BASIC SECURITY PRINCIPLES
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
Outline
User Identity and Access Tokens
Local User Accounts
Domain User Accounts
Authentication Mechanisms
User Rights
User Account Control
Group Policy Security Settings
Computer Environment
Groups and Group Scopes
USER IDENTITY AND ACCESS TOKENS
Advanced Windows Security
Windows Processes
Everything runs as a process
  some code runs in kernel mode, but mostly under the identity of the calling process
  interrupts, DPCs and the file cache execute without a user context
Every process runs under a user identity
  SYSTEM, Network Service, Local Service, local user, domain user
Access permissions are always checked
  there is no root superuser as in Unix
User Identity
User identity is represented as a SID
  NT Authority\SYSTEM = S-1-5-18
  NT Authority\Local Service = S-1-5-19
  NT Authority\Network Service = S-1-5-20
  BUILTIN\Administrators = S-1-5-32-544
  BUILTIN\Users = S-1-5-32-545
  local user = S-1-5-21-LocalSID-RID
  domain user = S-1-5-21-DomainSID-RID
Every process gets its own copy of an Access Token
  list of the user's SID and the SIDs of his groups
  created by LSASS.exe (Local Security Authority)
Access Token
Memory structure that contains user SID and the SIDs of his groups
identified by its Logon Session ID
Inherited by child processes
Cached after a successful interactive logon in registry
HKLM\Security\Cache
Policy: Number of Previous Logons to Cache
Limited to 1025 SIDs
Lab: indirect group membership in access token
Tools for Access Token
WHOAMI /ALL: built into Vista/2008 and newer; member of Support Tools for 2003/XP and older
PROCEXP: Process Explorer, download from http://live.sysinternals.com
PSEXEC: download from http://live.sysinternals.com
ADUC Attribute Editor: Active Directory Users and Computers console, select View - Advanced Features; can show user and group SIDs in AD
Lab: Access Token
Log on to GPS-WKS as Kamil
  use WHOAMI /ALL to investigate his access token
  verify that he is a member of the Administrators and Employees groups
  note his SID and the SIDs of his groups
Use PSEXEC -D -S -I CMD to start a command line under the SYSTEM account
  use WHOAMI /ALL to verify its access token
Use PSEXEC -D -I -U "NT Authority\Network Service" CMD to start a command line under the Network Service account
  use WHOAMI /ALL to verify its access token
Start PROCEXP and verify the contents of the access tokens of some processes
Start ADUC and use the Attribute Editor tab to verify user SIDs in Active Directory
System SIDs
Some SIDs are added automatically
INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON
Everyone, Authenticated Users, This Organization, NTLM Authentication
Lab: SERVICE SID
On GPS-DC create a service account for SNMPTRAP service
user: svc-snmp
options: password never expires, user cannot change password
On GPS-WKS reconfigure SNMP TRAP service to run under GPS\svc-snmp account
Using PROCEXP verify SERVICE SID injected into the processes access token
Translating SIDs with PowerShell
# SID -> name
'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value } }
# name -> SID
'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n = 'Name' ; e = { $_ } }, @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } }
# regular expression that picks a SID out of free text (for example an event log message)
$rxSID = '[Ss]-1(?:-\d+){1,}'
[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value
All BUILTIN SIDs
# walk the RIDs of the BUILTIN authority; RIDs that do not exist on this computer cannot be translated and are skipped
(1..1000) | % {
    $user = New-Object Security.Principal.SecurityIdentifier "S-1-5-32-$_"
    try {
        $name = $user.Translate([Security.Principal.NTAccount]).Value.Replace('BUILTIN\', '')
        Write-Host ("{0,35} = S-1-5-32-{1}" -f $name, $_)
    } catch {
        # no such BUILTIN group on this computer
    }
}
Everyone vs. Authenticated Users
Windows 2000-
Everyone = Authenticated Users + Anonymous Logon
Windows XP+
Everyone = Authenticated Users
can be changed back in security policy
Let Everyone permissions apply to Anonymous Users
Default Local Users Group
By default local Users group contains
Authenticated Users
Default security
Everyone = Authenticated Users = Users
Do not use any of the groups for securing resources
Lab: Verify (non)Access
Verify that the following users can log on to the GPS-WKS workstation
  [email protected] (Employee)
  [email protected] (Employee)
Verify that the following users cannot log on to GPS-WKS
  [email protected] (Contractor)
  [email protected] (account from the ELEARNING domain)
  BIKES\tanja (account from the BIKES domain)
LOCAL USER ACCOUNTS
Local User Accounts
Stored in the local registry: HKLM\SAM\Domains\Account
Password hashed (MD4)
  can be stored in full; Policy: Store passwords using reversible encryption
Can enforce password complexity and history
  Policy: Password complexity requirements
  Policy: Enforce password history
Single login: COMPUTER\username
LM Password Hashes
Windows 2003/XP store LM password hashes
  extremely insecure: the password is upper-cased and split into two 7-character halves
  remains in the Default Domain Policy GPO if the domain was installed with Windows 2003 or older
  kept for backward compatibility with Windows 95, 3.1, MS-DOS
Should be disabled as soon as possible
Lab: Disable LM Hashes
On GPS-DC open the GPMC console
Create a new GPO for domain
name: Security: LM Hashes Disabled
link to: gopas.virtual
enforced: yes
Disable LM hashes
Computer – Windows Settings – Local Policies -Security Options – Do not store LAN Manager hashes on next password change
Lab: Cracking Local Passwords with Cain
Log on to GPS-WKS as gps\kamil
Install Cain & Abel tool
Switch to Cracker tab
Import LM&NTLM hashes from local system
Perform Brute-Force Attack on one of the hashes
http://hashcat.net performance
Brute-Force vs. Rainbow Tables
Brute-force
generate all the possible hashes
taking time for the generation
ca 80x per additional character
Rainbow Tables
use pre-generated, sorted list of hashes
taking one-time for the generation
taking space to store the database
ca 40x per additional character
Local Password Policies
Password Policies
Minimum recommended length: 10 characters
http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145
Minimum password age: the setting is necessary only to enforce password history
Password complexity "3 of 4": at least three of a-z, A-Z, 0-9, #^%&*
  must not contain 3 or more consecutive characters from the user's login
Complex Passwords
Simple examples
September2012
John-Lennon
Buldo-zer56
Login considered
login: ondrej
Invalid password: J@mES-BonD38
Sensitive memory information
LSASS.exe holds
  the hashes of the currently logged-on users
  the plain-text passwords of the currently logged-on users
  credentials of processes, services, jobs and IIS app pools
Only local administrators can attack it online (debug privilege)!
Windows 8/2012 and older: password + MD4 hash + LM hash (always)
Windows 8.1/2012 R2 and newer: MD4 hash (+ password if RDP SSO); LM hash only if enabled
Extract passwords/hashes
Pass-the-hash
Sensitive information stored permanently
Only local administrators can extract online
  local user password hashes from the registry
  plain-text passwords of services, scheduled tasks and IIS app pools
Users can extract their own online
  IE stored passwords
  RDP stored passwords
  stored Windows credentials
  software keylogging
Offline extraction: anything stored permanently, except what is protected with SYSKEY
Permanently stored system-wide information
HKLM\SAM: local user account hashes (LM, MD4); not salted = rainbow tables / brute force
HKLM\SECURITY\Cache: domain user account hash cache (1000x SHA-1), salted with the username = brute force
HKLM\SECURITY\Policy\Secrets: LSA secrets, plain-text passwords for services, DefaultPassword, VPN (dialup) passwords
%windir%\System32\Config\SystemProfile\AppData\Local\Microsoft\Credentials: scheduled task plain-text passwords, protected with DPAPI
Permanently stored system-wide and per-user information
IIS application pool accounts: plain-text in applicationHost.config (DPAPI protected)
  appcmd list apppool /text:*
NPS RADIUS clients: plain-text shared secrets
  netsh nps export exportpsk=yes
Per user: Windows Vault / Stored User Names and Passwords (DPAPI)
  %userprofile%\AppData\Roaming\Microsoft\Credentials
  %userprofile%\AppData\Local\Microsoft\Vault
Online fake password prompts
Require CTRL-ALT-DEL
Require secure desktop UAC confirmation
Require CTRL-ALT-DEL
Require secure UAC prompts
Do not allow "Stored user names and passwords" (WKS only vs. scheduled jobs)
Do not allow IE caching passwords (basic/forms)
IE 7,6,…
HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings
DisablePasswordCaching = 1
IE 8,9,10
disable Credential Manager
IE 11 HKCU\Software\Microsoft\Internet Explorer\Main
FormSuggest Passwords = no
Do not allow browser caching passwords (basic/forms)
Edge
HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main
FormSuggest Passwords = no
Chrome for Business ADMX template
Other browser issues
Block Flash in IE, Edge, Chrome
Block other ActiveX plugins
Password reveal button (Win8/IE)
Credential (Device) Guard
Credentials (Device) Guard
Credentials separated from LSASS memory into LSAISO (an isolated "VM")
Requirements
  Windows 10/2016
  HW virtualization (Hyper-V)
  UEFI firmware (BIOS) that stores environment variables (UEFI lock)
  Secure Boot (digital signatures of the boot process)
Domain User Accounts
Stored in Active Directory database
Password hashes (MD4)
  stores Digest (MD5) since Windows 2003
  stores AES (SHA-1) since Windows 2008
Two logins
  user principal name ([email protected])
  SAM account name (GPS\kamil)
Can enforce password policies
  domain-wide using Group Policy
  per users/groups using Granular Password Policies
Logins
User Principal Name ([email protected]) userPrincipalName attribute
up to 1023 characters
recommended max64@max64
configurable UPN suffixes
must be unique forest-wide
SAM Account Name (GPS\kamil) sAMAccountName attribute
up to 20 characters
always bound to NetBIOS domain name
Alternative UPN Suffixes
Lab: Alternative UPN Suffixes
On GPS-DC open the Active Directory Domains and Trusts console
Right-click at the root of the console
Select Properties
Verify the following alternative UPN suffixes gopas.cz
Open ADUC console on ELRN-DC
Modify UPN for ELEARNING\jan [email protected]
Listing all UPN logins from Global Catalogue (GC)
Domain Password Policies
Group Policy based
domain wide
can be defined in any GPO attached to domain (you can use Default Domain Policy or create a new one)
Granular (Fine-grained) Password Policies
applied to users and/or groups
require Windows 2008 Domain Functional Level (DFL)
Lab: GPO Password Policies
On GPS-DC open the GPMC console
Create a new GPO for the domain
  name: Security: Common User Passwords
  link to: gopas.virtual
  enforced: yes
Define password policies in the newly created GPO
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 15 attempts
  account lockout duration: 3 minutes
Lab: Granular Password Policies
On GPS-DC open the ADSI Edit console
Create a new Granular Password Policies object in CN=Password Policies,CN=System,DC=gopas,DC=virtual
  name: Admin Passwords
Define password policies in the newly created PSO
  psoAppliesTo: Admin Accounts
  minimum password length: 8 (we want to keep Pa$$w0rd)
  minimum password age: 0
  password complexity requirements: enabled
  regular password change: 90 days
  account lockout threshold: 5 attempts
  account lockout duration: until manual unlock
Password Change vs. Reset
Change password
anybody who knows the original password
all password policies apply
Reset password
only Domain Admins and Account Operators
no history, no minimum age
Account vs. Password Expiration
Password expiration after policy configured time
User Must Change Password at Next Logon
  cannot log on; in fact the user may not be able to change the password remotely over VPN or web applications
  affects smart cards
Account expiration
  cannot log on after a specific time, regardless of password validity
  affects smart cards
Computer Account
Just a special user account
DOMAIN\COMPUTER$
Password stored in registry
HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC
changed regularly every 30 days (while the computer is online)
Computer Account Password Changes
Optional lab: Computer account password corrupted
Use Hyper-V console to revert GPS-WKS back to a previous password
Use NETDOM RESETPWD to enforce a computer password change:
  NETDOM RESETPWD /Server:GPS-DC /UserD:gps\domain-admin /PasswordD:Pa$$w0rd
Symptom of a corrupted computer password: "Trust relationship between this workstation and the primary domain failed"
Lab: GPS-WKS$ network access
On GPS-WKS start CMD under SYSTEM account
psexec -s -i -d cmd
Try accessing the \\GPS-DC\Public share
On GPS-DC, change NTFS permissions of the C:\Service\Public folder to DENY access to the GPS-WKS$ account
Verify that the GPS-WKS machine loses access
Verify that the Kamil user account still has access
Password Policy Exceptions
Computer, Managed Service Accounts, Trusts
no password policies
pwd never expire
never lock out
Built-in Administrator account (the -500 SID)
never lock out
when disabled, can log on in Safe Mode
can log on with more than 1025 SIDs in Access Token (gets trimmed)
Lab: Computer account group
AUTHENTICATION MECHANISMS
Lab: Connect GPS-DATA to Domain
On GPS-DC start ADUC console
Create GPS-DATA computer account in OU=Computers name: GPS-DATA
who can connect to domain: SRV Admins
Log on to GPS-DATA and connect the machine to domain domain name: gopas.virtual
user name: srv-admin
Add SRV Admins group to local Administrators
Windows Authentication
Basic: clear-text, may be transferred over TLS/SSL; RDP/TS, IIS, SMTP, POP3, Telnet, LDAP simple bind; no SSO (single sign-on)
NTLM: hashed, MD4 + MD5-HMAC; fall-back method when Kerberos cannot be used
Kerberos: hashed, MD4 + RC4/DES/AES; default authentication; can use smart cards
Schannel = TLS client certificate logon: RSA/EC private key for TLS/SSL communications
CHAP/Digest: MD5 authentication; RADIUS/IAS/NPS/IIS
Network Authentication Principle
[Diagram: the Client logs in to an application server (FS, SQL, Web) in-band with login + identity proof; the server performs pass-through authentication with the DC]
Kerberos Requirements
Domain user from a domain computer to a domain member server
Forest trusts only NTLM is used on External Trusts
Internet Explorer only in local intranet sites and trusted sites (since IE7)
IP addresses always use NTLM
Many other more complex requirements (GOC16) time, SPN, ...
NTLM and Schannel network logon
[Diagram: Client (2000+) sends the NTLM hash proof in-band with the application traffic to the Server (2000+); the server passes the NTLM hash through to its DC (2000+) over SMB or D/COM (dynamic TCP)]
Kerberos network logon (basic principle)
[Diagram: Client (2000+) obtains a TGT for the user from the DC (2000+) and then a TGS ticket for the Server; the TGS ticket travels in-band with the application traffic to the Server (2000+)]
Kerberos network logon (complete)
[Diagram: as in the basic principle, plus the Server (2000+) occasionally performs PAC validation of the TGS ticket against its DC (2000+) over SMB or D/COM (dynamic TCP)]
Tools for Kerberos
KLIST: lists Kerberos tickets; purges the ticket cache; built into Windows 7/2008 R2, member of AD RSAT in Windows Vista/2008
KERBTRAY: GUI version of the same for Windows 2003/XP; member of the Windows Resource Kit
Auditing Account Logon Events: Windows Vista/2008+ can use granular auditing
Logon auditing
Account Logon Event
"authentication event"
when an account database validates credentials
Logon Event
"session event"
every time an Access Token is created or closed
Auditing (Interactive Logon)
[Diagram: interactive logon on the Client: (1) Account Logon event logged on the DC, (2) Logon event logged on the Client; the servers (SQL, FS, WFE) are not involved]
Logon types
Type Value
Interactive 2
Network 3
Batch 4
Service 5
Unlock 7
NetworkCleartext 8
NewCredentials 9
RemoteInteractive 10
CachedInteractive 11
CachedRemoteInteractive 12
CachedUnlock 13
Status codes
Status Value
STATUS_WRONG_PASSWORD 0xC000006A
STATUS_PASSWORD_RESTRICTION 0xC000006C
STATUS_LOGON_FAILURE 0xC000006D
STATUS_ACCOUNT_RESTRICTION 0xC000006E
STATUS_INVALID_LOGON_HOURS 0xC000006F
STATUS_INVALID_WORKSTATION 0xC0000070
STATUS_PASSWORD_EXPIRED 0xC0000071
STATUS_ACCOUNT_DISABLED 0xC0000072
STATUS_LOGON_NOT_GRANTED 0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED 0xC000015B
STATUS_ACCOUNT_EXPIRED 0xC0000193
STATUS_PASSWORD_MUST_CHANGE 0xC0000224
STATUS_ACCOUNT_LOCKED_OUT 0xC0000234
Download err.exe
version 2008 http://www.microsoft.com/en-us/download/details.aspx?id=985
most up-to-date version
SDK for Windows 8.1 http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
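As an added example (not from the slides), a PowerShell function that reads failed-logon events (ID 4625) from a Security log and decodes the logon type and the NTSTATUS codes with the two tables above. The function names are my own; it assumes permission to read the Security log on the target computer (local Administrators by default) and that the events use the standard 4625 EventData field names (TargetUserName, LogonType, Status, SubStatus, IpAddress, ...).

```powershell
# Logon type and NTSTATUS tables taken from the slides above
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
$StatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006C' = 'STATUS_PASSWORD_RESTRICTION'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000155' = 'STATUS_LOGON_NOT_GRANTED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertTo-StatusName {
    param([string] $Code)
    # the event stores the code as lower-case hex text (e.g. 0xc000006a); normalise to 0xC000006A
    if ($Code -notmatch '^0x[0-9a-fA-F]+$') { return $Code }
    $key = '0x{0:X8}' -f [Convert]::ToUInt32($Code.Substring(2), 16)
    if ($StatusNames.ContainsKey($key)) { $StatusNames[$key] } else { $key }
}

function Get-FailedLogon {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $MaxEvents    = 50
    )
    $filter = @{ LogName = 'Security'; Id = 4625 }
    # Get-WinEvent writes an error when no event matches; that case just yields nothing
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # pull the named EventData fields out of the event XML
        $xml  = [xml] $evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = $LogonTypeNames[[int] $data.LogonType]
            Status      = ConvertTo-StatusName $data.Status
            SubStatus   = ConvertTo-StatusName $data.SubStatus   # the specific reason, e.g. wrong password
            AuthPackage = $data.AuthenticationPackageName
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
        }
    }
}

Get-FailedLogon | Format-Table -AutoSize
```

For a network logon the 4625 event is written on the server that was accessed (see the audit diagrams), so point -ComputerName at that server, not at the DC.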
Logon sessions
# Win32_LogonSession: one entry per logon session (every Access Token belongs to one);
# LogonId is decimal here, the Security event log shows the same value in hex
gwmi Win32_LogonSession |
    select LogonId,
        @{ n = 'LogonIdHex' ; e = { '0x{0:X}' -f ([long] $_.LogonId) } },
        AuthenticationPackage,
        LogonType,
        StartTime,
        @{ n = 'Login' ; e = { $_.GetRelated('Win32_Account') | select -First 1 | select -ExpandProperty Caption } },
        @{ n = 'SID' ; e = { $_.GetRelated('Win32_Account') | select -First 1 | select -ExpandProperty SID } }
Auditing (Network session)
[Diagram: network session from the Client to a server (SQL, FS or WFE): (1) Account Logon event logged on the DC, (2) Logon event logged on the server]
Account lockout
[Diagram: (1) Account Management event ID 4740 logged on the DC when the lockout happens; each server (SQL, FS, WFE) logs the failed attempts as ID 4625]
Auditing (Interactive logoff)
[Diagram: Logoff event (1) logged on the Client immediately at logoff]
Auditing (Network session)
[Diagram: Logoff event (1) logged on the server when the TCP connection is closed]
Lab: Auditing Authentication
On GPS-DC open the GPMC console
Create a new GPO for the domain
  name: Security: Authentication Auditing
  link to: gopas.virtual
  enforced: yes
Enable auditing of Account Logon events
  Computer - Windows Settings - Local Policies - Security Settings - Advanced Audit Policy Configuration - Account Logon
  enable all audit subcategories
Refresh policy on GPS-DC by using GPUPDATE
Lab: Kerberos
On GPS-WKS open CMD
Use KLIST /PURGE to purge Kerberos ticket cache
Type DIR \\GPS-DC\SYSVOL\gopas.virtual\Policies
Use KLIST to list Kerberos tickets
Note the KRBTGT user ticket with Initial flag
Note the CIFS ticket for the shared files
Note that AES is used as an encryption mechanism
Lab: NTLM
On GPS-WKS open CMD
Use KLIST /PURGE to purge Kerberos ticket cache
Type DIR \\10.10.0.11\SYSVOL\gopas.virtual\Policies
Use KLIST to list that there are no Kerberos tickets
Lab: Verifying Audit Events
On GPS-DC open Event Viewer console
Open Security log
Filter out all events except for the following:
Event sources: Microsoft Windows Security Auditing
Task category:
Kerberos Authentication Service
Kerberos Service Tickets
Credentials Validation
Lab: Audit process tracking
Auditing Example
[Diagram: VPN client authenticating through RADIUS/NPS: (1) Account Logon event on the DC, (2) Logon event, (3) NPS event on the RADIUS server]
NTLM Versions
LM: obsolete, insecure, uses LM hashes; default on Windows XP SP3, should be disabled
NTLM: newer, MD4 + DES, still some security concerns; default on Windows 2003, can be disabled
NTLMv2: newest, MD4 + MD5-HMAC; supported by Windows 98 with DSClient, NT 4.0 SP4 and newer
Upgrading NTLM Version
Lab: Enforcing NTLMv2
On GPS-DC open the GPMC console
Create a new GPO for domain
name: Security: NTLMv2
link to: gopas.virtual
enforced: yes
Enforce NTLMv2
Computer – Windows Settings – Local Policies -Security Options – LAN Manager authentication Level: Send NTLMv2 response only
Kerberos AES enforcement
lastLogon, lastLogonTimestamp
Active Directory attribute of user accounts
lastLogon
precise time of the last identity validation
not replicated
lastLogonTimestamp
DFL 2003+
replicated
updated only once per 14 days
Last interactive logon time
Alternative identities
NET USE \\gps-data
NET USE \\gps-data.gopas.virtual is a different server name than \\gps-data, so you can use other credentials
NET USE \\10.10.0.21 is still different from the previous two, so you can use yet another user account
RUNAS /user: the user must have local logon
RUNAS /netonly /user: supplies different network credentials for the current user; does not need any local logon
LSASS caches alternate identities during the logon session
  NET USE \\gps-data /user:GPS\helena
  NET USE \\gps-data /user:GPS\leos
  error 1219: Multiple connections to a server by the same user, using more than one user name, are not allowed
  must log off or NET USE /DELETE
USER RIGHTS
Permissions vs. Rights
Permissions
object based access control
NTFS, registry, LDAP, printers, windows, desktops, SQL server, ...
Rights (Privileges)
not everything can be considered an object
Restart/Shutdown, Logon, ...
Permissions
User Rights Assignment
Types of User Rights
Logon: log on locally, from the network, as a batch job; a Deny variant exists
Actions: shut down the system, change the system time, synchronize AD, manage auditing, impersonate, enable delegation, create a pagefile, volume maintenance, ...
Forcible overrides: take ownership, add workstation to domain, bypass traverse checking, backup (read all), restore (write all)
Granting and Enabling
Users must be granted user rights in local policy (or GPO)
Processes must enable the user right once they want to perform the action
backup application enables the backup right only for the duration of the backup operation
Event Viewer enables the security right to list Security event log
Tools for User Rights
WHOAMI /ALL
lists user rights and their state for the current command line process
PROCEXP
list user rights and their state for any process
Lab: User Rights
Log on to GPS-WKS as Kamil (the user is a member of local Administrators)
Start CMD
Start Event Viewer and browse the Security event log
Start Notepad as Helena (Helena is a member of the regular Users group only)
Start PROCEXP, open Properties of the processes and switch to the Security tab
  verify the list of user rights
  verify that some user rights are granted while some of them are also enabled
Lab: BATCH SID
On GPS-DC create a service account for the BACKUP job
  user: job-backup
  options: password never expires, user cannot change password
On GPS-DATA create an empty scheduled task called BACKUP using the gps\job-backup account
Troubleshoot the scheduled job startup with Event Viewer and/or the T:\ERR tool
Using PROCEXP verify the BATCH SID injected into the process's access token
Lab: Allow Credential Manager on the server to store the scheduled task password
Lab: Log on as a batch job in GPO
Flow of Access Control
[Diagram: authentication (Kerberos or NTLM) -> user right Access this Computer from the Network or Allow Logon Locally -> Access Token -> NTFS permissions on the disk]
USER ACCOUNT CONTROL
UAC prompts – Run as administrator
Restricted Users
Users often work as local Administrators
users on workstations/notebooks
local administrators on servers
We may want to restrict their default permissions and rights
allow them to elevate if required
Does not apply for remote (network) connections
Restricting Local Administrators
Windows XP and newer can restrict local Administrators
  enforced by default on Windows Vista+
  must use Run As on Windows XP
LSASS can issue a restricted access token
  Administrators and Domain Admins groups are marked as Deny
  only basic user rights enabled
LSASS maintains two separate Kerberos ticket caches
“Deny” Groups in Access Token
User is not member of the group for Allow ACEs
if something is granted to the group, it does not apply
User is member of the group for Deny ACEs
if something is explicitly denied to the group, it still applies
not a common case for Administrators, but still good to know
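As an added example (not from the slides), a PowerShell function that inspects the current process's access token: it lists the group SIDs, flags the ones marked Deny, counts SIDs against the 1025 limit from the Access Token section, and shows that a Deny-only BUILTIN\Administrators entry (a UAC-restricted token) is ignored by the role check. It relies on WindowsIdentity.Claims, which needs .NET 4.5 or newer; the function name is my own.

```powershell
function Get-TokenGroupSummary {
    # WindowsIdentity.Claims exposes every group SID of the token as a claim:
    # ClaimTypes.GroupSid for enabled groups, ClaimTypes.DenyOnlySid for groups marked "Deny"
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $groupSid  = [System.Security.Claims.ClaimTypes]::GroupSid
    $denySid   = [System.Security.Claims.ClaimTypes]::DenyOnlySid

    $groups = foreach ($claim in $identity.Claims) {
        if ($claim.Type -ne $groupSid -and $claim.Type -ne $denySid) { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier $claim.Value
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved)'   # e.g. a group from a domain that cannot be reached
        }
        [pscustomobject]@{
            SID      = $claim.Value
            Name     = $name
            DenyOnly = ($claim.Type -eq $denySid)
        }
    }

    # BUILTIN\Administrators = S-1-5-32-544 (from the User Identity slide)
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'

    [pscustomobject]@{
        User            = $identity.Name
        UserSID         = $identity.User.Value
        SidCount        = 1 + @($groups).Count        # user SID + group SIDs
        SidLimit        = 1025
        DenyOnlyGroups  = @($groups | Where-Object DenyOnly | Select-Object -ExpandProperty Name)
        AdminsInToken   = [bool] $admins
        AdminsDenyOnly  = [bool] ($admins -and $admins.DenyOnly)
        # IsInRole ignores Deny-only groups, so it is $false in a UAC-restricted token
        # even though S-1-5-32-544 is present; run in an elevated window to compare
        IsElevatedAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups          = $groups
    }
}

Get-TokenGroupSummary | Format-List User, UserSID, SidCount, SidLimit, DenyOnlyGroups, AdminsInToken, AdminsDenyOnly, IsElevatedAdmin
```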
Deny Group in Access Token
Lab: User Account Control
On GPS-WKS enable UAC and restart
Log on as Kamil on GPS-WKS (the user is a member of local Administrators)
Start CMD and Notepad
Start CMD and Notepad with Run as Administrator
Use WHOAMI /ALL to see whether the Administrators group is marked as Deny
Use PROCEXP to see the same for Notepad
Using PROCEXP verify that the elevated processes are granted more user rights
Use KLIST in both CMD windows to see two distinct Kerberos ticket caches
UAC on Windows XP and 2003
Flow of Access Control
[Diagram: authentication (Kerberos or NTLM) -> user right Access this Computer from the Network or Allow Logon Locally -> Access Token (UAC restricted for the local logon) -> NTFS permissions on the disk]
Remote UAC
Enabled over the network for non-domain accounts
To disable the remote token filtering:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  LocalAccountTokenFilterPolicy = DWORD = 1
Lab: UAC for Desktop computers
GROUP POLICY
Security in Group Policy
Policies (always enforced)
  Passwords and Lockout
  Auditing
  User Rights
  Restricted Groups
  Services
Preferences (may be one-time)
  local Users and Groups
  Files and Folders
  Services
Tools to Verify GP Application
RSOP.MSC
GPRESULT /V
GPRESULT /H report.htm
The only local tool to show Group Policy Preferences
Group Policy Management (GPMC)
Group Policy Results
Group Policy Modeling
RSOP.MSC
WMI Filters
Local filtering on the target machines
Uses WMI classes
  Win32_OperatingSystem
  Win32_ComputerSystem
  Win32_Environment
  Win32_LogicalDisk
  Win32_Service
  Win32_Process
Varying OS support, always Google for the documentation
WMI Filters - Examples
Win32_OperatingSystem ProductType = 1 = Workstation
ProductType = 2 = DC
ProductType = 3 = Server
Version = 6.2 = Windows 8, Windows 2012
Version = 6.1 = Windows 7, Windows 2008 R2
Version = 6.0 = Windows Vista, Windows 2008
Version = 5.2 = Windows XP 64bit, Windows 2003
Version = 5.1 = Windows XP
Version = 5.0 = Windows 2000
OSArchitecture = 32-bit / 64-bit (2008/Vista+ only)
WMI Filters - Examples
Win32_ComputerSystem
SystemType = 64-bit / x86
TotalPhysicalMemory
DNSHostName
WMI Filters for Servers
Lab: Create Server and Workstation WMI Filters
On GPS-DC start the GPMC console
Create a new WMI filter
  name: Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3
Create a new WMI filter
  name: Workstation
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1
Create a new WMI filter
  name: Workstation or Server
  filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3
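As an added example (not from the slides), a PowerShell check that evaluates the three WMI filters from the lab on a computer before they are attached to GPOs, using the same rule the Group Policy client uses: the filter applies when its WQL query returns at least one instance. The function name is my own.

```powershell
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # A GPO WMI filter matches when its WQL query returns at least one instance;
    # a filter containing several queries matches only if every query returns something
    $result = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    return ($result.Count -gt 0)
}

# The three filters from the lab above
$filters = [ordered]@{
    'Server'                = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'
    'Workstation'           = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
    'Workstation or Server' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3'
}

# Show the values the filters are evaluated against; note that a domain controller
# reports ProductType = 2, so none of the lab's filters applies to DCs
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ('{0}: Version {1}, ProductType {2}' -f $os.CSName, $os.Version, $os.ProductType)

foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter  = $name
        Applies = Test-WmiFilter -Query $filters[$name]
    }
}
```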
COMPUTER ENVIRONMENT
Admin Role Separation
[Diagram 1: a dedicated admin account per role: domain-admin for the DCs, fs-admin for file servers FS1-FS3, web-admin for web front ends WF1-WF2, sql-admin for database servers DB1-DB2, wks-admin for workstations (WKS), ntb-admin for notebooks (NTB)]
[Diagram 2: the same roles with an additional is-admin account spanning the infrastructure servers]
[Diagram 3: simplified separation: domain-admin for the DCs, srv-admin for all servers (SRV), wks-admin for workstations and notebooks]
Lab: Admin Groups
On GPS-DC start ADUC console
Create SRV Admins group in OU=Service
Create WKS Admins group in OU=Service
Create srv-admin account in OU=Service
  name: srv-admin
  options: Password never expires
  member of: Domain Users, Admin Accounts, SRV Admins
Create wks-admin account in OU=Service
  name: wks-admin
  options: Password never expires
  member of: Domain Users, Admin Accounts, WKS Admins
Restricted Groups
Group Policy setting
supported since Windows 2000
Can be used to grant local group membership to domain groups
Is enforced
if you want add/remove functionality, use Group Policy Preferences
SRV Admins Group in Local Administrators
GPO Preferences and Local Groups
Require optional update
Windows XP, Windows 2003, Windows Vista
Can be changed from local GUI
reapplied at every GPO refresh (120 minutes)
Are not removed with the GPO
Restricted Groups return the local setting to their original
GPO Preferences and Groups
Lab: Make SRV Admins Group Member of Local Administrators
On GPS-DC start the GPMC console
Create a new GPO for the domain OU=Computers
  name: Security: SRV Accounts
  link to: gopas.virtual
  WMI filter: Servers
  enforced: yes
Use the Restricted Groups feature to add the SRV Admins group as a member of the local Administrators group
  Computer - Windows Settings - Security Settings - Restricted Groups
  new group: SRV Admins
  is member of: Administrators
Lab: Make WKS Admins Group Member of Local Administrators
On GPS-DC start the GPMC console
Create a new GPO for the domain OU=Computers
  name: Security: WKS Accounts
  link to: gopas.virtual
  WMI filter: Workstations
  enforced: yes
Use the Restricted Groups feature to add the WKS Admins group as a member of the local Administrators group
  Computer - Windows Settings - Security Settings - Restricted Groups
  new group: WKS Admins
  is member of: Administrators
Lab: Connect GPS-WFE Securely to Domain
On GPS-DC start ADUC console
Create GPS-WFE computer account in OU=Computers
name: GPS-WFE
who can connect to domain: SRV Admins
Log on to GPS-WFE and connect the machine to domain
domain name: gopas.virtual
user name: srv-admin
Disable -500 Admins
GROUPS AND GROUP SCOPES
Groups
Security groups
have SID
evaluated during logon
Distribution groups
have SID
are not evaluated during logon
can be used by applications (such as Exchange)
Group Scopes and Usage
Local: can be used on individual computers
Built-in Domain Local: can be used on all DCs of a domain
Domain Local: can be used on all members of the domain
Global: can be used in all other domains of the same forest, or in other domains over trusts
Universal: the same as global
Group Scopes and Membership
Local from any domain
Built-in Domain Local from any domain
Domain Local from any domain or trusted domains
Global from the same domain only
Universal from the same forest
My membership (single forest)
[Diagram: domains A, B and C in one forest, user Jitka, and each domain's domain local (DL), global (G) and universal (U) groups she may be a member of]
My membership (single forest)
[Diagram: the same with domains SK, CZ and DE and example groups German Sales, Czech Sales, Slovak Sales, DE SAP Access, SK Mkt Pictures]
Access to my local server (single forest)
[Diagram: domains A, B and C in one forest, user Jitka accessing the DATA server in her own domain; the DL, G and U groups of each domain that can be used on it]
Access to a remote server (single forest)
[Diagram: the same with the DATA server in another domain of the forest]
MS recommended philosophy
[Diagram: accounts (A) placed into global groups (G), global groups nested into domain local groups (DL), permissions (P) granted to the domain local groups (AGDLP); across domains a universal group (U) is nested between G and DL (AGUDLP)]
MS recommended philosophy
[Diagram: the same with examples CZ Employees and World Employees nested into DE SAP Access, which carries the SAP permissions]
2012 FFL OK philosophy / Exchange 2010+ recommended
[Diagram: accounts (A) placed into organization universal groups U (Organization), nested into resource universal groups U (Resource) that carry the permissions (P)]
Group Limits
Access token
maximum 1025 SIDs
Kerberos ticket
default 10500 B to store groups
Global group = 8 B
Domain local group = 40 B
Universal group = 8/40 B
Different Forests
[Diagram: user Jitka in a forest with domains A, B and C, and a different forest with domain F; the DL, G and U groups of each domain she can be a member of]
Lab: Groups
Try adding ELEARNING\Employees and BIKES\Bikers into GPS\Employees
  this should not work, because GPS\Employees is a global group
Create the universal group GPS\IS Access
Try adding ELEARNING\Employees and BIKES\Bikers into GPS\IS Access
  BIKES\Bikers cannot be a member of a universal group from a different forest
Switch GPS\IS Access to a domain local group
Add BIKES\Bikers into GPS\IS Access
Lab: IS Access result
[Diagram: flow of access control for a user from the account domain accessing a server in domainB.local: authentication (Kerberos or NTLM) -> user right Access this Computer from the Network or Allow Logon Locally -> Access Token (UAC restricted for the local logon) holding accountDomain\Global and Universal groups plus domainB\Domain local groups -> NTFS permissions on the disk]
Temporary AD group membership (FFL 2003)
[Diagram: the user account is put into a proxy group with a TTL, and the proxy group is nested into the real group; the membership disappears when the proxy group expires, while tickets already issued keep it for the standard TGT lifetime]
Temporary AD objects (since FFL 2003)
dynamicObject class, entryTTL = seconds
Defaults in CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration, attribute ms-DS-Other-Settings:
  DynamicObjectDefaultTTLSeconds
  DynamicObjectMinTTLSeconds
Privileged Access Management feature (FFL 2016)
New AD optional feature "Privileged Access Management Feature" (Get-ADOptionalFeature)
Add-ADGroupMember -MemberTimeToLive: the lowest lifetime propagates to the Kerberos TGT tickets
Get-ADGroup -Properties Member -ShowMemberTimeToLive
LDP: LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309
Lab: SAP Access for 40 minutes
Create SAP Access group
Add gps\kamil with 40 minutes TTL
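As an added example (not from the slides), the SAP Access lab done with the ActiveDirectory module cmdlets named on the PAM slide: enable the optional feature once, add gps\kamil with a 40-minute TTL, and read the remaining lifetime back. The function names are my own; it assumes the RSAT ActiveDirectory module, a forest functional level of 2016 for gopas.virtual, the OU=Company container from the script below, and that -ShowMemberTimeToLive returns expiring links in the form <TTL=seconds>,DN.

```powershell
Import-Module ActiveDirectory

function Enable-PamFeature {
    param([string] $Forest = 'gopas.virtual')
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if ($feature.EnabledScopes.Count -gt 0) { return 'already enabled' }
    # needs FFL 2016; like other optional features it cannot be disabled again once enabled
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    return 'enabled'
}

function Add-TemporaryGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Member,
        [int] $Minutes = 40
    )
    # the membership link itself carries the TTL; the DC drops the link when it reaches zero,
    # and a TGT issued meanwhile gets at most this lifetime (lowest TTL wins)
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

function Get-GroupMemberTtl {
    param([Parameter(Mandatory)] [string] $Group)
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        # assumed format of an expiring link: <TTL=seconds>,DN ; permanent links are plain DNs
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int] $matches[1]
            [pscustomobject]@{ Member = $matches[2]; SecondsLeft = $seconds; Expires = (Get-Date).AddSeconds($seconds) }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; Expires = $null }
        }
    }
}

Enable-PamFeature
if (-not (Get-ADGroup -Filter "Name -eq 'SAP Access'")) {
    New-ADGroup -Name 'SAP Access' -SamAccountName 'SAP Access' -GroupScope Global -GroupCategory Security -Path 'OU=Company,DC=gopas,DC=virtual'
}
Add-TemporaryGroupMember -Group 'SAP Access' -Member 'kamil' -Minutes 40
Get-GroupMemberTtl -Group 'SAP Access' | Format-Table -AutoSize
```

After Kamil logs on, KLIST on his workstation shows the shortened TGT lifetime mentioned on the PAM slide.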
Note: Autodelete groups
# Creates a permanent group IS Access and a dynamicObject group that expires after $ttl minutes,
# nests the expiring group into the permanent one and puts Kamil into the expiring group:
# Kamil is an indirect member of IS Access only until the DC deletes the expired group
$ou = [ADSI] 'LDAP://OU=Company,DC=gopas,DC=virtual'
$user = [ADSI] 'LDAP://CN=Kamil,OU=People,OU=Company,DC=gopas,DC=virtual'
[int] $ttl = 20   # minutes; entryTTL is in seconds and must not be below DynamicObjectMinTTLSeconds
$baseGroup = $ou.Create('group', 'CN=IS Access')
$baseGroup.Put('sAMAccountName', 'IS Access')
$baseGroup.SetInfo()
$expiringGroup = $ou.Create('group', "CN=IS Access Expiring in $ttl minutes")
# 2 = ADS_PROPERTY_UPDATE: the auxiliary class dynamicObject is set together with the structural class group
$expiringGroup.PutEx(2, 'objectClass', @('dynamicObject', 'group'))
$expiringGroup.Put('entryTTL', ($ttl * 60))
$expiringGroup.Put('sAMAccountName', "IS Access Expiring in $ttl minutes")
$expiringGroup.SetInfo()
$baseGroup.Add($expiringGroup.Path)
$expiringGroup.Add($user.Path)