BACHELOR’S THESIS DEFENSE
Protecting Windows Privileged Accounts
Loc Phan Van, IDCR
Supervisor: Ilhan Celebi, Infrastructure Engineer
Agenda
1. Introduction
2. Effectiveness of Implementation
3. Windows Active Directory Security Principles
4. Windows Active Directory Security Development
5. Best Practices
6. Conclusions
Introduction
Background:
- Privileged accounts have always been a primary target.
- Like regular accounts, they carry a valid set of credentials that grants access to systems and the network.
- Windows privileged accounts are complicated compared to other systems.
- Windows is the most popular operating system and directory service.
Problems:
- Because of the complexity, privileged accounts are hard to manage and get ignored.
- Security software is expensive.
Objectives:
- Give administrative principles.
- Point out sensitive groups.
- Develop a tool for privileged accounts information gathering.
- Develop a monitoring solution for privileged accounts.
Effectiveness of implementation
Timeline for a typical attack scenario:
- 80% of attacks come from external sources
- 75% of attacks take weeks or more (Verizon Report)
- $1.2M over a week for recovering (IT Sec Risk Report)
Effectiveness of implementation
- Detect abnormal behaviors
- Alert administrators
- Extend the time an attacker needs for escalation by applying: RBAC Tier Model, secondary accounts, Tier-0 groups, Privileged Admin Workstation, naming convention, privileged account cleaning-up
Windows AD Security Principles
1. Role based access control Tier Model
2. Dealing with Tier-0 groups
3. Secondary accounts
4. Privileged Admin Workstation
5. Naming convention
6. Privileged accounts cleaning-up
Windows AD Security Principles
Privileged Account Cleaning-up
- Investigate the data held on the AD objects.
- Focus on administrative objects (accounts, groups).
- Find out whether they are still being used.
- Promulgate policies for the unused objects (delete or deactivate them).
Windows AD Security Development
Development process:
1. Privileged Accounts Information Gathering
2. Privileged Accounts Monitoring
Windows AD Security Development
1 Privileged Accounts Information Gathering
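The following script is an added example, not the thesis author's gathering tool: it covers both the information-gathering step on this slide and the clean-up step of the "Privileged Account Cleaning-up" principle. It enumerates every user that is a direct or nested member of the Tier-0 groups named in this presentation and attaches findings (disabled, no recent logon, non-expiring password) that a clean-up policy can act on. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD; the 90-day staleness threshold and the function name Get-Tier0AccountInventory are assumptions for this example.

```powershell
# Added example, not the thesis author's tool: inventory Tier-0 group members and flag
# accounts that look unused, so they can be deactivated or deleted under the clean-up policy.
# Assumptions: RSAT ActiveDirectory module installed, domain-joined host with read access
# to AD, and a placeholder staleness threshold of 90 days.
Import-Module ActiveDirectory

$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Backup Operators', 'Server Operators', 'Print Operators', 'Account Operators'
)

function Get-Tier0AccountInventory {
    param([int]$StaleDays = 90)   # assumed threshold; tune to the organisation's policy

    $cutoff    = (Get-Date).AddDays(-$StaleDays)
    $inventory = @{}   # SamAccountName -> inventory record

    foreach ($groupName in $Tier0Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # so a group may legitimately be missing in a child domain.
        try { $group = Get-ADGroup -Identity $groupName -ErrorAction Stop } catch { continue }

        # -Recursive expands nested groups, so accounts that inherit Tier-0 rights
        # through another group are listed too.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $user = Get-ADUser -Identity $_.distinguishedName `
                            -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
                if (-not $inventory.ContainsKey($user.SamAccountName)) {
                    $inventory[$user.SamAccountName] = [pscustomobject]@{
                        SamAccountName       = $user.SamAccountName
                        Enabled              = $user.Enabled
                        LastLogonDate        = $user.LastLogonDate   # from lastLogonTimestamp (replicated, ~14-day precision)
                        PasswordLastSet      = $user.PasswordLastSet
                        PasswordNeverExpires = $user.PasswordNeverExpires
                        Tier0Groups          = [System.Collections.Generic.List[string]]::new()
                        Findings             = [System.Collections.Generic.List[string]]::new()
                    }
                }
                $inventory[$user.SamAccountName].Tier0Groups.Add($groupName)
            }
    }

    # Clean-up checks: each finding is a reason to review the account under the policy.
    foreach ($entry in $inventory.Values) {
        if (-not $entry.Enabled) {
            $entry.Findings.Add('disabled account still holds Tier-0 membership')
        }
        if (-not $entry.LastLogonDate -or $entry.LastLogonDate -lt $cutoff) {
            $entry.Findings.Add("no logon recorded in the last $StaleDays days")
        }
        if ($entry.PasswordNeverExpires) {
            $entry.Findings.Add('password never expires')
        }
        if ($entry.Tier0Groups.Count -gt 1) {
            $entry.Findings.Add("member of $($entry.Tier0Groups.Count) Tier-0 groups")
        }
    }
    $inventory.Values | Sort-Object SamAccountName
}

# Usage: show the accounts that need attention and keep a CSV for the clean-up review.
$report = Get-Tier0AccountInventory -StaleDays 90
$report | Where-Object { $_.Findings.Count -gt 0 } |
    Select-Object SamAccountName, Enabled, LastLogonDate,
                  @{ n = 'Groups';   e = { $_.Tier0Groups -join ', ' } },
                  @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Format-Table -AutoSize
$report | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
                        @{ n = 'Groups';   e = { $_.Tier0Groups -join ';' } },
                        @{ n = 'Findings'; e = { $_.Findings -join ';' } } |
    Export-Csv -Path '.\tier0-inventory.csv' -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated when the previous value is more than about 14 days old, so the threshold should be well above that granularity; a "no logon" finding is a prompt to check with the account owner, not proof the account is abandoned.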
Windows AD Security Development
2 Privileged Accounts Monitoring
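As an added example of the monitoring step (this is not the thesis' own monitoring solution), the script below polls a domain controller's Security log for accounts being added to the Tier-0 groups listed in this presentation and alerts the administrators, which is the "detect abnormal behaviors, alert administrators" goal of the effectiveness slide. Event IDs 4728, 4732 and 4756 are the standard Windows "member added to a security-enabled global / local / universal group" events and require the "Audit Security Group Management" audit subcategory to be enabled. The mail addresses, SMTP server, 15-minute polling window and function names are assumptions for this example.

```powershell
# Added example, not the thesis' monitoring solution: poll the Security log of a domain
# controller for members added to Tier-0 groups and alert administrators.
# Assumptions: rights to read the Security log, "Audit Security Group Management" enabled,
# placeholder mail settings, and a 15-minute window matching the scheduled-task interval.

$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Backup Operators', 'Server Operators', 'Print Operators', 'Account Operators'
)
# 4728 = global group, 4732 = local group, 4756 = universal group ("member was added")
$MemberAddedEventIds = 4728, 4732, 4756

function Get-Tier0MembershipChanges {
    param(
        [string]$ComputerName    = $env:COMPUTERNAME,   # a domain controller
        [int]   $LookbackMinutes = 15
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $MemberAddedEventIds
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    # "No events were found" is a non-terminating error; treat it as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Read the named EventData fields from the XML instead of parsing the message text,
        # which is localised and may differ between Windows versions.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        # For these event IDs TargetUserName is the group and MemberName the member's DN.
        if ($Tier0Groups -notcontains $data['TargetUserName']) { continue }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            EventId   = $evt.Id
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Computer  = $evt.MachineName
        }
    }
}

function Send-Tier0Alert {
    param([Parameter(Mandatory, ValueFromPipeline)] $Change)
    process {
        $body = @(
            "Member added to Tier-0 group '$($Change.Group)' on $($Change.Computer) at $($Change.Time)",
            "Member:     $($Change.Member)",
            "Changed by: $($Change.ChangedBy)",
            "Event ID:   $($Change.EventId)"
        ) -join "`n"
        # Placeholder transport: replace with the organisation's ticketing or SIEM hook.
        Send-MailMessage -To 'ad-admins@example.test' -From 'ad-monitor@example.test' `
            -SmtpServer 'smtp.example.test' `
            -Subject "ALERT: change to Tier-0 group $($Change.Group)" -Body $body
        Write-Warning $body   # also echo to the console for interactive runs
    }
}

# Usage: run from a scheduled task every 15 minutes against each domain controller.
Get-Tier0MembershipChanges -LookbackMinutes 15 | Send-Tier0Alert
```

Group-membership events are logged on the domain controller that processed the change, so the task has to run against every DC (or the events have to be forwarded to a collector) for the monitoring to be complete; the matching "member removed" events (4729, 4733, 4757) can be added to the same filter to catch an attacker cleaning up after themselves.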
Best practices
- Inventory and reduce the number of privileged accounts.
- Use secondary accounts.
- Enforce least privilege for standard user accounts.
- Store passwords securely.
- Create a process for on- and off-boarding employees who have privileged accounts.
- Eliminate accounts with non-expiring passwords.
- Apply a password complexity and password age policy.
- Implement automated password verification and reconciliation.
- Gather privileged account information.
- Proactively detect malicious behavior.
Conclusions
Very first stepping stones in Windows security:
- Contributed Windows administrative principles
- Implemented privileged accounts information gathering
- Developed a monitoring solution
- Gave best practices
Further work: dealing with service accounts
Thank you
Reviewer’s questions
1. What was the reason why the author did not research those 3rd-party solutions for this problem more deeply?
2. The author refers that Microsoft ATA (Advanced Threat Analytics) may solve most of the problems but for some reason does not use it in the solution. What was the reason for that? As much as I know, ATA can be integrated with other monitoring systems as well.
3. How can the author ensure that the solution will be properly maintained and sustainable? (Who will develop it, and how does the organization need to monitor and change the solution in the future?)
4. Who are those best practices listed in Section 5 related to, and used in the current thesis/work?
Tier 0 groups
Domain Admins: Active Directory group with full admin rights to the Active Directory domain and all computers (default).
Enterprise Admins: Active Directory group with full admin rights to all Active Directory domains in the AD forest; it gains this right through automatic membership in the Administrators group in every domain in the forest.
Schema Admins: Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains.
Backup Operators: Local or Active Directory group. AD group members can back up or restore Active Directory and have logon rights to Domain Controllers (default).
Server Operators: Members of the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
Print Operators: Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
Account Operators: Active Directory group with default privileged rights on domain users and groups, plus the ability to log on to Domain Controllers.
Administrators: Local or Active Directory group. The AD group has full admin rights to the Active Directory domain and Domain Controllers.
Sensitive groups
Pre–Windows 2000 Compatible Access: Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain.
Remote Desktop Users: The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
WinRMRemoteWMIUsers__: In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. The WinRMRemoteWMIUsers__ group allows running Windows PowerShell commands remotely, whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console.
Protected Users: Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts.
Windows AD Security Principles
Role based access control Tier Model
Windows AD Security Principles
Dealing with Tier-0 Groups
Domain Admins, Enterprise Admins, Schema Admins, Backup Operators, Server Operators, Print Operators, Account Operators, Administrators
Secondary accounts
- One account for normal user activities: mail, Internet browsing, line of business applications, etc.
- A separate account for doing administration.
- One admin account for each tier.
- For example: pe889 (prefix "pe": regular user accounts), ad335 (prefix "ad": administrative accounts)
Windows AD Security Principles
Privileged Admin Workstation
Naming Convention
Role: Role-<Role Tier>-<Role Name>
- Prefix: Role
- Role Tier: T0/T1/T2
- Role Name: job function
- Example: Role-T2-WorkstationAdmins
Task: Task-<Target Object Type>-<Operation>-<Target>
- Prefix: Task
- Target Object Type: AD object type
- Operation: Create/Delete/Manage etc.
- Target: short name for OU/target
- Example: Task-Computer-Create-CORP
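The following script is an added example (not from the thesis) that turns the naming conventions on this slide and on the secondary-accounts slide into checks: group names must match Role-<Role Tier>-<Role Name> or Task-<Target Object Type>-<Operation>-<Target>, and account names must carry the "pe" (regular) or "ad" (administrative) prefix. The prefixes and patterns are the presentation's; the numeric-suffix rule, the lists of allowed object types and operations, the sample names and the function names are assumptions made for this example.

```powershell
# Added example, not from the thesis: validate account and group names against the
# naming conventions in this presentation. Allowed object types/operations, the digit
# suffix rule and the function names are assumptions for this example.

$AllowedObjectTypes = 'User', 'Computer', 'Group', 'OU', 'GPO'   # assumed AD object types
$AllowedOperations  = 'Create', 'Delete', 'Manage'               # slide: "Create/Delete/Manage etc."

function Test-AccountNamingConvention {
    # pe<digits> = regular user account, ad<digits> = administrative account (e.g. pe889, ad335).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $kind = switch -Regex ($SamAccountName) {
        '^pe\d+$' { 'Regular user' }
        '^ad\d+$' { 'Administrative' }
        default   { $null }
    }
    $issue = $null
    if (-not $kind) { $issue = 'expected pe<digits> or ad<digits>' }
    [pscustomobject]@{ Name = $SamAccountName; Valid = [bool]$kind; Kind = $kind; Issue = $issue }
}

function Test-GroupNamingConvention {
    # Role-<Role Tier>-<Role Name>  or  Task-<Target Object Type>-<Operation>-<Target>
    param([Parameter(Mandatory)][string]$GroupName)
    $result = [pscustomobject]@{ Name = $GroupName; Valid = $false; Type = $null; Issue = $null }

    if ($GroupName -match '^Role-(?<Tier>T[012])-(?<Role>[A-Za-z0-9]+)$') {
        $result.Type  = 'Role'
        $result.Valid = $true
    }
    elseif ($GroupName -match '^Task-(?<ObjectType>[A-Za-z]+)-(?<Operation>[A-Za-z]+)-(?<Target>[A-Za-z0-9]+)$') {
        $result.Type = 'Task'
        if ($AllowedObjectTypes -notcontains $Matches.ObjectType) {
            $result.Issue = "unknown object type '$($Matches.ObjectType)'"
        }
        elseif ($AllowedOperations -notcontains $Matches.Operation) {
            $result.Issue = "unknown operation '$($Matches.Operation)'"
        }
        else {
            $result.Valid = $true
        }
    }
    else {
        $result.Issue = 'expected Role-<T0|T1|T2>-<RoleName> or Task-<ObjectType>-<Operation>-<Target>'
    }
    $result
}

# Constructed sample names: the two taken from the slide pass, the other three are rejected.
'Role-T2-WorkstationAdmins', 'Role-T3-Helpdesk', 'Task-Computer-Create-CORP',
'Task-Computer-Reboot-CORP', 'Domain Admins' |
    ForEach-Object { Test-GroupNamingConvention $_ } | Format-Table -AutoSize
'pe889', 'ad335', 'jsmith' | ForEach-Object { Test-AccountNamingConvention $_ } | Format-Table -AutoSize

# Audit the directory (needs the ActiveDirectory module): every delegation group should
# follow the Role-/Task- pattern and every Domain Admins member should be an 'ad' account.
function Find-NamingViolations {
    Import-Module ActiveDirectory
    Get-ADGroup -Filter 'Name -like "Role-*" -or Name -like "Task-*"' |
        ForEach-Object { Test-GroupNamingConvention $_.Name } |
        Where-Object { -not $_.Valid }
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Test-AccountNamingConvention $_.SamAccountName } |
        Where-Object { $_.Kind -ne 'Administrative' }
}
```

Running Find-NamingViolations periodically from the same scheduled task as the monitoring script gives an early warning when a privileged group or account is created outside the convention, which is usually the first sign that a delegation was set up by hand rather than through the agreed process.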