BASIC SECURITY PRINCIPLES

BASIC SECURITY PRINCIPLES

Ondřej Ševeček | GOPAS a.s. |

MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com |

Outline

 User Identity and Access Tokens

 Local User Accounts

 Domain User Accounts

 Authentication Mechanisms

 User Rights

 User Account Control

 Group Policy Security Settings

 Computer Environment

 Groups and Group Scopes

USER IDENTITY AND ACCESS TOKENS

Advanced Windows Security

Windows Processes

 Everything runs as a process

 some code runs in Kernel mode, but mostly under identity of the calling process

 interrupts, DPCs and file cache are executing without user context

 Every process runs under a user identity

 SYSTEM, Network Service, Local Service, local user, domain user

 Access permissions are always checked

 there is no root superuser as in unix

User Identity

 User identity is represented as a SID

 NT Authority\SYSTEM = S-1-5-18

 NT Authority\Local Service = S-1-5-19

 NT Authority\Network Service = S-1-5-20

 BUILTIN\Administrators = S-1-5-32-544

 BUILTIN\Users = S-1-5-32-545

 local user = S-1-5-21-LocalSID-RID

 domain user = S-1-5-21-DomainSID-RID

 Every process gets its own copy of an Access Token

 list of user’s SID and SIDs of his groups

 created by LSASS.exe (Local Security Authority)

Access Token

 Memory structure that contains user SID and the SIDs of his groups

 identified by its Logon Session ID

 Inherited by child processes

 Cached after a successful interactive logon in registry

 HKLM\Security\Cache

 Policy: Number of Previous Logons to Cache

 Limitted to 1025 SIDs

Access Token Cache Limit

Access token limit to 1025 SIDs

Lab: indirect group membership in access token

Tools for Access Token

 WHOAMI /ALL

 built into Vista/2008 and newer

 member of Support Tools for 2003/xp and older

 PROCEXP

 Process Explorer

 download from http://live.sysinternals.com

 PSEXEC

 download from http://live.sysinternals.com

 ADUC Attribute Editor

 Active Directory Users and Computers console

 Select View – Advanced Features

 Can show user and group SIDs in AD

Lab: Access Token

 Log on to GPS-WKS as Kamil

 use WHOAMI /ALL to investigate his access token

 verify that he is member of Administratos and Employees groups

 note his SID and the SIDs of his groups

 Use PSEXEC -D -S -I CMD to start command line under SYSTEM account

 use WHOAMI /ALL to verify its access token

 Use PSEXEC -D -I -U “NT Authority\Network Service” CMD to start command line under Network Service account

 use WHOAMI /ALL to verify its access token

 Start PROCEXP and verify contents of the access tokens of some processes

 Start ADUC and use Attribute Editor tab to verify user SIDs in Active Directory

System SIDs

 Some SIDs are added automatically

 INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON

 Everyone, Authenticated Users, This Organization, NTLM Authentication

Lab: SERVICE SID

 On GPS-DC create a service account for SNMPTRAP service

 user: svc-snmp

 options: password never expires, user cannot change password

 On GPS-WKS reconfigure SNMP TRAP service to run under GPS\svc-snmp account

 Using PROCEXP verify SERVICE SID injected into the processes access token

Translating SIDs with PowerShell

'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object

System.Security.Principal.SecurityIdentifier

$_).Translate([System.Type]::GetType('System.Security.Principa l.NTAccount')).Value } }

'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n

= 'Name' ; e = { $_ } }, @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount

$_).Translate([Security.Principal.SecurityIdentifier]).Value } }

$rxSID = '[Ss]-1(?:-\d+){1,}'

[regex]::Match('This SID S-1-5-80-3964583643-2633443559- 2834438935-3739664028-1580655619 has been detected',

$rxSID).Value

All BUILTIN SIDs

(1..1000) | % {

$user = New-Object

Security.Principal.SecurityIdentifier S-1-5-32-$_

$errorActionPreference = 'SilentlyContinue' write-host ("{0,35} = S-1-5-32-{1}" -f

$user.Translate([Type]::GetType('System.Security.Princi pal.NTAccount')).Value.Replace('BUILTIN\', ''), $_)

$errorActionPreference = 'Continue' }

Everyone vs. Authenticated Users

 Windows 2000-

 Everyone = Authenticated Users + Anonymous Logon

 Windows XP+

 Everyone = Authenticated Users

 can be changed back in security policy

 Let Everyone permissions apply to Anonymous Users

Everyone vs. Authenticated Users

Default Local Users Group and Domain User

 By default local Users group contains

 Authenticated Users

 Default security

 Everyone = Authenticated Users = Users = Domain Users

 Do not use any of the groups for securing resources

Default Local Users Group

Lab: Local Users on GPS-WKS

Lab: Verify (non)Access

 Verify that users can log on to GPS-WKS workstation

 [email protected] (Employee)

 [email protected] (Employee)

 [email protected] (account from ELEARNING domain)

 Verify that the following users cannot log on to GPS-WKS

 [email protected] (Contractor)

 BIKES\tanja (account from BIKES domain)

LOCAL USER ACCOUNTS

Advanced Windows Security

Local User Accounts

 Stored in local registry

 HKLM\SAM\Domains\Account

 Password hashed (MD4)

 can be stored in full

 Policy: Store passwords using reversible encryption

 Can enforce password complexity and history

 Policy: Password complexity requirements

 Policy: Enforce password history

 Single login: COMPUTER\username

Do not store clear-text passwords

LM Password Hashes

 Windows 2003/XP store LM password hashes

 extreme insecurity, only 7 uppercase characters

 remains in Default Domain Policy GPO if installed with Windows 2003 or older

 backward compatibility

 Windows 95, 3.1, MS-DOS

 Should be disabled as soon as possible

LM Password Hashes

Lab: Disable LM Hashes

 On GPS-DC open the GPMC console

 Create a new GPO for domain

 name: Security: LM Hashes Disabled

 link to: gopas.virtual

 enforced: yes

 Disable LM hashes

 Computer – Windows Settings – Local Policies - Security Options – Do not store LAN Manager hashes on next password change

Lab: Cracking Local Passwords with Cain

 Log on to GPS-WKS as gps\kamil

 Install Cain & Abel tool

 Switch to Cracker tab

 Import LM&NTLM hashes from local system

 Perform Brute-Force Attack on one of the hashes

http://hashcat.net performance (2016)

Brute-Force vs. Rainbow Tables

 Brute-force

 generate all the possible hashes

 taking time for the generation

 ca 80xper additional character

 Rainbow Tables

 use pre-generated, sorted list of hashes

 taking one-time for the generation

 taking space to store the database

 ca 40xper additional character

Local Password Policies

Password Policies

 Minimum recommended length:

 10 characters

 http://www.sevecek.com/Lists/Posts/Post.aspx?ID

=145

 Minimum password age

 the settings is necessary only to enforce password history

 Password complexity

 3of4: at least three from: a-z, A-Z, 0-9, #^%&*

 do not contain 3 or more chars from user’s login

Complex Passwords

 Simple examples

 September2012

 John-Lennon

 Buldo-zer56

 Login considered

 login: ondrej

 Invalid password: J@mES-BonD38

Local Account Lockout Policy

VOLATILE STATE VS. OFFLINE ATTACKS

Advanced Windows Security

Sensitive memory information

 LSASS.exe

 currently logged-on user hashes

 currently logged-on user plain-text passwords

 processes, services, jobs, IIS apppools

 Only local administrators can attack online

 debug privilege!

 Windows 8/2012 and older

 password + MD4 hash + LM hash (always)

 Windows 8.1/2012R2 and newer

 MD4 hash (+ password if RDP SSO)

 LM hash if enabled

Extract passwords/hashes

Pass-the-hash

Sensitive information stored permanently

 Only local administratorscan extract online

 local user password hashes from registry

 service, scheduled tasks, IIS apppools plaintext passwords

 Users can extract their own online

 IE stored passwords

 RDP stored passwords

 stored Windows credentials

 software keylogging

 Offlineextractions

 anything stored permanently except with SYSKEY

Permanently stored system-wide information

 HKLM\SAM

 local user account hashes(LM, MD4)

 non-salted = rainbow/brute-force

 HKLM\SECURITY\Cache

 domain user account hashcache (1000x SHA-1)

 salted with username = brute-force

 HKLM\SECURITY\Policy\Secrets

 LSA secret plain-textpasswords for services, DefaultPassword, VPN (dialup) passwords

 %windir%\System32\Config\SystemProfile\AppData

\Local\Microsoft\Credentials

 scheduled task plain-textpasswords protected with DPAPI

Permanently stored system-wide and per- user information

 IIS application pool accounts plain-text

 applicationHost.config (DPAPI protected)

 appcmd list apppool /text:*

 NPS RADIUS clients plain-text shared secrets

 netsh nps export exportpsk=yes

 Per user Windows Vault/Stored User Names and Passwords (DPAPI)

 %userprofile%\AppData\Roaming\Microsoft\Credentials

 %userprofile%\AppData\Local\Microsoft\Vault

Online fake password prompts

 Require CTRL-ALT-DEL

 Require secure desktop UAC confirmation

Require CTRL-ALT-DEL

Require secure UAC prompts

Do not allow "Stored user names and passwords“ (WKS only vs. scheduled jobs)

Do not allow IE caching passwords (basic/forms)

 IE 7,6,…

 HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings

 DisablePasswordCaching = 1

 IE 8,9,10

 disable Credential Manager

 IE 11

 HKCU\Software\Microsoft\Internet Explorer\Main

 FormSuggest Passwords = no

Do not allow browser caching passwords (basic/forms)

 Edge

 HKCU\SOFTWARE\Classes\Local

Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.

microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main

 FormSuggest Passwords = no

 Chrome for Business

 ADMX template

Protected Users – Kerberos tickets only (8.1, 2012 R2 and newer)

Other browser issues

 Block Flash in IE, Edge, Chrome

 Block other ActiveX plugins

 Email attachments, application white listing,

…

Password reveal button (Win8/IE)

Credential (Device) Guard

Credentials (Device) Guard (Isolated User Mode) (Secure Kernel)

 Separated credentials from LSASS memory

 LSAISO

 Isolated “VM”

 Requirements

 Windows 10 Enterprise/2016

 HW virtualization

 Hyper-V hypervisor enabled

 GPT boot disk + EFI system partition

 convert with MBR2GTP since Win10 1703

 UEFI firmware (BIOS)

 UEFI boot

 stores environment variables (UEFI lock)

 Secure Boot

 boot process digital signatures

 UEFI Secure Boot enabled during OS installation

MSINFO32 + UEFI Secure Boot

Disable Device Guard with UEFI lock

DOMAIN USER ACCOUNTS

Advanced Windows Security

Domain User Accounts

 Stored in Active Directory database

 Password Hashes (MD4)

 stores Digest (MD5) since Windows 2003

 Stores AES (SHA-1) since Windows 2008

 Two logins

 user principal name ([email protected])

 SAM account name (GPS\kamil)

 Can enforce password policies

 Domain-wide using Group Policy

 Per users/groups using Granular Password Policies

Logins

 User Principal Name ([email protected])

 userPrincipalName attribute

 up to 1023 characters

 recommended max64@max64

 configurable UPN suffixes

 must be unique forest-wide

 SAM Account Name (GPS\kamil)

 sAMAccountName attribute

 up to 20 characters

 always bound to NetBIOS domain name

Alternative UPN Suffixes

Lab: Alternative UPN Suffixes

 On GPS-DC open the Active Directory Domains and Trusts console

 Right-click at the root of the console

 Select Properties

 Verify the following alternative UPN suffixes

 gopas.cz

 Open ADUC console on ELRN-DC

 Modify UPN for ELEARNING\jan

 [email protected]

Listing all UPN logins from Global Catalogue (GC)

Domain Password Policies

 Group Policy based

 domain wide

 can be defined in any GPO attached to domain (you can use Default Domain Policy or create a new one)

 Granular (Fine-grained) Password Policies

 applied to users and/or groups

 require Windows 2008 Domain Functional Level (DFL)

Various user account types

Personal Admin Service

Typed frequently occasionally never

Remembered BFU Keepass on a

jump-server

nobody

Length 10+ 15+ 25+

Changing ?? months ???? months on request

Smart card ?? yes no

Lockout 5 250 500 / no

NTLM yes Kerberos only ??

Default Domain Policy

Granular Password Policies (DFL 2008)

Lab: GPO Password Policies

 On GPS-DC open the GPMC console

 Create a new GPO for domain

 name: Security: Common User Passwords

 link to: gopas.virtual

 enforced: yes

 Define password policies in the newly created GPO

 minimum password length: 8 (we want to keep Pa$$w0rd)

 minimum password age: 0

 password complexity requirements: enabled

 regular password change: 90 days

 account lockout threshold: 15 attempts

 account lockout duration: 3 minutes

Lab: Granular Password Policies

 On GPS-DC open the ADSI Edit console

 Create a new Granular Password Policies object in CN=Password

Policies,CN=System,DC=gopas,DC=virtual

 name: Admin Passwords

 Define password policies in the newly created PSO

 psoAppliesTo: Admin Accounts

 minimum password length: 8 (we want to keep Pa$$w0rd)

 minimum password age: 0

 password complexity requirements: enabled

 regular password change: 90 days

 account lockout threshold: 5 attempts

 account lockout duration: until manual unlock

Password Change vs. Reset

 Change password

 anybody who knows the original password

 all password policies apply

 Reset password

 only Domain Admins and Account Operators

 no history, no minimum age

Account vs. Password Expiration

 Password expiration

 after policy configured time

 User Must Change Password at Next Logon

 Cannot log on in fact

 may not be able to change password remotely over VPN or web applications

 Affects smart cards

 Account expiration

 Cannot log on after a specific time regardles of password validity

 Affects smart cards

Account vs. Password Expiration

pwdLastSet vs. unicodePwd replication metadata

Computer Account

 Just a special user account

 DOMAIN\COMPUTER$

 Password stored in registry

 HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC

 changed regularly every 30 days (is online)

Computer Account Password

Changes

Optional lab: Computer account password corrupted

 Use Hyper-V console to revert GPS-WKSback to a previous password

 Use NETDOM RESETPWD to enforce computer password change

NETDOM RESETPWD /Server:GPS-DC

/UserD:gps\domain-admin /PasswordD:Pa$$w0rd

Trust relationship between this workstation and the primary

domain failed

The target account name is incorrect

Test secure channel

nltest /sc_verify:gps

Test-ComputerSecureChannel

Lab: GPS-WKS$ network access

 On GPS-WKS start CMD under SYSTEM account

 psexec -s -i -d cmd

 Try accessing the \\GPS-DC\Public share

 On GPS-DC, change NTFS permissions of the C:\Service\Public folder to DENY access to the GPS-WKS$ account

 Verify that the GPS-WKS machine looses access

 Verify that the Kamil user account still have access

Password Policy Exceptions

 Computer, Managed Service Accounts, Trusts

 no password policies

 pwd never expire

 never lock out

 Built-in Administrator account (the -500 SID)

 never lock out

 when disabled, can log on in Safe Mode

 can log on with more than 1025 SIDs in Access Token (gets trimmed)

Lab: Computer account group

AUTHENTICATION MECHANISMS

Advanced Windows Security

Lab: Connect GPS-DATA to Domain

 On GPS-DC start ADUC console

 Create GPS-DATA computer account in OU=Computers

 name: GPS-DATA

 who can connect to domain: SRV Admins

 Log on to GPS-DATA and connect the machine to domain

 domain name: gopas.virtual

 user name: srv-admin

 Add SRV Admins group to local Administrators

Windows Authentication

 Basic

 clear-text, may be transfered over TLS/SSL

 RDP/TS, IIS, SMTP, POP3, Telnet, LDAP Simple Bind, PS Remoting CredSSP

 no SSO (single sign on)

 NTLM

 hashed, MD4 + MD5-MHAC

 fall-back method when Kerberos cannot be used

 Kerberos

 hashed, MD4 + RC4/DES/AES

 default authentication

 can use smart cards

 Schannel = TLS Client Certificate logon

 RSA/EC private key for TLS/SSL communications

 CHAP/Digest MD5 authentication

 RADIUS/IAS/NPS/IIS

Network Authentication Principle

Client

DC FS SQL Web

In-band Login + Identity Proof

Pass-through authentication with DC

Kerberos Requirements

 Domain user from a domain computer to a domain member server

 Forest trusts only

 NTLM is used on External Trusts

 Internet Explorer

 only in local intranet sites and trusted sites (since IE7)

 IP addresses always use NTLM

 Many other more complex requirements (GOC16)

 time, SPN, ...

NTLM and Schannel network logon

DC 2000+

Client 2000+

Server 2000+

App Traffic

DC 2000+

SMB D/COM

In-band NTLM hash

Pass-through NTLM hash

D/COM Dynamic TCP

Kerberos network logon (basic principle)

DC 2000+

Client 2000+

Kerberos

Server 2000+

App Traffic

TGT: User In-band TGS: Server

TGS: Server

Kerberos network logon (complete)

DC 2000+

Client 2000+

Kerberos

Server 2000+

App Traffic

DC 2000+

SMB D/COM

TGT: User In-band TGS: Server

Occasional PAC Validation TGS: Server

D/COM Dynamic TCP

Tools for Kerberos

 KLIST

 lists Kerberos tickets

 purges ticket cache

 built into Windows 7/2008 R2, member of AD RSAT in Windows Vista/2008

 KERBTRAY

 GUI version of the same for Windows 2003/XP

 member of Windows Resource Kit

 Auditing Account Logon Events

 Windows Vista/2008+ can use granular auditing

Logon auditing

 Account Logon Event

 "authentication event"

 when an account database validates credentials

 Logon Event

 "session event"

 every time an Access Token is created or closed

Auditing (2000+)

Granular auditing (2008/Vista+)

Auditing (Interactive Logon)

SQL FS WFE

DC Client

Account Logon 1

Logon 2

Logon types

Type Value

Interactive 2

Network 3

Batch 4

Service 5

Unlock 7

NetworkCleartext 8

NewCredentials 9

RemoteInteractive 10

CachedInteractive 11

CachedRemoteInteractive 12

CachedUnlock 13

Status codes

Status Value

STATUS_WRONG_PASSWORD 0xC000006A STATUS_PASSWORD_RESTRICTION 0xC000006C STATUS_LOGON_FAILURE 0xC000006D STATUS_ACCOUNT_RESTRICTION 0xC000006E STATUS_INVALID_LOGON_HOURS 0xC000006F STATUS_INVALID_WORKSTATION 0xC0000070 STATUS_PASSWORD_EXPIRED 0xC0000071 STATUS_ACCOUNT_DISABLED 0xC0000072 STATUS_LOGON_NOT_GRANTED 0xC0000155 STATUS_LOGON_TYPE_NOT_GRANTED 0xC000015B STATUS_ACCOUNT_EXPIRED 0xC0000193 STATUS_PASSWORD_MUST_CHANGE 0xC0000224 STATUS_ACCOUNT_LOCKED_OUT 0xC0000234

Download err.exe

 version 2008

 http://www.microsoft.com/en-us/download/details.aspx?id=985

 most up-to-date version

 SDK for Windows 8.1

 http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

Logon sessions

gwmi win32_LogonSession | select LogonId,

@{ n = 'LogonIdHex' ; e = { '0x{0:X}' -f ([int] $_.LogonId) } },

AuthenticationPackage, LogonType,

StartTime,

@{ n = 'Login' ; e = {

$_.GetRelated('Win32_Account') | select -f 1 | select -Expand Caption } },

@{ n = 'SID' ; e = {

$_.GetRelated('Win32_Account') | select -f 1 | select -Expand SID } }

Auditing (Network session)

SQL FS WFE

DC Client

Account Logon 1

Logon 2

Account lockout

SQL FS WFE

DC Client

Account Management 1

Account Lockout Mx

ID 4740 Account Lockout

Nx ID 4625

ID 4625

immediately at logoff

Auditing (Interactive logoff)

SQL FS WFE

DC Client

Logoff 1

SQL FS WFE

when TCP connection closed

Auditing (Network session)

DC Client

Logoff 1

Lab: Auditing Authentication

 On GPS-DC open the GPMC console

 Create a new GPO for domain

 name: Security: Authentication Auditing

 link to: gopas.virtual

 enforced: yes

 Enable auditing of Account Logon events

 Computer – Windows Settings – Local Policies - Security Settings – Advanced Audit Policy Configuration – Account Logon

 enable all audit subcategories

 Refresh policy on GPS-DC by using GPUPDATE

Lab: Kerberos

 On GPS-WKS open CMD

 Use KLIST /PURGE to purge Kerberos ticket cache

 Type DIR \\GPS-

DC\SYSVOL\gopas.virtual\Policies

 Use KLIST to list Kerberos tickets

 Note the KRBTGT user ticket with Initial flag

 Note the CIFS ticket for the shared files

 Note that AES is used as an encryption mechanism

Lab: NTLM

 On GPS-WKS open CMD

 Use KLIST /PURGE to purge Kerberos ticket cache

 Type DIR

\\10.10.0.11\SYSVOL\gopas.virtual\Policies

 Use KLIST to list that there are no Kerberos tickets

Lab: Verifying Audit Events

 On GPS-DC open Event Viewer console

 Open Security log

 Filter out all events except for the following:

 Event sources: Microsoft Windows Security Auditing

 Task category:

 Kerberos Authentication Service

 Kerberos Service Tickets

 Credentials Validation

Lab:

Audit process tracking

Auditing Examle

RADIUS NPS

DC Client

Account Logon 1

Logon 2

VPN

NPS 3

NTLM Versions

 LM

 obsolete insecure using LM hashes

 default on Windows XP SP3, should be disabled

 NTLM

 newer, MD4 + DES, still some security concerns

 default on Windows 2003, can be disabled

 NTLMv2

 newest, MD4 + MD5-HMAC

 supported by Windows 98 DSClient, NT4.0 SP4 and newer

Upgrading NTLM Version

Enforce NTLMv2 session security

Lab: Enforcing NTLMv2

 On GPS-DC open the GPMC console

 Create a new GPO for domain

 name: Security: NTLMv2

 link to: gopas.virtual

 enforced: yes

 Enforce NTLMv2

 Computer – Windows Settings – Local Policies - Security Options – LAN Manager authentication Level: Send NTLMv2 response only

Kerberos AES enforcement

lastLogon, lastLogonTimestamp

 Active Directory attribute of user accounts

 lastLogon

 precise time of the last identity validation

 not replicated

 lastLogonTimestamp

 DFL 2003+

 replicated

 updated only once per 14 days

Last interactive logon time

Alternative identities

 NET USE \\gps-data

 NET USE \\gps-data.gopas.virtual

 is different then \\gps-data, you can use other credentials

 NET USE \\10.10.0.21

 is still different from the previous two, you can use yet another user account

 RUNAS /user

 must have local logon

 RUNAS /netonly/user

 supplies different network credentials for current user

 does not need any local logon

LSASS caches alternate

identities during logon session

 NET USE \\gps-data /user:GPS\helena

 NET USE \\gps-data /user:GPS\leos

 error 1219

 Multiple connections to a server by the same user, using more than one user name, are not allowed

 Must log-off or NET USE /DELETE

USER RIGHTS

Advanced Windows Security

Permissions vs. Rights

 Permissions

 object based access control

 NTFS, registry, LDAP, printers, windows, desktops, SQL server, ...

 Rights (Privileges)

 not everything can be considered an object

 Restart/Shutdown, Logon, ...

Permissions

User Rights Assignment

Types of User Rights

 Logon

 logon locally, from network, as batch job

 Deny variant exists

 Actions

 shutdown the system, change system time, synchronize AD, manage auditing, impersonate, enable delegation, create pagefile, volume maintainance, ...

 Forcible Overrides

 take ownership, add workstation to domain, bypass traverse checking, backup (read all), restore (write all)

Granting and Enabling

 Users must be granted user rights in local policy (or GPO)

 Processes must enable the user right once they want to perform the action

 backup application enables the backup right only for the duration of the backup operation

 Event Viewer enables the security right to list Security event log

Tools for User Rights

 WHOAMI /ALL

 lists user rights and their state for the current command line process

 PROCEXP

 list user rights and their state for any process

Lab: User Rights

 Log on to GPS-WKS as Kamil

 the user is member of local Administrators

 Start CMD

 Start Event Viewer and browse the Security event log

 Start Notepad as Helena

 Helena is member of regular Users group only

 Start PROCEXP, open Properties of the processes and switch to the Security tab

 verify the list of user rights

 verify that some user rights are granted while some of them are also enabled

Lab: BATCH SID

 On GPS-DCcreate a service account for BACKUP job

 user: job-backup

 options: password never expires, user cannot change password

 On GPS-DATA create an empty scheduled task called BACKUP using the gps\job-backup account

 Troubleshoot the scheduled job startup with Event Viewer and/or T:\ERR tool

 Using PROCEXP verify BATCH SID injected into the processes access token

Lab: Allow Credential Manager on the server to store the scheduled task password

Lab: Log on as a batch job in GPO

Disk

Flow of Access Control

NTFS Permissions Access this Computer from Network

Authentication

Kerberos NTLM

Allow Logon Locally Authentication _Kerberos

NTLM

Access Token

Access Token

USER ACCOUNT CONTROL

Advanced Windows Security

UAC prompts – Run as administrator

Restricted Users

 Users often work as local Administrators

 users on workstations/notebooks

 local administrators on servers

 We may want restrict their default permissions and rights

 allow them to elevate if required

 Does not apply for remote (network) connections

UAC Options on Windows 7

UAC Options on Windows 8

 Only display settings

 You must use the policy

Restricting Local Administrators

 Windows XP and newer can restrict local Administrators

 enforced by default on Windows Vista+

 must use Run As on Windows XP

 LSASS can issue restricted access token

 Administrators and Domain Admins groups are marked as Deny

 Only basic user rights enabled

 LSASS maintains two separate Kerberos ticket caches

“Deny” Groups in Access Token

 User is not member of the group for Allow ACEs

 if something is granted to the group, it does not apply

 User is member of the group for Deny ACEs

 if something is explicitly denied to the group, it still applies

 not a common case for Administrators, but still good to know 

Deny Group in Access Token

Lab: User Account Control

 On GPS-WKS enable UAC and restart

 Log on as Kamil on GPS-WKS

 the user is member of local Administrator

 Start CMD and Notepad

 Start CMD and Notepad with Run as Administrator

 Use WHOAMI /ALL to see that the Administrators group is/isnot marked as Deny

 Use PROCEXP to see the same for Notepad

 Using the PROCEXP verify that the elevated processes are granted more use rights

 Use KLIST in both CMD windows to see two distinct Kerberos ticket caches

UAC on Windows XP and 2003

Disk

Flow of Access Control

NTFS Permissions Access this Computer from Network

Authentication

Kerberos NTLM

Allow Logon Locally Authentication _Kerberos

NTLM

Access Token

Access Token

UAC Restricted

Remote UAC

 Enabled over network for non-domain accounts

 HKLM\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System

 LocalAccountTokenFilterPolicy = DWORD = 1

Lab: UAC for Desktop computers

GROUP POLICY

Advanced Windows Security

Security in Group Policy

 Policies (always enforced)

 Passwords and Lockout

 Auditing

 User Rights

 Restricted Groups

 Services

 Preferences (may be one-time)

 local Users and Groups

 Files and Folders

 Services

Tools to Verify GP Application

 RSOP.MSC

 GPRESULT /V

 GPRESULT /H report.htm

 The only local tool to show Group Policy Preferences

 Group Policy Management (GPMC)

 Group Policy Results

 Group Policy Modeling

RSOP.MSC

RSOP.MSC

GPRESULT /H (includes GPO

Preferences)

WMI Filters

 Local filtering on the target machines

 Uses WMI tables

 Win32_OperatingSystem

 Win32_ComputerSystem

 Win32_Environment

 Win32_LogicalDisk

 Win32_Service

 Win32_Process

 Varying OS support, always GOOGLE for documentation

WMI Filters - Examples

 Win32_OperatingSystem

 ProductType = 1 = Workstation

 ProductType = 2 = DC

 ProductType = 3 = Server

 Version = 6.2 = Windows 8, Windows 2012

 Version = 6.1 = Windows 7, Windows 2008 R2

 Version = 6.0 = Windows Vista, Windows 2008

 Version = 5.2 = Windows XP 64bit, Windows 2003

 Version = 5.1 = Windows XP

 Version = 5.0 = Windows 2000

 OSArchitecture = 32-bit / 64-bit (2008/Vista+ only)

WMI Filters - Examples

 Win32_ComputerSystem

 SystemType = 64-bit / x86

 TotalPhysicalMemory

 DNSHostName

 Win32_Battery

 BatteryStatus <> 0 … laptop

 Win32_SystemEnclosure

 ChassesType … laptop vs. desktop

WMI Filters for Servers

Lab: Create Server and Workstation WMI Filters

 On GPS-DC start GPMC console

 Create new WMI filter:

 name: Server

 filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3

 Create new WMI filter:

 name: Workstation

 filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1

 Create new WMI filter:

 name: Workstation or Server

 filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 OR ProductType = 3

COMPUTER ENVIRONMENT

Advanced Windows Security

ntb-admin wks-admin

fs-admin

domain-admin

Admin Role Separation

DC DC DC

FS1

FS2

FS3

WKS

WKS

WKS

NTB

NTB

NTB web-admin

WF1

WF2

sql-admin

DB1 DB2

is-admin

ntb-admin wks-admin

fs-admin

domain-admin

Admin Role Separation

DC DC DC

FS1 FS2

FS3

WKS

WKS

WKS

NTB

NTB

NTB

WF1 WF2

sql-admin

DB1 DB2

wks-admin

srv-admin

domain-admin

Admin Role Separation (tiering)

DC DC DC

SRV

SRV

SRV

WKS

WKS

WKS

NTB

NTB

NTB

Lab: Admin Groups

 On GPS-DC start ADUC console

 Create SRV Admins group in OU=Service

 Create WKS Admins group in OU=Service

 Create srv-admin account in OU=Service

 name: srv-admin

 options: Password never expires

 member of: Domain Users, Admin Accounts, SRV Admins

 Create wks-admin account in OU=Service

 name: wks-admin

 options: Password never expires

 member of: Domain Users, Admin Accounts, WKS Admins

Restricted Groups

 Group Policy setting

 supported since Windows 2000

 Can be used to grant local group membership to domain groups

 Is enforced

 if you want add/remove functionality, use Group Policy Preferences

SRV Admins Group in Local

Administrators

GPO Preferences and Local Groups

 Require optional update

 Windows XP, Windows 2003, Windows Vista

 Can be changed from local GUI

 reapply every GPO refresh (120 minuts)

 Are not removed with the GPO

 Restricted Groups return the local setting to their original

GPO Preferences and Groups

Lab: Make SRV Admins Group Member of Local Administrators

 On GPS-DC start GPMC console

 Create new GPO for the domain OU=Computers

 name: Security: SRV Accounts

 link to: gopas.virtual

 WMI filter: Servers

 enforced: yes

 Use Restricted Groups feature to add SRV Admins group as members of local Administrators group

 Computer – Windows Settings – Security Settings – Restricted Groups

 new group: SRV Admins

 is member of: Administrators

Lab: Make WKS Admins Group Member of Local Administrators

 On GPS-DC start GPMC console

 Create new GPO for the domain OU=Computers

 name: Security: WKS Accounts

 link to: gopas.virtual

 WMI filter: Workstations

 enforced yes

 Use Restricted Groups feature to add WKS Admins group as members of local Administrators group

 Computer – Windows Settings – Security Settings – Restricted Groups

 new group: WKS Admins

 is member of: Administrators

Lab: Connect GPS-WFE Securely to Domain

 On GPS-DC start ADUC console

 Create GPS-WFE computer account in OU=Computers

 name: GPS-WFE

 who can connect to domain: SRV Admins

 Log on to GPS-WFE and connect the machine to domain

 domain name: gopas.virtual

 user name: srv-admin

Disable -500 Admins

GROUPS AND GROUP SCOPES

Advanced Windows Security

Groups

 Security groups

 have SID

 evaluated during logon

 Distribution groups

 have SID

 are not evaluated during logon

 can be used by applications (such as Exchange)

Group Scopes and Usage

 Local

 can be used on individual computers

 Built-in Domain Local

 can be used on all DCs from a domain

 Domain Local

 can be used on all members of the domain

 Global

 can be used on all other domains

 the same forest or other domains over trusts

 Universal

 the same as global

Group Scopes and Membership

 Local

 from any domain

 Built-in Domain Local

 from any domain

 Domain Local

 from any domain or trusted domains

 Global

 from the same domain only

 Universal

 from the same forest

My membership (single forest)

C A

B

A \ DL A \ G A \ U

B \ DL B \ G B \ U

C \ DL C \ G C \ U U G

Jitka

My membership (single forest)

SK CZ

DE

Jitka

CZ \ DL CZ \ G CZ \ U

DE \ DL DE \ G DE \ U

SK \ DL SK \ G SK \ U German Sales

Czech Sales Slovak Sales DE SAP Access

SK Mkt Pictures

Access to my local server (single forest)

C A

DATA

B

Jitka

A \ DL A \ G A \ U

B \ DL B \ G B \ U

C \ DL C \ G C \ U

Access to my local server (single forest)

SK CZ

DATA

DE

Jitka

CZ \ DL CZ \ G CZ \ U

DE \ DL DE \ G DE \ U

SK \ DL SK \ G SK \ U German Sales

Czech Sales Slovak Sales DE SAP Access

SK Mkt Pictures

Access to a remote server (single forest)

C A

DATA B

Jitka

A \ DL A \ G A \ U

B \ DL B \ G B \ U

C \ DL C \ G C \ U

MS recommended philosophy

A

P DL

G A

A

U DL

DL A

U

DL G A

MS recommended philosophy

A

P DL

G A

A

U DL

DL A

U

DL G A

CZ Employees World Employees

SAP permissions

DE SAP Access

2012 FFL OK philosophy

Exchange 2010+ recommended

P U (Resource)

U (Organization)

A

Group Limits

 Access token

 maximum 1025 SIDs

 Kerberos ticket

 default 10500 B to store groups

 Global group = 8 B

 Domain local group = 40 B

 Universal group = 8/40 B

B

B \ DL B \ G B \ U

Different Forests

C A

Jitka

A \ DL A \ G A \ U

C \ DL C \ G C \ U

Different forest

F \ DL F \ G F \ U