
Tactic 4: Defend Your Domain Controllers



Presentation transcript:

1 Tactic 4: Defend Your Domain Controllers
Zaid Arafeh, Microsoft Services Cybersecurity

2 Recap Tactic #3: Defend your Directory

3 Domain Controller Host
6/19/2018 5:08 AM
AD Control Categories:
- Domain Controller Host
- Credentials
- Security Dependencies
- Active Directory Data
- Active Directory Service
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Part I – Harden HOST Based PRIVILEGES
- Attackers can leverage weak privileges
- Privileges are specific to the machine, and they are system-wide

5 Control on the Host
1. Who can execute commands on a DC?
- Logon rights
- PowerShell Remoting
- Remote access tools
- IPC$ share
- WMI
- Network applications
2. What privileges can they execute with?
- Back up files and directories
- Create a token object
- Debug programs
- Load and unload device drivers
- Restore files and directories
- Modify an object label
- Take ownership of files or other objects
Ensure only authorized identities can execute commands on DCs:
- Logon rights (follow security baselines)
- PowerShell Remoting (Get-PSSessionConfiguration)
- WMI (COM permissions)
- Remote access tools (removal is highly recommended)
- IPC$ share (ex: PsExec)
Ensure only authorized identities hold the privileges listed above.
Checks:
Get-SmbShare | Where-Object {$_.Name -eq 'IPC$'} | Select-Object 'SecurityDescriptor'
Expected output: O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)
Get-PSSessionConfiguration
Expected output for PS and PS 32: NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
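The two checks on this slide, turned into a small audit script. This is an added example, not code from the deck or from Microsoft: it compares each PowerShell session endpoint and the IPC$ share descriptor against the expected values the slide gives, and lists installed products that match a remote-access-tool name pattern (the pattern is an assumption; extend it for your environment). Run it in an elevated session on the DC being checked.

```powershell
# Added example (not from the original deck): audit the command-execution entry
# points the slide lists against the expected values it gives. Run elevated on the DC.

# Principals the slide's expected output names for the default endpoints.
$expectedPsRemoting = @(
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Administrators',
    'BUILTIN\Remote Management Users'
)

# Security descriptor (SDDL) the slide gives as the expected value for IPC$.
$expectedIpcSddl = 'O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)'

function Test-PsRemotingEndpoints {
    # Every session configuration is a separate door into the DC; anyone with
    # AccessAllowed can run commands through Invoke-Command / Enter-PSSession.
    foreach ($cfg in Get-PSSessionConfiguration) {
        $allowed = @()
        if ($cfg.Permission) {
            # Permission is a string such as
            # "NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed"
            $allowed = @($cfg.Permission -split ',\s*' |
                Where-Object { $_ -match 'AccessAllowed$' } |
                ForEach-Object { ($_ -replace '\s+AccessAllowed$', '').Trim() })
        }
        $unexpected = @($allowed | Where-Object { $expectedPsRemoting -notcontains $_ })
        [pscustomobject]@{
            Endpoint   = $cfg.Name
            Allowed    = $allowed -join '; '
            Unexpected = $unexpected -join '; '
            Compliant  = ($unexpected.Count -eq 0)
        }
    }
}

function Test-IpcShare {
    # IPC$ is the share remote service-control tools (the slide's PsExec example) rely on.
    $share = Get-SmbShare | Where-Object { $_.Name -eq 'IPC$' }
    [pscustomobject]@{
        Share     = 'IPC$'
        Sddl      = $share.SecurityDescriptor
        Compliant = ($share.SecurityDescriptor -eq $expectedIpcSddl)
    }
}

function Get-RemoteAccessTools {
    # Installed products whose display name matches common remote-access tool families.
    # The pattern is an assumption / starting point; extend it for your environment.
    $pattern = 'VNC|TeamViewer|AnyDesk|Remote Desktop Manager'
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
                     -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

Test-PsRemotingEndpoints | Format-Table -AutoSize
Test-IpcShare
Get-RemoteAccessTools | Format-Table -AutoSize
```

Only extra principals are flagged, so an endpoint with a subset of the expected list (for example one that lacks INTERACTIVE) still reports as compliant; tighten the comparison if your baseline requires an exact match.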

6 Assign User Logon Rights & Privileges in Accordance with Microsoft Baselines
- Keep DCs as close to a pristine state as possible
- Think of them as boxes that perform a certain function
- Don’t log on to them directly
- Don’t install software on them unless it’s absolutely needed

7 User Rights Assignment

8 Establish Baselines
- Use Microsoft policy baselines: Microsoft Security Compliance Manager
- Specify allowed applications; keep these to the bare minimum!
- Baseline the OS image: Microsoft Deployment Toolkit (MDT)
Hardened User Rights on a DC (right: allowed principals; "(none)" means no principal is listed for that right):
- Access Credential Manager as a trusted caller: (none)
- Access this computer from the network: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
- Act as part of the operating system: (none)
- Add workstations to domain: BUILTIN\Administrators
- Adjust memory quotas for a process: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
- Allow log on locally: BUILTIN\Administrators
- Allow log on through Terminal Services: BUILTIN\Administrators
- Back up files and directories: BUILTIN\Administrators
- Change the system time: BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
- Change the time zone: BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
- Create a pagefile: BUILTIN\Administrators
- Create a token object: (none)
- Create global objects: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
- Create permanent shared objects: (none)
- Create symbolic links: BUILTIN\Administrators
- Debug programs: BUILTIN\Administrators
- Deny access to this computer from the network: BUILTIN\Guests, NT AUTHORITY\Local account
- Deny log on as a batch job: BUILTIN\Guests
- Deny log on as a service: BUILTIN\Guests
- Deny log on locally: BUILTIN\Guests
- Deny log on through Terminal Services: BUILTIN\Guests, NT AUTHORITY\Local account
- Enable computer and user accounts to be trusted for delegation: BUILTIN\Administrators
- Force shutdown from a remote system: BUILTIN\Administrators
- Generate security audits: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
- Impersonate a client after authentication: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
- Increase scheduling priority: BUILTIN\Administrators
- Load and unload device drivers: BUILTIN\Administrators
- Lock pages in memory: (none)
- Manage auditing and security log: BUILTIN\Administrators
- Modify an object label: (none)
- Modify firmware environment values: BUILTIN\Administrators
- Perform volume maintenance tasks: BUILTIN\Administrators
- Profile single process: BUILTIN\Administrators
- Profile system performance: NT SERVICE\WdiServiceHost, BUILTIN\Administrators
- Replace a process level token: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
- Restore files and directories: BUILTIN\Administrators
- Shut down the system: BUILTIN\Administrators
- Synchronize directory service data: (none)
- Take ownership of files or other objects: BUILTIN\Administrators
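A way to verify the table above on a live DC. This is an added example, not code from the deck or from Microsoft: it exports the effective User Rights Assignment with secedit, parses the [Privilege Rights] section, and reports any principal holding one of the sensitive rights that the hardened baseline does not allow. The privilege-constant-to-SID mapping covers a subset of the slide's table (the rights slide 5 called out plus the logon rights); extend the hashtable with the remaining rows as needed. Run it elevated on the DC.

```powershell
# Added example (not from the original deck): compare the DC's User Rights Assignment
# against the principals the slide's hardened baseline allows. Run elevated on the DC.

# Privilege constant -> SIDs the baseline allows. S-1-5-32-544 is BUILTIN\Administrators,
# S-1-5-19 is NT AUTHORITY\LOCAL SERVICE, S-1-5-20 is NT AUTHORITY\NETWORK SERVICE.
# An empty list means the baseline assigns the right to no one. Subset of the slide's table.
$baseline = @{
    'SeTrustedCredManAccessPrivilege' = @()                            # Access Credential Manager as a trusted caller
    'SeTcbPrivilege'                  = @()                            # Act as part of the operating system
    'SeCreateTokenPrivilege'          = @()                            # Create a token object
    'SeRelabelPrivilege'              = @()                            # Modify an object label
    'SeLockMemoryPrivilege'           = @()                            # Lock pages in memory
    'SeBackupPrivilege'               = @('S-1-5-32-544')              # Back up files and directories
    'SeRestorePrivilege'              = @('S-1-5-32-544')              # Restore files and directories
    'SeDebugPrivilege'                = @('S-1-5-32-544')              # Debug programs
    'SeLoadDriverPrivilege'           = @('S-1-5-32-544')              # Load and unload device drivers
    'SeTakeOwnershipPrivilege'        = @('S-1-5-32-544')              # Take ownership of files or other objects
    'SeInteractiveLogonRight'         = @('S-1-5-32-544')              # Allow log on locally
    'SeRemoteInteractiveLogonRight'   = @('S-1-5-32-544')              # Allow log on through Terminal Services
    'SeSystemtimePrivilege'           = @('S-1-5-32-544', 'S-1-5-19')  # Change the system time
}

function Convert-SidToName {
    param([string]$Sid)
    # secedit writes resolvable accounts as *SID; fall back to the raw value when
    # translation fails (orphaned SID, or secedit already wrote a name).
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-UserRightsAssignment {
    param([string]$Path = (Join-Path $env:TEMP 'ur-export.inf'))   # constructed temp path
    # The [Privilege Rights] section holds lines such as:  SeDebugPrivilege = *S-1-5-32-544
    # Rights assigned to no one are simply absent from the export.
    $null = secedit.exe /export /cfg $Path /areas USER_RIGHTS /quiet
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name  = $Matches[1]
        $value = $Matches[2]
        $holders = $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        $rights[$name] = @($holders)
    }
    Remove-Item -Path $Path -ErrorAction SilentlyContinue
    return $rights
}

function Compare-UserRights {
    $actual = Get-UserRightsAssignment
    foreach ($priv in ($baseline.Keys | Sort-Object)) {
        $holders = if ($actual.ContainsKey($priv)) { $actual[$priv] } else { @() }
        $extra   = @($holders | Where-Object { $baseline[$priv] -notcontains $_ })
        [pscustomobject]@{
            Privilege  = $priv
            Holders    = (@($holders | ForEach-Object { Convert-SidToName $_ }) -join '; ')
            Unexpected = (@($extra   | ForEach-Object { Convert-SidToName $_ }) -join '; ')
            Compliant  = ($extra.Count -eq 0)
        }
    }
}

Compare-UserRights | Format-Table -AutoSize
```

Because the script compares SIDs rather than names, it is not fooled by renamed groups, and a holder that fails to translate is still shown (as its raw SID) so an orphaned entry from a deleted account stands out in the report.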

9 Part II – Protecting the Security Boundary
- A security boundary defines what we can make guarantees about
- The value of the boundary goes to 0 if a bug in it is left unfixed
- Anything that crosses the boundary must do so according to a policy
Basic Windows security boundaries:
- Physical machines
- System virtual machines
- User sessions

10 Think of domain controllers as appliance machines
- Keep DCs as close to a pristine state as possible
- Think of them as boxes that perform a certain function
- Don’t log on to them directly
- Don’t install software on them unless it’s absolutely needed

11 Verizon Data Breach Investigation Report 2015

12 Host Patching
- Install security updates a.s.a.p.
- Install all other updates within 90 days
- Keep antimalware up to date
- Patch third-party software (after you remove ALL unnecessary software)
- Test updates in a lab
- Develop mitigation plans for updates that can’t be installed
- Automate: Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)

13 Restrict Applications
AppLocker (note: limitations):
- Implement AppLocker whitelisting
- Thorough testing in Audit Mode is necessary
- Review NSA guidance on AppLocker
Code Integrity (Server 2016 feature):
- Helps protect against code injection and malware, and against administrators unintentionally running non-permitted code
- Powerful whitelisting technique for kernel and user mode
- Can use hardware-level security for protection
- Test thoroughly and start with unsigned policies
Whitelisting on Domain Controllers protects against code-based attacks, not credential-based attacks.
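What "thorough testing in Audit Mode" looks like in practice. This is an added example, not code from the deck, the NSA guidance or Microsoft: it builds an AppLocker policy from the executables and scripts already on the DC, forces every rule collection to AuditOnly before applying it, and then summarises the audit events that show what Enforce mode would have blocked. The scanned directories and the policy file path are assumptions; use a test DC first, and switch to `-Ldap` in `Set-AppLockerPolicy` when you are ready to publish through a domain GPO.

```powershell
# Added example (not from the original deck): generate an AppLocker policy, deploy it in
# Audit mode, and review what enforcement would have stopped. Run elevated on a test DC.

$policyPath = Join-Path $env:TEMP 'dc-applocker-audit.xml'   # constructed path
$scanDirs   = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'   # assumption

function New-DcAuditPolicy {
    # 1. Collect publisher/hash information for EXEs and scripts under the scanned paths.
    $fileInfo = foreach ($dir in $scanDirs) {
        if (Test-Path $dir) {
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
        }
    }
    # 2. Prefer publisher rules (they survive patching); fall back to hash for unsigned files.
    $xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
    # 3. Force every rule collection into AuditOnly so nothing is blocked yet.
    [xml]$policy = $xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $rc.EnforcementMode = 'AuditOnly'
    }
    $policy.Save($policyPath)
    return $policyPath
}

function Install-DcAuditPolicy {
    param([string]$Path = $policyPath)
    # AppLocker only evaluates rules while the Application Identity service is running.
    # Newer builds protect this service; if Set-Service is refused, configure it via Group Policy.
    Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction SilentlyContinue
    Start-Service -Name AppIDSvc
    # Applies to the local GPO; add -Ldap to target a domain GPO instead.
    Set-AppLockerPolicy -XmlPolicy $Path
}

function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    # 8003 (EXE and DLL log) and 8006 (MSI and Script log) mean "allowed because the
    # collection is in Audit mode, but would have been blocked under Enforce".
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8006
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath }
    } | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'File'; e = { $_.Name } }
}

New-DcAuditPolicy
Install-DcAuditPolicy
# Let the DC run its normal workload (patching, backups, monitoring agents) before reading this:
Get-AppLockerAuditHits -Hours 168 | Format-Table -AutoSize
```

Every file in the audit summary is either something the policy must be extended to allow or something that should not be running on a DC at all; only when the summary is empty across a full patch and backup cycle is the collection ready to be switched from AuditOnly to Enabled. As the slide says, none of this stops an attacker who already holds valid credentials.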

14 Network Access
- Enable the host-based firewall
- Disable Internet access
- Remove unnecessary services (ex: IIS)
- Restrict RDP access: restrict it to the Administrators group using User Rights Assignment
- Defense in depth
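The firewall and RDP points above, applied and then verified. This is an added example, not code from the deck or from Microsoft: it enables every firewall profile with a block-by-default inbound posture, replaces the built-in any-source Remote Desktop rules with one scoped to a management subnet, reports every enabled inbound rule that still opens TCP 3389, and flags an installed IIS role. The subnet and rule name are assumptions; the user-rights half of the RDP restriction is covered by the secedit comparison earlier in the deck.

```powershell
# Added example (not from the original deck): host firewall on, RDP scoped to a
# management network, unneeded roles flagged. Run elevated on the DC.

$mgmtSubnet = '10.10.0.0/24'        # constructed: network where PAWs / jump hosts live
$ruleName   = 'DC-RDP-From-Mgmt'    # constructed rule name

function Set-DcFirewallPosture {
    # Turn on every profile; unsolicited inbound traffic is dropped unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # The built-in Remote Desktop rules allow 3389 from any address; disable them...
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    # ...and replace them with a rule scoped to the management network only.
    if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $ruleName -DisplayName 'RDP from management subnet only' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet `
            -Action Allow -Profile Domain | Out-Null
    }
}

function Test-RdpExposure {
    # Report every enabled inbound rule that opens TCP 3389 and whether its remote scope is limited.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and @($port.LocalPort) -contains '3389') {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                RemoteAddress = (@($addr.RemoteAddress) -join ', ')
                Scoped        = (@($addr.RemoteAddress) -notcontains 'Any')
            }
        }
    }
}

function Get-DcUnneededRoles {
    # Roles with no business on a DC; IIS is the slide's example. Remove with Uninstall-WindowsFeature.
    Get-WindowsFeature -Name 'Web-Server', 'Web-WebServer', 'Web-Mgmt-Console' |
        Where-Object Installed | Select-Object Name, DisplayName
}

Set-DcFirewallPosture
Test-RdpExposure | Format-Table -AutoSize
Get-DcUnneededRoles
```

Any row from `Test-RdpExposure` with `Scoped` equal to False is a rule that still exposes RDP to the whole network and should be disabled or scoped; the check is worth re-running after software installs, since installers frequently add their own inbound rules.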

15 Protect Startup Components
- Unified Extensible Firmware Interface (UEFI) Secure Boot: only trusted pre-boot components are allowed
- Early Launch Antimalware (ELAM): choose an ELAM-compatible AV
- Measured Boot: allows for measuring startup component integrity

16 Physical Security
Physical Domain Controllers:
- BitLocker (TPM protection)
- Physical access control
Virtual Domain Controllers:
- Hyper-V fabric using Windows Server 2016 (supports existing 2012 VMs)
Backups:
- Backups are a security dependency of AD
- Backups must be protected to the same extent as Domain Controllers
- Encrypt backups and control their storage and transportation
- Mitigates a number of security dependencies
Physical access is not commonly used in cyber attacks, but it is definitely something to look out for.
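A single status report for the startup and disk-protection controls on the two slides above (Secure Boot, ELAM, Measured Boot, TPM, BitLocker). This is an added example, not code from the deck or from Microsoft. It assumes the default location Windows uses for Measured Boot logs and that ELAM drivers are registered in the Early-Launch load-order group, and it treats a legacy-BIOS machine (where `Confirm-SecureBootUEFI` throws) as Secure Boot off.

```powershell
# Added example (not from the original deck): report the boot-integrity and
# disk-protection posture of the DC it runs on. Run elevated.

function Get-DcStartupPosture {
    # Confirm-SecureBootUEFI throws on legacy-BIOS firmware (or a Gen1 VM); treat that as off.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # Measured Boot needs a TPM; Windows stores the resulting TCG logs under this folder
    # (assumed default location).
    $tpm = Get-Tpm
    $measuredBootLogs = Test-Path (Join-Path $env:SystemRoot 'Logs\MeasuredBoot')

    # ELAM drivers (e.g. the AV vendor's boot-start driver) register in the Early-Launch group.
    $elam = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {
        (Get-ItemProperty $_.PSPath -Name Group -ErrorAction SilentlyContinue).Group -eq 'Early-Launch'
    } | ForEach-Object { $_.PSChildName }

    # BitLocker on the OS volume, and whether it is bound to the TPM (Tpm, TpmPin, ...).
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $tpmBound = [bool]($osVol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        IsVirtual         = ((Get-CimInstance Win32_ComputerSystem).Model -match 'Virtual')
        SecureBoot        = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        MeasuredBootLogs  = $measuredBootLogs
        ElamDrivers       = ($elam -join ', ')
        OsVolumeEncrypted = ($osVol.ProtectionStatus -eq 'On')
        OsVolumeTpmBound  = $tpmBound
    }
}

function Test-DcStartupPosture {
    # Collapse the report into a pass/fail list so it can feed a compliance dashboard.
    $p = Get-DcStartupPosture
    foreach ($check in 'SecureBoot', 'TpmPresent', 'TpmReady', 'MeasuredBootLogs', 'OsVolumeEncrypted', 'OsVolumeTpmBound') {
        [pscustomobject]@{ Check = $check; Pass = [bool]$p.$check }
    }
    [pscustomobject]@{ Check = 'ElamDriverPresent'; Pass = ($p.ElamDrivers -ne '') }
}

Get-DcStartupPosture
Test-DcStartupPosture | Format-Table -AutoSize
```

For a virtual DC the same checks apply to the guest: a Generation 2 VM with a virtual TPM can report Secure Boot and BitLocker just like hardware, while the backup and fabric controls on the slide protect the VHDX that holds the directory.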

17 Coming up next Tactic 5: Beware of Security Dependencies

18 Resources
- Shielded VMs Session
- Sweet Device Guard
- Security Baselines for Win8.1/Server 2012 R2 by Aaron Margosis
- Microsoft Security Compliance Manager
- Microsoft Guidance on running AppLocker (use on DCs)
- NSA Guidance on AppLocker (for other machines)
- User Rights Assignments documentation
- Need help from Microsoft Services Cybersecurity?


