protecting tier-0 components. Ex: Protect tier-0 users against credential theft Harden Domain Controllers Harden domain security requirements 1 Privilege Reduction 2 © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 Consider all of Tier-0 components to be equally powerful And treat them as such

12 AD Service Management Backing-up DCs Managing DC GPOs Managing Trusts
5/6/2018 1:24 AM AD Service Management Backing-up DCs Managing DC GPOs Managing Trusts Patching DCs Managing Schema Managing Sites © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13 AD Service Management Backing-up DCs Managing DC GPOs Managing Trusts
5/6/2018 1:24 AM AD Service Management Backing-up DCs Managing DC GPOs Steal NTDS.DIT Deploy Malware Managing Trusts Patching DCs SID History attacks Disguise legit tools as updates to call malware Managing Schema Managing Sites Change default security descriptors Link malicious GPO to entire site © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14 Part II – Privilege Reduction

15 Guiding Principles For Built-in Tier-0 Groups For resource management
5/6/2018 1:24 AM Guiding Principles For Built-in Tier-0 Groups Use Built-in groups sparingly and only for managing tier 0 For resource management  Delegate privileges over target resources only For tier management If tier management is needed, manage only one tier at a time with the appropriate account For service accounts If possible, replace domain accounts with a local service identities Otherwise, follow least privilege and the tier model Service identity context are local service, network service or system © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16 Dealing with default Tier-0 Groups
5/6/2018 1:24 AM Dealing with default Tier-0 Groups Administrators Domain Admins Enterprise Admins Schema Admins Backup Operators Server Operators Print Operators Account Operators Those are the groups that will allow members to control the AD service. There are other risky groups, but their don’t directly grant you tier-0 capabilities. Here’s the breakdown Administrators This is where your AD and DC admins belong Domain Admins This group can directly control any machine in the domain, and indirectly in the enterprise. This includes domain controllers by virtue of membership in the administrators group. Do not use this group since it traverses all tiers and breaks the separation. Instead, use the built-in administrators group for managing domain controllers. Leave the build in administrator account in the domain admins group for supportability. Use this hotfix to grant Administrators the right to create GPOs by default. us/kb/321476 Enterprise Admins Leave this group empty. Only add a user account to it temporarily to perform Enterprise wide functions. Schema Admins Leave this group empty. Only add a user account to it temporarily to make schema changes Backup Operators’ Keep it empty Server Operators Print Operators Official Description “Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain” Account Operators Very tricky ones. By default cannot control default admins, but the problem is it can control default admins. It is best to delegate permission instead of using this group © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17 Request – Give me Domain Admin!
5/6/2018 1:24 AM Request – Give me Domain Admin! IdM service account AD Service Domain Admins Inherent Control AD Data Sample scenario – what would you do? Asset Control No Asset Control © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 Response – Let’s talk about least privilege :)
5/6/2018 1:24 AM Response – Let’s talk about least privilege :) IdM service account AD Service Domain Admins Inherent Control AD Data An exception to this would be applications that _actually_ require domain admin equivalent. In such a case you have to evaluate the risk and weigh it against the value of the application Asset Control No Asset Control © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19 Action Items Minimize privileged group membership
Configure alerting on privileged groups

20 Coming up next Tactic #2: Protect Privileged Identities

21 Resources AD ACL Scanner Tool by Robin Granberg
Active Directory Group Descriptions Need help from Microsoft Services Cybersecurity?

22

Download ppt "Tactic 1: Adopt Least Privilege"

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Service Manager for MSPs

Service Manager for MSPs
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.

11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
CS603 Active Directory February 1, 2001.

CS603 Active Directory February 1, 2001.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Understanding Active Directory

Understanding Active Directory
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS

ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.
Access Control Lists and NTFS Permissions INFO333 – Lecture 4 2010 Mariusz Nowostawski Noria Foukia.

Access Control Lists and NTFS Permissions INFO333 – Lecture Mariusz Nowostawski Noria Foukia.

Similar presentations

Ads by Google