When the admin fails on security Christoph Falta ITSECX

Transcription

1 When the admin fails on security Christoph Falta ITSECX

2 What s this all about? Point out common vulnerabilities in a windows environmnet Point out attack scenarios that leverage these vulnerabilities No admin bashing 2

3 Have you met Ted? Ted, the Sysadmin Ted is Sysadmin at Contoso Corp We will go with him and see what he encounters at work today Maybe find some security problems 3

4 Meet Ted Ted at Work 4

5 Ted, the Sysadmin Later this day, Ted examines different servers due to performance issues and discovers: that his account is being used on multiple servers that his workstation is running suspicious software (malware?) 5

6 Fail 1 Trusting the Client Client should not be seen as a fully trusted device (Low security, like DMZ) Especially in BYOD environments You should never use high privilege Accounts to work on low security devices Never, Never, Never use Domain Admins for Client Administration 6

7 Fail 2 Rely on weak Protocols Windows relies on Kerberos or MS-NLMP for Authentication. Will be negotiated between Server and Client during Authentication Process. MS-NLMP is a Suite of Protocols. Consists of LM, NTLMv1 and NTLMv2. LM should be dead by now, but is still found in XP/2003 environments. NTLMv1 suffers from replay vulnerabilities and is widely supported in most environments today 7

8 Fail 2 Rely on weak Protocols NTLMv1 in a Nutshell: Client encrypts server challenge with the password hash to authenticate NTLM Hash contains no salt -> the hash is always the same Hash is as good as the password itself 8

9 Fail 2 Rely on weak Protocols Where to get the hash? From Local SAM From Network Traffic (eg. PPTP / MSCHAPv2) From Memory 9

10 Meet Ted PTH 10

11 Malicious Intent Malware Accidents Fail 3 Users have high privileges Users should never have one of the following permissions: Local Administrator Power User - Dump Hashes - Reset local Accounts - Work around Corporate Policies - Disable Security Software - Run arbitrary Software - Manipulate Network Traffic - User installs malicious software - User is victim of phishing attacks 11

12 Meet Ted What about this security check? 12

13 Fail 4 Exchange Default Settings Exchange Receive Connectors allow unauthenticated sending as internal user Network Settings on the Connector define possible attack source Easily missed because it is not exposed in the UI 13

14 Fail 4 Exchange Default Settings Basically documented in TechNet but you have to find the link yourself 14

15 Fail 4 Exchange Default Settings Usually not discovered because Anti Spam Appliances block external Attacks Can only be remediated via Exchange Management Shell (= Powershell) Remove-ADPermission <ReceiveConnector Name> user NT AUTHORITY\Anonymous Logon ExtendedRights ms-exch-smtp-accept-authoritative-domain-sender 15

16 Fail 5 - Patchmanagement Patchmanagement Windows Updates often neglected due to Uptime restrictions or Compatibility problems However Windows Updates are usually monitored and controlled by technical means (WSUS, SCCM, ) Real Problem: Third Party 16

17 Fail 5 - Patchmanagement Windows Update can only patch 22% of the vulnerabilities 78% of the vulnerabilities are are left for the administrator to deal with 17

18 Fail 5 - Patchmanagement Implement Patch Management Solution Many of the big players now support Third Party Products SCCM Dell Case Altiris Or use specialised software Secunia CSI What about Anti- Virus? 18

19 Putting it all together Strengthen Client Security Get rid of weak protocols (LM,NTLMv1) Restrict User Permissions Check Mail Security Implement Patchmanagement Strategy 21

20 Questions? Q & A Questions & Answers 22