TRANSCRIPT
Enhanced Security Administrative Environment
Wally Lee
Cybersecurity Architect
Cybersecurity Global Practice
INTERNATIONAL HEADLINES
• Britain targeted by 120,000 cyber attacks every DAY
• Defense Secretary Panetta warns next Pearl Harbor could be cyber attack (GANT DAILY): Washington, DC, United States (4E) – Defense Secretary Leon Panetta repeated his warning that the next Pearl Harbor could be a cyber attack after a speech at Georgetown University ….
• Sophisticated cyber-attack hits Energy Department, China possible suspect (FOX NEWS): The Energy Department has been hit by a major cyber-attack, which resulted in the personal information of several hundred employees being compromised and could have been aimed at obtaining ….
• As Attacks Mount, Governments Grapple With Cyber Security Policies (AP)
• Anonymous intends to block Webcasts of State of the Union (CNET)
• Cyber attack on Twitter, 250,000 accounts hacked (AP)
• 'Cyber-attack' strikes Japan govt again (ASIA ONE)
Threats, Attacks and Reality
• IT environments not designed for credential-theft class of attacks
• IT security resources trying to defend every system equally
• Reputation impact concerns hamper defender collaboration
Change In Approach
Before / Now
Business Challenges
DEFENDER
• IT environments not designed for credential theft class of attacks
• IT security resources trying to defend every system equally
• Reputation impact concerns hamper defender collaboration
ATTACKER
• Emergence of well-resourced and determined adversaries
• Attack tooling and automation improving drastically
• Specific targeting of organizations, people, data
Attack Scenarios
• Builds the software much of the info ecosystem runs on
• Operates one of the world’s largest commercial networks and has resources like the Microsoft Security Response Center and the Microsoft Malware Protection Center
• Operates major online and cloud services
• Operates a global network of research and response labs
• Has unparalleled visibility into the threat environment
We have a wide range of security services capabilities across Microsoft. We are building additional local and regional security capabilities that can be delivered through MCS and Premier.
Tier 0: Domain Controllers
Tier 1: Servers and Applications
Tier 2: Users and Workstations
1. Attacker targets workstations en masse
2. User running as local admin is compromised, attacker harvests credentials
3. Attacker uses credentials for lateral movement or privilege escalation
4. Attacker acquires domain admin credentials
5. Attacker starts exercising this full control of data and systems in the environment
Pass-The-Hash Demo
Eason Lai
Microsoft Services – Technical Account Manager
Demo machines: DC01, Win7Hack, Win7
Step 1: Obtaining the local administrator hash
Step 2: Modify the sticky-key feature
Step 3: Create a new local administrator account
Step 4: Pass the hash – wave 1
Step 5: Obtaining the domain administrator hash
Step 6: Pass the Hash – wave 2 – Fishing
Step 7: Prepare to take control of the forest
Thinking like an attacker
(Figure: access levels, what each yields to an attacker, and the transitions between them; recovered labels only.)
• Patient Zero / User Access: User’s Data & Keystrokes; All AD Data (Read)
• Workstation Administrator (SYSTEM or Administrator): All Local Data; Active User Credentials; SAM: NT Hashes
• Server Administrator (Servers, Access Data): All Local Data; Active User Credentials; SAM: NT Hashes
• Domain Admin (Domain Controllers): All AD Data (Full Control); All Credentials (NT Hashes); All Workstations; All Data
• Transitions shown: Malware Install; Beacon, C&C; Vuln & Exploit; User = Admin; Domain Admin Logon; User Action
PtH Whitepaper
Assume Breach
Pass-the-Hash Mitigations
Architect a credential theft and reuse defense
Establish a containment model for account privileges
Tier 0 – Forest admins: Direct or indirect administrative control of the Active Directory forest, domains, or domain controllers
Tier 1 – Server admins: Direct or indirect administrative control over a single or multiple servers
Tier 2 – Workstation Admins: Direct or indirect administrative control over a single or multiple devices
(Figure: logon rules between Tier 0, Tier 1 and Tier 2: Same Tier Logon; Higher Tier Logon; Lower Tier Logon; Blocked.)
Credential Theft Mitigation Strategy
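The containment model above is only useful if cross-tier logons are actually caught. The following is an added example, not code from the deck or from Microsoft: it audits logon records against a tier inventory under the strict reading that an account may log on only to systems in its own tier, and labels each violation by the risk it creates. The tier inventory, account and host names, and the logon records are all constructed.

```python
# Added example (not Microsoft's code): tier-model logon audit; all data constructed.
TIER_OF_ACCOUNT = {  # constructed: account -> tier it belongs to
    "CORP\\da-alice": 0,   # Tier 0: forest / domain admin
    "CORP\\srv-bob": 1,    # Tier 1: server admin
    "CORP\\ws-carol": 2,   # Tier 2: workstation admin
    "CORP\\dave": 2,       # Tier 2: standard user
}

TIER_OF_HOST = {  # constructed: host -> tier of the system
    "DC01": 0, "APP01": 1, "SQL01": 1, "WS-0042": 2,
}

def classify_logon(account, host):
    """Return None for a same-tier logon, otherwise a string describing
    the violation and the risk it creates under the tier model."""
    acct_tier = TIER_OF_ACCOUNT.get(account)
    host_tier = TIER_OF_HOST.get(host)
    if acct_tier is None or host_tier is None:
        return "unclassified: account or host missing from tier inventory"
    if acct_tier == host_tier:
        return None
    if acct_tier < host_tier:
        # More privileged account on a less trusted system: its NT hash and
        # tickets are now harvestable by whoever already owns that host.
        return (f"credential exposure: Tier {acct_tier} account on Tier "
                f"{host_tier} host (lower-tier logon, should be blocked)")
    # Less privileged account reaching a more trusted system.
    return (f"escalation path: Tier {acct_tier} account on Tier "
            f"{host_tier} host (higher-tier logon, should be blocked)")

def audit(events):
    """Run classify_logon over logon records; return the violations only."""
    findings = []
    for ev in events:
        verdict = classify_logon(ev["account"], ev["host"])
        if verdict is not None:
            findings.append((ev["account"], ev["host"], verdict))
    return findings

# Constructed sample of interactive logon records.
SAMPLE_EVENTS = [
    {"account": "CORP\\da-alice", "host": "DC01"},     # Tier 0 -> Tier 0: fine
    {"account": "CORP\\da-alice", "host": "WS-0042"},  # Tier 0 -> Tier 2: exposure
    {"account": "CORP\\dave", "host": "SQL01"},        # Tier 2 -> Tier 1: escalation
    {"account": "CORP\\srv-bob", "host": "APP01"},     # Tier 1 -> Tier 1: fine
]

if __name__ == "__main__":
    for account, host, verdict in audit(SAMPLE_EVENTS):
        print(f"{account} -> {host}: {verdict}")
```

In practice the records would come from the domain's security event log and the inventory from the tier assignments maintained in AD, but the classification logic is the same.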
1. Privilege elevation
• Credential Theft
• Application Agents
• Service Accounts
2. Lateral traversal
• Credential Theft
• Application Agents
• Service Accounts
Tier 0: Domain Controllers
Tier 1: Servers and Applications
Tier 2: Users and Workstations
1. Credential Partitioning
2. Mitigate local account traversal
3. Mitigate domain account traversal
(Figure: logon paths between the tiers.)
Keep in mind that:
A. Applications and service accounts may pose credential theft and re-use risks
B. Bad guys can target individual computers and users, but these mitigations make it much harder to:
• Steal powerful credentials
• Do anything with stolen credentials
4. Application and Service Risks
(Figure: ESAE architecture; recovered labels only.)
Production:
• Access: Users and Workstations
• Data: Servers and Applications
• Power: Domain Controllers
Admin Environment:
• Management and Monitoring
• Domain Admins
• IPsec Credential Partitioning
Hardened Admin Environment:
• Known Good Media
• Network security
• Hardened Workstations
• Accounts and smartcards
• Auto-Patching
• Security Alerting
• Tamper-resistant audit
• Offline Administration (enforces governance)
Assist with mitigating risks:
• Services and applications
• Lateral traversal
Break Glass Account(s)
Red Card Admins
Enhanced Security Administrative Environment
ESAE (Enhanced Security Administrator Environment)
Technologies: PKI & Smartcards; IPsec network isolation; BitLocker & AppLocker; SCM; SCOM
Mitigation for ‘Pass the Hash’ style of attacks.
Builds a separate mini AD forest which is locked down and used to administer production Active Directory forests.
Uses a range of built-in technology and features to enable a secure administrator environment.
It is the strategic mitigation for customers with compromised AD environments.
Mitigation areas: Mitigate Theft; Limit Usefulness; Additional Recommendations; Automated Maintenance
Makes secure practices easier and insecure harder
http://aka.ms/SVC233
Session Evaluation