BASIC SECURITY PRINCIPLES - Sevecek indirect group membership in access token Tools for Access Token...


BASIC SECURITY PRINCIPLES

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |

Outline

User Identity and Access Tokens

Local User Accounts

Domain User Accounts

Authentication Mechanisms

User Rights

User Account Control

Group Policy Security Settings

Computer Environment

Groups and Group Scopes

USER IDENTITY AND ACCESS TOKENS

Advanced Windows Security

Windows Processes

Everything runs as a process
  some code runs in kernel mode, but mostly under the identity of the calling process
  interrupts, DPCs and the file cache execute without a user context

Every process runs under a user identity
  SYSTEM, Network Service, Local Service, local user, domain user

Access permissions are always checked
  there is no root superuser as in Unix

User Identity

User identity is represented as a SID
  NT Authority\SYSTEM = S-1-5-18
  NT Authority\Local Service = S-1-5-19
  NT Authority\Network Service = S-1-5-20
  BUILTIN\Administrators = S-1-5-32-544
  BUILTIN\Users = S-1-5-32-545
  local user = S-1-5-21-LocalSID-RID
  domain user = S-1-5-21-DomainSID-RID

Every process gets its own copy of an Access Token: a list of the user's SID and the SIDs of his groups, created by LSASS.exe (Local Security Authority)

Access Token

Memory structure that contains user SID and the SIDs of his groups

identified by its Logon Session ID

Inherited by child processes

Cached after a successful interactive logon in registry

HKLM\Security\Cache

Policy: Number of Previous Logons to Cache

Limited to 1025 SIDs

Access Token Cache Limit

Access token limit to 1025 SIDs

Lab: indirect group membership in access token

Tools for Access Token

WHOAMI /ALL
  built into Vista/2008 and newer
  member of Support Tools for 2003/XP and older

PROCEXP (Process Explorer)
  download from http://live.sysinternals.com

PSEXEC
  download from http://live.sysinternals.com

ADUC Attribute Editor
  Active Directory Users and Computers console
  select View – Advanced Features
  can show user and group SIDs in AD

Lab: Access Token

Log on to GPS-WKS as Kamil
  use WHOAMI /ALL to investigate his access token
  verify that he is a member of the Administrators and Employees groups
  note his SID and the SIDs of his groups

Use PSEXEC -D -S -I CMD to start a command line under the SYSTEM account
  use WHOAMI /ALL to verify its access token

Use PSEXEC -D -I -U "NT Authority\Network Service" CMD to start a command line under the Network Service account
  use WHOAMI /ALL to verify its access token

Start PROCEXP and verify contents of the access tokens of some processes

Start ADUC and use Attribute Editor tab to verify user SIDs in Active Directory

System SIDs

Some SIDs are added automatically

INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON

Everyone, Authenticated Users, This Organization, NTLM Authentication

Lab: SERVICE SID

On GPS-DC create a service account for SNMPTRAP service

user: svc-snmp

options: password never expires, user cannot change password

On GPS-WKS reconfigure SNMP TRAP service to run under GPS\svc-snmp account

Using PROCEXP verify that the SERVICE SID is injected into the process's access token

Translating SIDs with PowerShell

# SID -> account name
'S-1-5-18', 'S-1-5-32-544' |
  Select @{ n = 'SID' ; e = { $_ } },
         @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTAccount')).Value } }

# account name -> SID
'Administrators', 'NT AUTHORITY\Network Service' |
  Select @{ n = 'Name' ; e = { $_ } },
         @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } }

# regular expression that picks a SID out of free text
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value

All BUILTIN SIDs

# enumerate the well-known BUILTIN groups by RID; RIDs without a name just produce a suppressed error
(1..1000) | % {
  $user = New-Object Security.Principal.SecurityIdentifier S-1-5-32-$_
  $errorActionPreference = 'SilentlyContinue'
  write-host ("{0,35} = S-1-5-32-{1}" -f $user.Translate([Type]::GetType('System.Security.Principal.NTAccount')).Value.Replace('BUILTIN\', ''), $_)
  $errorActionPreference = 'Continue'
}

Everyone vs. Authenticated Users

Windows 2000-

Everyone = Authenticated Users + Anonymous Logon

Windows XP+

Everyone = Authenticated Users

can be changed back in security policy

Let Everyone permissions apply to Anonymous Users

Everyone vs. Authenticated Users

Default Local Users Group

By default local Users group contains

Authenticated Users

Default security

Everyone = Authenticated Users = Users

Do not use any of the groups for securing resources

Default Local Users Group

Lab: Local Users on GPS-WKS

Lab: Verify (non)Access

Verify that the following users can log on to the GPS-WKS workstation [email protected] (Employee)

[email protected] (Employee)

Verify that the following users cannot log on to GPS-WKS [email protected] (Contractor)

[email protected] (account from ELEARNING domain)

BIKES\tanja (account from BIKES domain)

LOCAL USER ACCOUNTS

Advanced Windows Security

Local User Accounts

Stored in local registry HKLM\SAM\Domains\Account

Password hashed (MD4)
  can be stored in full: Policy: Store passwords using reversible encryption

Can enforce password complexity and history
  Policy: Password complexity requirements
  Policy: Enforce password history

Single login: COMPUTER\username

LM Password Hashes

Windows 2003/XP store LM password hashes

extremely insecure, effectively only 7 uppercase characters

remains in Default Domain Policy GPO if installed with Windows 2003 or older

backward compatibility

Windows 95, 3.1, MS-DOS

Should be disabled as soon as possible

LM Password Hashes

Lab: Disable LM Hashes

On GPS-DC open the GPMC console

Create a new GPO for domain

name: Security: LM Hashes Disabled

link to: gopas.virtual

enforced: yes

Disable LM hashes

Computer – Windows Settings – Local Policies – Security Options – Do not store LAN Manager hashes on next password change

Lab: Cracking Local Passwords with Cain

Log on to GPS-WKS as gps\kamil

Install Cain & Abel tool

Switch to Cracker tab

Import LM&NTLM hashes from local system

Perform Brute-Force Attack on one of the hashes

http://hashcat.net performance

Brute-Force vs. Rainbow Tables

Brute-force

generate all the possible hashes

taking time for the generation

ca 80x per additional character

Rainbow Tables

use pre-generated, sorted list of hashes

taking one-time for the generation

taking space to store the database

ca 40x per additional character

Local Password Policies

Password Policies

Minimum recommended length: 10 characters

http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145

Minimum password age
  the setting is necessary only to enforce password history

Password complexity (3 of 4)
  at least three of: a-z, A-Z, 0-9, #^%&*
  must not contain 3 or more characters of the user's login

Complex Passwords

Simple examples

September2012

John-Lennon

Buldo-zer56

Login considered

login: ondrej

Invalid password: J@mES-BonD38

Local Account Lockout Policy

VOLATILE STATE VS. OFFLINE ATTACKS

Advanced Windows Security

Sensitive memory information

LSASS.exe
  currently logged-on user hashes
  currently logged-on user plain-text passwords
  processes, services, jobs, IIS apppools

Only local administrators can attack online (debug privilege!)

Windows 8/2012 and older
  password + MD4 hash + LM hash (always)

Windows 8.1/2012 R2 and newer
  MD4 hash (+ password if RDP SSO)
  LM hash only if enabled

Extract passwords/hashes

Pass-the-hash

Sensitive information stored permanently

Only local administrators can extract online
  local user password hashes from registry
  service, scheduled task, IIS apppool plaintext passwords

Users can extract their own online
  IE stored passwords
  RDP stored passwords
  stored Windows credentials
  software keylogging

Offline extraction
  anything stored permanently, except with SYSKEY

Permanently stored system-wide information

HKLM\SAM
  local user account hashes (LM, MD4), non-salted = rainbow/brute-force

HKLM\SECURITY\Cache
  domain user account hash cache (1000x SHA-1), salted with username = brute-force

HKLM\SECURITY\Policy\Secrets
  LSA secrets: plain-text passwords for services, DefaultPassword, VPN (dialup) passwords

%windir%\System32\Config\SystemProfile\AppData\Local\Microsoft\Credentials
  scheduled task plain-text passwords, protected with DPAPI

Permanently stored system-wide and per-user information

IIS application pool accounts
  plain-text in applicationHost.config (DPAPI protected)
  appcmd list apppool /text:*

NPS RADIUS clients
  plain-text shared secrets: netsh nps export exportpsk=yes

Per user: Windows Vault / Stored User Names and Passwords (DPAPI)
  %userprofile%\AppData\Roaming\Microsoft\Credentials
  %userprofile%\AppData\Local\Microsoft\Vault

Online fake password prompts

Require CTRL-ALT-DEL

Require secure desktop UAC confirmation

Require CTRL-ALT-DEL

Require secure UAC prompts

Do not allow "Stored user names and passwords" (WKS only vs. scheduled jobs)

Do not allow IE caching passwords (basic/forms)

IE 7, 6, …
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  DisablePasswordCaching = 1

IE 8, 9, 10
  disable Credential Manager

IE 11
  HKCU\Software\Microsoft\Internet Explorer\Main
  FormSuggest Passwords = no

Do not allow browser caching passwords (basic/forms)

Edge
  HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main
  FormSuggest Passwords = no

Chrome for Business
  ADMX template

Other browser issues

Block Flash in IE, Edge, Chrome

Block other ActiveX plugins

Password reveal button (Win8/IE)

Credential (Device) Guard

Separates credentials from LSASS memory into the isolated LSAISO process
  isolated "VM"

Requirements
  Windows 10/2016
  HW virtualization, Hyper-V
  UEFI firmware (BIOS) that stores environment variables (UEFI lock)
  Secure Boot: boot process digital signatures

Disable Device Guard with UEFI lock

DOMAIN USER ACCOUNTS

Advanced Windows Security

Domain User Accounts

Stored in Active Directory database

Password hashes (MD4)
  stores Digest (MD5) hashes since Windows 2003
  stores AES keys (SHA-1 based) since Windows 2008

Two logins
  user principal name ([email protected])
  SAM account name (GPS\kamil)

Can enforce password policies
  domain-wide using Group Policy
  per users/groups using Granular Password Policies

Logins

User Principal Name ([email protected])
  userPrincipalName attribute
  up to 1023 characters
  recommended max64@max64
  configurable UPN suffixes
  must be unique forest-wide

SAM Account Name (GPS\kamil)
  sAMAccountName attribute
  up to 20 characters
  always bound to the NetBIOS domain name

Alternative UPN Suffixes

Lab: Alternative UPN Suffixes

On GPS-DC open the Active Directory Domains and Trusts console

Right-click at the root of the console

Select Properties

Verify the following alternative UPN suffixes: gopas.cz

Open ADUC console on ELRN-DC

Modify UPN for ELEARNING\jan: [email protected]

Listing all UPN logins from Global Catalogue (GC)

Domain Password Policies

Group Policy based
  domain wide
  can be defined in any GPO linked to the domain (you can use Default Domain Policy or create a new one)

Granular (Fine-grained) Password Policies
  applied to users and/or groups
  require Windows 2008 Domain Functional Level (DFL)

Default Domain Policy

Granular Password Policies

Lab: GPO Password Policies

On GPS-DC open the GPMC console

Create a new GPO for the domain
  name: Security: Common User Passwords
  link to: gopas.virtual
  enforced: yes

Define password policies in the newly created GPO
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 15 attempts
  account lockout duration: 3 minutes

Lab: Granular Password Policies

On GPS-DC open the ADSI Edit console

Create a new Granular Password Policies object in CN=Password Policies,CN=System,DC=gopas,DC=virtual
  name: Admin Passwords

Define password policies in the newly created PSO
  psoAppliesTo: Admin Accounts
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 5 attempts
  account lockout duration: until manual unlock

Password Change vs. Reset

Change password

anybody who knows the original password

all password policies apply

Reset password

only Domain Admins and Account Operators

no history, no minimum age

Account vs. Password Expiration

Password expiration
  after the policy-configured time
  User Must Change Password at Next Logon
  cannot log on; in fact may not be able to change the password remotely over VPN or web applications
  affects smart cards

Account expiration
  cannot log on after a specific time regardless of password validity
  affects smart cards

Account vs. Password Expiration

Computer Account

Just a special user account: DOMAIN\COMPUTER$

Password stored in registry
  HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC
  changed regularly every 30 days (when online)

Computer Account Password Changes

Optional lab: Computer account password corrupted

Use Hyper-V console to revert GPS-WKS back to a previous password

Use NETDOM RESETPWD to enforce a computer password change
  NETDOM RESETPWD /Server:GPS-DC /UserD:gps\domain-admin /PasswordD:Pa$$w0rd

Symptom: Trust relationship between this workstation and the primary domain failed

Lab: GPS-WKS$ network access

On GPS-WKS start CMD under the SYSTEM account
  psexec -s -i -d cmd

Try accessing the \\GPS-DC\Public share

On GPS-DC, change NTFS permissions of the C:\Service\Public folder to DENY access to the GPS-WKS$ account

Verify that the GPS-WKS machine loses access

Verify that the Kamil user account still has access

Password Policy Exceptions

Computer, Managed Service Accounts, Trusts
  no password policies
  password never expires
  never lock out

Built-in Administrator account (the -500 SID)
  never locks out
  when disabled, can still log on in Safe Mode
  can log on with more than 1025 SIDs in the Access Token (gets trimmed)

Lab: Computer account group

AUTHENTICATION MECHANISMS

Advanced Windows Security

Lab: Connect GPS-DATA to Domain

On GPS-DC start ADUC console

Create GPS-DATA computer account in OU=Computers
  name: GPS-DATA
  who can connect to domain: SRV Admins

Log on to GPS-DATA and connect the machine to the domain
  domain name: gopas.virtual
  user name: srv-admin

Add SRV Admins group to local Administrators

Windows Authentication

Basic
  clear-text, may be transferred over TLS/SSL
  RDP/TS, IIS, SMTP, POP3, Telnet, LDAP Simple Bind
  no SSO (single sign-on)

NTLM
  hashed, MD4 + MD5-HMAC
  fall-back method when Kerberos cannot be used

Kerberos
  hashed, MD4 + RC4/DES/AES
  default authentication, can use smart cards

Schannel = TLS Client Certificate logon
  RSA/EC private key for TLS/SSL communications

CHAP/Digest
  MD5 authentication
  RADIUS/IAS/NPS/IIS

Network Authentication Principle

[Figure: the Client sends login + identity proof in-band to the member server (FS, SQL, Web); the server performs pass-through authentication with the DC]

Kerberos Requirements

Domain user from a domain computer to a domain member server

Forest trusts only NTLM is used on External Trusts

Internet Explorer only in local intranet sites and trusted sites (since IE7)

IP addresses always use NTLM

Many other more complex requirements (GOC16) time, SPN, ...

NTLM and Schannel network logon

[Figure: Client (2000+) sends the NTLM hash proof in-band with the app traffic to the Server (2000+); the server passes the NTLM hash through to a DC (2000+) over SMB / D/COM (dynamic TCP)]

Kerberos network logon (basic principle)

[Figure: Client (2000+) obtains a TGT for the user from the DC (2000+), then a TGS ticket for the Server (2000+), and presents the TGS ticket in-band with the app traffic]

Kerberos network logon (complete)

[Figure: as in the basic principle (TGT for the user, TGS ticket for the Server presented in-band), plus occasional PAC validation by the server against a DC (2000+) over SMB / D/COM (dynamic TCP)]

Tools for Kerberos

KLIST
  lists Kerberos tickets
  purges ticket cache
  built into Windows 7/2008 R2, member of AD RSAT in Windows Vista/2008

KERBTRAY
  GUI version of the same for Windows 2003/XP
  member of Windows Resource Kit

Auditing Account Logon Events

Windows Vista/2008+ can use granular auditing

Logon auditing

Account Logon Event

"authentication event"

when an account database validates credentials

Logon Event

"session event"

every time an Access Token is created or closed

Auditing (2000+)

Granular auditing (2008/Vista+)

Auditing (Interactive Logon)

[Figure: Client logs on interactively: 1 Account Logon event on the DC, 2 Logon event on the Client; SQL, FS and WFE are not involved]

Logon types

Type Value

Interactive 2

Network 3

Batch 4

Service 5

Unlock 7

NetworkCleartext 8

NewCredentials 9

RemoteInteractive 10

CachedInteractive 11

CachedRemoteInteractive 12

CachedUnlock 13

Status codes

Status Value

STATUS_WRONG_PASSWORD 0xC000006A

STATUS_PASSWORD_RESTRICTION 0xC000006C

STATUS_LOGON_FAILURE 0xC000006D

STATUS_ACCOUNT_RESTRICTION 0xC000006E

STATUS_INVALID_LOGON_HOURS 0xC000006F

STATUS_INVALID_WORKSTATION 0xC0000070

STATUS_PASSWORD_EXPIRED 0xC0000071

STATUS_ACCOUNT_DISABLED 0xC0000072

STATUS_LOGON_NOT_GRANTED 0xC0000155

STATUS_LOGON_TYPE_NOT_GRANTED 0xC000015B

STATUS_ACCOUNT_EXPIRED 0xC0000193

STATUS_PASSWORD_MUST_CHANGE 0xC0000224

STATUS_ACCOUNT_LOCKED_OUT 0xC0000234

Download err.exe

version 2008 http://www.microsoft.com/en-us/download/details.aspx?id=985

most up-to-date version

SDK for Windows 8.1 http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
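As an added example (not part of the slides), the following PowerShell decodes 4625 failed-logon events with the logon-type and status-code tables above and groups them per account, so a burst approaching the lab's lockout threshold is visible before the 4740 event appears. It assumes the right to read the Security log (Manage auditing and security log) and PowerShell 3 or newer; the function names are this example's own.

```powershell
# Logon types and NTSTATUS names from the slides. PowerShell hashtable keys are
# case-insensitive, so the lowercase hex that the event XML carries matches as well.
$LogonTypeNames = @{
    2 = 'Interactive';      3 = 'Network';             4 = 'Batch'
    5 = 'Service';          7 = 'Unlock';              8 = 'NetworkCleartext'
    9 = 'NewCredentials';  10 = 'RemoteInteractive';  11 = 'CachedInteractive'
   12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
$StatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD';       '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE';        '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS';  '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED';     '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000155' = 'STATUS_LOGON_NOT_GRANTED';    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED';      '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <Data Name="...">value</Data> elements of the event into a hashtable
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-FailedLogon {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            # Status is usually the generic 0xC000006D; SubStatus carries the precise reason
            $reason = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $LogonTypeNames[[int]$d.LogonType]
                Reason      = if ($StatusNames.ContainsKey($reason)) { $StatusNames[$reason] } else { $reason }
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
            }
        }
}

function Get-LockoutCandidate {
    # Accounts whose wrong-password failures in the window reach the threshold set in the lab GPO (15)
    param([int]$Hours = 1, [int]$Threshold = 15)
    Get-FailedLogon -Hours $Hours |
        Where-Object { $_.Reason -eq 'STATUS_WRONG_PASSWORD' } |
        Group-Object Account |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group | Select-Object -ExpandProperty SourceIP -Unique) -join ', '
            }
        }
}

Get-FailedLogon -Hours 24 | Format-Table -AutoSize
Get-LockoutCandidate
```

Run it on GPS-DC after the authentication auditing GPO from the lab is in place; on a member server it shows only the failures that server itself recorded.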

Logon sessions

# one row per logon session (LUID), with the account that owns it;
# LogonId is a decimal string and can exceed Int32 on a long-running machine, hence [uint64]
gwmi Win32_LogonSession |
  select LogonId,
         @{ n = 'LogonIdHex' ; e = { '0x{0:X}' -f ([uint64] $_.LogonId) } },
         AuthenticationPackage,
         LogonType,
         StartTime,
         @{ n = 'Login' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand Caption } },
         @{ n = 'SID' ; e = { $_.GetRelated('Win32_Account') | select -f 1 | select -Expand SID } }

Auditing (Network session)

[Figure: Client connects to SQL, FS or WFE over the network: 1 Account Logon event on the DC, 2 Logon event on the accessed server]

Account lockout

[Figure: repeated failed logons from the Client against SQL, FS or WFE are recorded as Logon failure events ID 4625 (Nx); the DC records the lockout as an Account Management event ID 4740 (Mx)]

Auditing (Interactive logoff)

[Figure: the Logoff event is recorded on the Client immediately at logoff]

Auditing (Network session)

[Figure: the Logoff event is recorded on the server (SQL, FS, WFE) when the TCP connection is closed]

Lab: Auditing Authentication

On GPS-DC open the GPMC console

Create a new GPO for the domain
  name: Security: Authentication Auditing
  link to: gopas.virtual
  enforced: yes

Enable auditing of Account Logon events
  Computer – Windows Settings – Local Policies – Security Settings – Advanced Audit Policy Configuration – Account Logon
  enable all audit subcategories

Refresh policy on GPS-DC by using GPUPDATE

Lab: Kerberos

On GPS-WKS open CMD

Use KLIST /PURGE to purge Kerberos ticket cache

Type DIR \\GPS-DC\SYSVOL\gopas.virtual\Policies

Use KLIST to list Kerberos tickets

Note the KRBTGT user ticket with Initial flag

Note the CIFS ticket for the shared files

Note that AES is used as an encryption mechanism

Lab: NTLM

On GPS-WKS open CMD

Use KLIST /PURGE to purge Kerberos ticket cache

Type DIR \\10.10.0.11\SYSVOL\gopas.virtual\Policies

Use KLIST to list that there are no Kerberos tickets

Lab: Verifying Audit Events

On GPS-DC open Event Viewer console

Open Security log

Filter out all events except for the following:

Event sources: Microsoft Windows Security Auditing

Task category:

Kerberos Authentication Service

Kerberos Service Tickets

Credentials Validation

Lab: Audit process tracking

Auditing Example

[Figure: VPN client authenticating through RADIUS (NPS) against the DC: 1 Account Logon event, 2 Logon event, 3 NPS event]

NTLM Versions

LM
  obsolete, insecure, using LM hashes
  default on Windows XP SP3, should be disabled

NTLM
  newer, MD4 + DES, still some security concerns
  default on Windows 2003, can be disabled

NTLMv2
  newest, MD4 + MD5-HMAC
  supported by Windows 98 DSClient, NT 4.0 SP4 and newer

Upgrading NTLM Version

Lab: Enforcing NTLMv2

On GPS-DC open the GPMC console

Create a new GPO for domain

name: Security: NTLMv2

link to: gopas.virtual

enforced: yes

Enforce NTLMv2

Computer – Windows Settings – Local Policies – Security Options – LAN Manager authentication level: Send NTLMv2 response only

Kerberos AES enforcement

lastLogon, lastLogonTimestamp

Active Directory attributes of user accounts

lastLogon
  precise time of the last identity validation
  not replicated

lastLogonTimestamp
  DFL 2003+
  replicated
  updated only once per 14 days

Last interactive logon time

Alternative identities

NET USE \\gps-data
NET USE \\gps-data.gopas.virtual
  is a different target than \\gps-data, you can use other credentials
NET USE \\10.10.0.21
  is still different from the previous two, you can use yet another user account

RUNAS /user
  must have local logon

RUNAS /netonly /user
  supplies different network credentials for the current user
  does not need any local logon

LSASS caches alternate identities during the logon session
  NET USE \\gps-data /user:GPS\helena
  NET USE \\gps-data /user:GPS\leos
  error 1219: Multiple connections to a server by the same user, using more than one user name, are not allowed
  must log off or NET USE /DELETE

USER RIGHTS

Advanced Windows Security

Permissions vs. Rights

Permissions

object based access control

NTFS, registry, LDAP, printers, windows, desktops, SQL server, ...

Rights (Privileges)

not everything can be considered an object

Restart/Shutdown, Logon, ...

Permissions

User Rights Assignment

Types of User Rights

Logon
  logon locally, from network, as batch job
  Deny variant exists

Actions
  shutdown the system, change system time, synchronize AD, manage auditing, impersonate, enable delegation, create pagefile, volume maintenance, ...

Forcible Overrides
  take ownership, add workstation to domain, bypass traverse checking, backup (read all), restore (write all)

Granting and Enabling

Users must be granted user rights in local policy (or GPO)

Processes must enable the user right once they want to perform the action

backup application enables the backup right only for the duration of the backup operation

Event Viewer enables the security right to list Security event log

Tools for User Rights

WHOAMI /ALL

lists user rights and their state for the current command line process

PROCEXP

list user rights and their state for any process

Lab: User Rights

Log on to GPS-WKS as Kamil
  the user is a member of local Administrators

Start CMD
Start Event Viewer and browse the Security event log
Start Notepad as Helena
  Helena is a member of the regular Users group only

Start PROCEXP, open Properties of the processes and switch to the Security tab
  verify the list of user rights
  verify that some user rights are granted while some of them are also enabled

Lab: BATCH SID

On GPS-DC create a service account for the BACKUP job
  user: job-backup
  options: password never expires, user cannot change password

On GPS-DATA create an empty scheduled task called BACKUP using the gps\job-backup account

Troubleshoot the scheduled job startup with Event Viewer and/or the T:\ERR tool

Using PROCEXP verify that the BATCH SID is injected into the process's access token

Lab: Allow Credential Manager on the server to store the scheduled task password

Lab: Log on as a batch job in GPO

Flow of Access Control

[Figure: two paths to the Disk, both ending at the NTFS Permissions check. Network access: Authentication (Kerberos / NTLM) – Access this Computer from Network right – Access Token. Local access: Authentication (Kerberos / NTLM) – Allow Logon Locally right – Access Token]

USER ACCOUNT CONTROL

Advanced Windows Security

UAC prompts – Run as administrator

Restricted Users

Users often work as local Administrators
  users on workstations/notebooks
  local administrators on servers

We may want to restrict their default permissions and rights
  allow them to elevate if required

Does not apply to remote (network) connections

UAC Options on Windows 7

UAC Options on Windows 8

Only display settings

You must use the policy

Restricting Local Administrators

Windows XP and newer can restrict local Administrators
  enforced by default on Windows Vista+
  must use Run As on Windows XP

LSASS can issue a restricted access token
  Administrators and Domain Admins groups are marked as Deny
  only basic user rights enabled

LSASS maintains two separate Kerberos ticket caches

“Deny” Groups in Access Token

User is not a member of the group for Allow ACEs
  if something is granted to the group, it does not apply

User is a member of the group for Deny ACEs
  if something is explicitly denied to the group, it still applies
  not a common case for Administrators, but still good to know
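Added example, not from the slides: it parses WHOAMI /GROUPS output for the current process and shows the three token facts discussed in this deck, the logon-type SIDs that are added automatically, how close the token is to the 1025-SID limit, and whether Administrators is present only as a deny-only group (UAC filtered token). It assumes English WHOAMI output; the function names are this example's own.

```powershell
# Well-known logon-type SIDs (System SIDs slide); one of them lands in every token
$LogonTypeSids = @{
    'S-1-5-2'  = 'NETWORK'
    'S-1-5-3'  = 'BATCH'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-6'  = 'SERVICE'
    'S-1-5-14' = 'REMOTE INTERACTIVE LOGON'
}

function Get-TokenGroupReport {
    # WHOAMI /GROUPS /FO CSV prints the columns "Group Name","Type","SID","Attributes"
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Name      = $row.'Group Name'
            Type      = $row.Type
            SID       = $row.SID
            LogonType = $LogonTypeSids[$row.SID]           # $null unless it is a logon-type SID
            Enabled   = $row.Attributes -match 'Enabled group'
            DenyOnly  = $row.Attributes -match 'deny only'  # "Group used for deny only"
        }
    }
}

function Get-TokenSummary {
    # The integrity label row is not a group; leave it out of the SID count
    $groups   = @(Get-TokenGroupReport | Where-Object { $_.Type -ne 'Label' })
    $deny     = @($groups | Where-Object { $_.DenyOnly })
    $sidCount = $groups.Count + 1                           # groups plus the user's own SID
    [pscustomobject]@{
        User           = whoami
        SidCount       = $sidCount
        NearSidLimit   = $sidCount -gt 1000                 # hard limit from the slides: 1025 SIDs
        LogonTypes     = @($groups | Where-Object { $_.LogonType } | ForEach-Object { $_.LogonType }) -join ', '
        # Administrators (S-1-5-32-544) present only as deny-only = UAC filtered, non-elevated token
        UacFiltered    = [bool]($deny | Where-Object { $_.SID -eq 'S-1-5-32-544' })
        DenyOnlyGroups = @($deny | ForEach-Object { $_.Name }) -join ', '
    }
}

Get-TokenGroupReport | Format-Table Name, SID, LogonType, Enabled, DenyOnly -AutoSize
Get-TokenSummary
```

Run it once from a plain CMD and once from a "Run as administrator" CMD on GPS-WKS to see UacFiltered flip, which is the same comparison the UAC lab makes with WHOAMI /ALL.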

Deny Group in Access Token

Lab: User Account Control

On GPS-WKS enable UAC and restart
Log on as Kamil on GPS-WKS
  the user is a member of local Administrators

Start CMD and Notepad
Start CMD and Notepad with Run as Administrator
Use WHOAMI /ALL to see whether the Administrators group is or is not marked as Deny
Use PROCEXP to see the same for Notepad
Using PROCEXP verify that the elevated processes are granted more user rights
Use KLIST in both CMD windows to see two distinct Kerberos ticket caches

UAC on Windows XP and 2003

Flow of Access Control

[Figure: the same two paths to the Disk as before (Authentication Kerberos / NTLM – Access this Computer from Network or Allow Logon Locally – Access Token – NTFS Permissions), with the local path now producing a UAC Restricted access token]

Remote UAC

Enabled over network for non-domain accounts
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  LocalAccountTokenFilterPolicy = DWORD = 1
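The labs set most of these options through GPO; this added check (not from the slides) reads the registry values those policies write, so a workstation can be verified after GPUPDATE: NoLMHash, LmCompatibilityLevel (3 = Send NTLMv2 response only), CachedLogonsCount, DisableCAD, PromptOnSecureDesktop and LocalAccountTokenFilterPolicy. The pass conditions are this example's own choices following the deck; the function names are hypothetical.

```powershell
# Each check: the GPO setting as named in the deck, the registry value it writes, and a pass test.
# A $null actual value means the key or value does not exist.
$Checks = @(
    @{ Name = 'Do not store LAN Manager hashes (NoLMHash = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'NoLMHash'
       Pass = { param($v) $v -eq 1 } },
    @{ Name = 'LAN Manager authentication level (3 = Send NTLMv2 response only, or stricter)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LmCompatibilityLevel'
       Pass = { param($v) ($null -ne $v) -and ($v -ge 3) } },
    @{ Name = 'Number of previous logons to cache (REG_SZ, default 10; 0 disables the cache)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'CachedLogonsCount'
       Pass = { param($v) ($null -ne $v) -and ([int]$v -le 10) } },
    @{ Name = 'Require CTRL+ALT+DEL (DisableCAD = 0)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableCAD'
       Pass = { param($v) $v -eq 0 } },
    @{ Name = 'UAC prompts on the secure desktop (PromptOnSecureDesktop = 1)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'PromptOnSecureDesktop'
       Pass = { param($v) $v -eq 1 } },
    # 1 hands local administrator accounts a full token over the network (Remote UAC off);
    # absent or 0 keeps the filtering on
    @{ Name = 'Remote UAC kept on (LocalAccountTokenFilterPolicy absent or 0)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'LocalAccountTokenFilterPolicy'
       Pass = { param($v) ($null -eq $v) -or ($v -eq 0) } }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-LsaSettingsAudit {
    foreach ($c in $Checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Value
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
            Pass    = [bool](& $c.Pass $actual)
        }
    }
}

Invoke-LsaSettingsAudit | Format-Table -AutoSize -Wrap
```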

Lab: UAC for Desktop computers

GROUP POLICY

Advanced Windows Security

Security in Group Policy

Policies (always enforced)
  Passwords and Lockout
  Auditing
  User Rights
  Restricted Groups
  Services

Preferences (may be one-time)
  Local Users and Groups
  Files and Folders
  Services

Tools to Verify GP Application

RSOP.MSC

GPRESULT /V

GPRESULT /H report.htm

The only local tool to show Group Policy Preferences

Group Policy Management (GPMC)

Group Policy Results

Group Policy Modeling

RSOP.MSC

RSOP.MSC

GPRESULT /H (includes GPO Preferences)

WMI Filters

Local filtering on the target machines

Uses WMI tables
  Win32_OperatingSystem
  Win32_ComputerSystem
  Win32_Environment
  Win32_LogicalDisk
  Win32_Service
  Win32_Process

Varying OS support, always GOOGLE for documentation

WMI Filters - Examples

Win32_OperatingSystem ProductType = 1 = Workstation

ProductType = 2 = DC

ProductType = 3 = Server

Version = 6.2 = Windows 8, Windows 2012

Version = 6.1 = Windows 7, Windows 2008 R2

Version = 6.0 = Windows Vista, Windows 2008

Version = 5.2 = Windows XP 64bit, Windows 2003

Version = 5.1 = Windows XP

Version = 5.0 = Windows 2000

OSArchitecture = 32-bit / 64-bit (2008/Vista+ only)

WMI Filters - Examples

Win32_ComputerSystem

SystemType = 64-bit / x86

TotalPhysicalMemory

DNSHostName

WMI Filters for Servers

Lab: Create Server and Workstation WMI Filters

On GPS-DC start GPMC console

Create new WMI filter
  name: Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3

Create new WMI filter
  name: Workstation
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1

Create new WMI filter
  name: Workstation or Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3
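The lab's three WMI filters can be dry-run on a machine before the GPO is linked, which is the usual way to find out why a policy did or did not apply. This is an added example, not part of the course material; the function names are this example's own and the ProductType labels follow the table above.

```powershell
# The three WQL filters from the lab
$LabFilters = @{
    'Server'                = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'
    'Workstation'           = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
    'Workstation or Server' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3'
}

# Win32_OperatingSystem.ProductType values from the WMI Filters - Examples slide
$ProductTypeNames = @{ 1 = 'Workstation'; 2 = 'DC'; 3 = 'Server' }

function Test-WmiFilter {
    param([string]$Query, [string]$ComputerName = $env:COMPUTERNAME)
    # The Group Policy client treats a filter as matching when the query returns at least one instance
    $instances = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    return $instances.Count -gt 0
}

function Get-OsFilterFacts {
    # The properties the example filters on the slides compare against
    param([string]$ComputerName = $env:COMPUTERNAME)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    [pscustomobject]@{
        Computer     = $cs.DNSHostName
        ProductType  = "$($os.ProductType) ($($ProductTypeNames[[int]$os.ProductType]))"
        Version      = $os.Version          # e.g. 6.1.7601; the slide table lists the major.minor part
        Architecture = $os.OSArchitecture   # 2008/Vista+ only
        SystemType   = $cs.SystemType
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    }
}

Get-OsFilterFacts
foreach ($name in ($LabFilters.Keys | Sort-Object)) {
    [pscustomobject]@{ Filter = $name; Applies = Test-WmiFilter -Query $LabFilters[$name] }
}
```

Exactly one of "Server" and "Workstation" should report Applies = True on a member machine, and "Workstation or Server" should be True on both; a DC (ProductType 2) matches none of the three.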

COMPUTER ENVIRONMENT

Advanced Windows Security

Admin Role Separation

[Figure: one admin account per tier: domain-admin for the DCs, fs-admin for the file servers FS1–FS3, wks-admin for the workstations (WKS), ntb-admin for the notebooks (NTB), web-admin for the web front-ends WF1–WF2, sql-admin for the database servers DB1–DB2, is-admin]

Admin Role Separation

[Figure: reduced variant: domain-admin for the DCs, fs-admin for FS1–FS3, ntb-admin and wks-admin for notebooks and workstations, sql-admin for DB1–DB2, with WF1–WF2 also shown]

Admin Role Separation

[Figure: simplest variant: domain-admin for the DCs, srv-admin for all servers (SRV), wks-admin for workstations (WKS) and notebooks (NTB)]

Lab: Admin Groups

On GPS-DC start ADUC console

Create SRV Admins group in OU=Service

Create WKS Admins group in OU=Service

Create srv-admin account in OU=Service name: srv-admin

options: Password never expires

member of: Domain Users, Admin Accounts, SRV Admins

Create wks-admin account in OU=Service name: wks-admin

options: Password never expires

member of: Domain Users, Admin Accounts, WKS Admins

Restricted Groups

Group Policy setting

supported since Windows 2000

Can be used to grant local group membership to domain groups

Is enforced

if you want add/remove functionality, use Group Policy Preferences

SRV Admins Group in Local Administrators

GPO Preferences and Local Groups

Require optional update
  Windows XP, Windows 2003, Windows Vista

Can be changed from local GUI
  reapplied at every GPO refresh (120 minutes)

Are not removed with the GPO
  Restricted Groups return the local setting to its original

GPO Preferences and Groups

Lab: Make SRV Admins Group Member of Local Administrators

On GPS-DC start GPMC console

Create new GPO for the domain OU=Computers
  name: Security: SRV Accounts
  link to: gopas.virtual
  WMI filter: Servers
  enforced: yes

Use the Restricted Groups feature to add the SRV Admins group as a member of the local Administrators group
  Computer – Windows Settings – Security Settings – Restricted Groups
  new group: SRV Admins
  is member of: Administrators

Lab: Make WKS Admins Group Member of Local Administrators

On GPS-DC start GPMC console

Create new GPO for the domain OU=Computers
  name: Security: WKS Accounts
  link to: gopas.virtual
  WMI filter: Workstations
  enforced: yes

Use the Restricted Groups feature to add the WKS Admins group as a member of the local Administrators group
  Computer – Windows Settings – Security Settings – Restricted Groups
  new group: WKS Admins
  is member of: Administrators

Lab: Connect GPS-WFE Securely to Domain

On GPS-DC start ADUC console

Create GPS-WFE computer account in OU=Computers

name: GPS-WFE

who can connect to domain: SRV Admins

Log on to GPS-WFE and connect the machine to domain

domain name: gopas.virtual

user name: srv-admin

Disable -500 Admins

GROUPS AND GROUP SCOPES

Advanced Windows Security

Groups

Security groups

have SID

evaluated during logon

Distribution groups

have SID

are not evaluated during logon

can be used by applications (such as Exchange)

Group Scopes and Usage

Local
  can be used on individual computers
Built-in Domain Local
  can be used on all DCs of a domain
Domain Local
  can be used on all members of the domain
Global
  can be used in all other domains of the same forest or in other domains over trusts
Universal
  the same as global

Group Scopes and Membership

Local
  from any domain
Built-in Domain Local
  from any domain
Domain Local
  from any domain or trusted domains
Global
  from the same domain only
Universal
  from the same forest

My membership (single forest)

[Figure: user Jitka in domain A of a three-domain forest (A, B, C); the domain local (DL), global (G) and universal (U) groups of each domain that can appear in her membership according to the scope rules above]

My membership (single forest)

[Figure: the same picture with the domains CZ, SK and DE: Jitka in Czech Sales, with Slovak Sales, German Sales, DE SAP Access and SK Mkt Pictures as the DL, G and U groups involved]

Access to my local server (single forest)

[Figure: Jitka accessing the server DATA in her own domain A; which of the A, B and C DL, G and U groups are evaluated]

Access to a remote server (single forest)

[Figure: Jitka accessing the server DATA in another domain of the forest; which of the A, B and C DL, G and U groups are evaluated]

MS recommended philosophy

[Figure: A-G-DL-P (Account into Global group, Global into Domain Local group, Permissions on the Domain Local group) and A-G-U-DL-P across domains (Global groups collected in a Universal group, which is placed into the Domain Local group)]

MS recommended philosophy

[Figure: the same scheme applied: CZ Employees and World Employees as the Global / Universal groups, DE SAP Access as the Domain Local group carrying the SAP permissions]

2012 FFL OK philosophy, Exchange 2010+ recommended

[Figure: A-U-U-P: Account into Universal (Organization) group, into Universal (Resource) group, Permissions on the Resource group]

Group Limits

Access token

maximum 1025 SIDs

Kerberos ticket

default 10500 B to store groups

Global group = 8 B

Domain local group = 40 B

Universal group = 8/40 B

Different Forests

[Figure: Jitka's possible memberships (DL, G, U) in the domains A, B and C of her own forest and in the domain F of a different forest]

Lab: Groups

Try adding ELEARNING\Employees and BIKES\Bikers into GPS\Employees
  this should not work, because GPS\Employees is a global group

Create universal group GPS\IS Access
Try adding ELEARNING\Employees and BIKES\Bikers into GPS\IS Access
  BIKES\Bikers cannot be a member of a universal group from a different forest

Switch GPS\IS Access to a domain local group
Add BIKES\Bikers into GPS\IS Access

Lab: IS Access result

Flow of Access Control

[Figure: the Flow of Access Control picture for a user from domainB.local: Authentication (Kerberos / NTLM) – Access this Computer from Network or Allow Logon Locally – Access Token (UAC Restricted) containing accountDomain\Global, *\Universal and domainB\Domain local groups – NTFS Permissions – Disk]

Temporary AD group membership (FFL 2003)

[Figure: User account is made a member of a proxy group with a TTL, which in turn is a member of the real group; the membership change takes effect within the standard TGT lifetime]

Temporary AD objects (since FFL 2003)

dynamicObject class
  entryTTL = seconds

CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration
  ms-DS-Other-Settings:
    DynamicObjectDefaultTTLSeconds
    DynamicObjectMinTTLSeconds

Privileged Access Management feature (FFL 2016)

New AD optional feature: Privileged Access Management Feature
  Get-ADOptionalFeature

Add-ADGroupMember -MemberTimeToLive
  lowest lifetime propagates to Kerberos TGT tickets

Get-ADGroup -Properties Member -ShowMemberTimeToLive

LDP: LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309

Lab: SAP Access for 40 minutes

Create SAP Access group

Add gps\kamil with 40 minutes TTL
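Added example for this lab (not the course's own script), using the FFL 2016 PAM feature named above: it checks that the optional feature is enabled, adds the member with a TTL and reads the remaining lifetime back out of the <TTL=seconds,DN> form that -ShowMemberTimeToLive returns. The group SAP Access and user kamil are the lab's; the ActiveDirectory module and a forest at FFL 2016 are assumed, and the function names are this example's own.

```powershell
Import-Module ActiveDirectory

function Test-PamFeatureEnabled {
    # The feature is in effect only when it has at least one enabled scope (the forest)
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    return ($null -ne $feature) -and ($feature.EnabledScopes.Count -gt 0)
}

function Add-TemporaryGroupMember {
    param([string]$Group, [string]$Member, [int]$Minutes)
    if (-not (Test-PamFeatureEnabled)) {
        throw 'Privileged Access Management Feature is not enabled in this forest'
    }
    # The TTL becomes the upper bound of the member's Kerberos TGT lifetime, as the slide states
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

function Get-GroupMemberTtl {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        # Expiring members come back as <TTL=seconds,DN>; permanent members as a bare DN
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Temporary = $true }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; Temporary = $false }
        }
    }
}

# Lab: SAP Access for 40 minutes
Add-TemporaryGroupMember -Group 'SAP Access' -Member 'kamil' -Minutes 40
Get-GroupMemberTtl -Group 'SAP Access' | Format-Table -AutoSize
```

After the TTL runs out the member simply disappears from the group; running Get-GroupMemberTtl again shows that nothing is left to clean up, unlike the dynamicObject proxy-group approach below, which leaves the base group in place.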

Note: Autodelete groups

$ou = [ADSI] 'LDAP://OU=Company,DC=gopas,DC=virtual'
$user = [ADSI] 'LDAP://CN=Kamil,OU=People,OU=Company,DC=gopas,DC=virtual'
[int] $ttl = 20

# permanent group that carries the permissions
$baseGroup = $ou.Create('group', 'CN=IS Access')
$baseGroup.Put('sAMAccountName', 'IS Access')
$baseGroup.SetInfo()

# proxy group created as a dynamicObject: AD deletes it when entryTTL (seconds) runs out
$expiringGroup = $ou.Create('group', "CN=IS Access Expiring in $ttl minutes")
$expiringGroup.PutEx(2, 'objectClass', @('dynamicObject', 'group'))   # 2 = ADS_PROPERTY_UPDATE
$expiringGroup.Put('entryTTL', ($ttl * 60))
$expiringGroup.Put('sAMAccountName', "IS Access Expiring in $ttl minutes")
$expiringGroup.SetInfo()

# nest the proxy group into the permanent group and the user into the proxy group
$baseGroup.Add($expiringGroup.Path)
$expiringGroup.Add($user.Path)