Future Forests: Realistic Strategies for AD Security & Red Forest Architecture

Similar documents
Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Course Outline. Course Outline :: 20744A::

Course Outline 20744B

Critical Hygiene for Preventing Major Breaches

[MS20744]: Securing Windows Server 2016

Securing Windows Server 2016

"Charting the Course... MOC C: Securing Windows Server Course Summary

Securing Windows Server 2016

20744: Securing Windows Server Sobre o curso. Microsoft. Nível: Avançado Duração: 35h

Securing Windows Server 2016 (20744)

Securing Windows Server 2016

Microsoft Securing Windows Server 2016

Exam Questions Demo Microsoft. Exam Questions Securing Windows Server 2016.

Securing Windows Server 2016 (20744)

Microsoft Exam

microsoft. Number: Passing Score: 800 Time Limit: 120 min.

Securing Windows Server 2016

microsoft. Number: Passing Score: 800 Time Limit: 120 min.

Identity & Access Management

Securing Active Directory Administration

Security Fundamentals for your Privileged Account Security Deployment

Active Directory Security: The Journey. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

[ Sean TrimarcSecurity.com ]

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

Cyber Defense Operations Center

exam.72q.

HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER. New protection capabilities in Windows Server 2016

ALL ROADS LEAD TO DOMAIN ADMIN BREACH TO CDE A SECTOR CONFERENCE PRESENTATION OCTOBER 2016

K12 Cybersecurity Roadmap

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Microsoft Azure Integration and Security. Course Code: AZ-101; Duration: 4 days; Instructorled

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

Vision deliver a fast, easy to deploy and operate, economical solution that can provide high availability solution for exchange server

10 FOCUS AREAS FOR BREACH PREVENTION

Incident Response Table Tops

Securing ArcGIS Services

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Privileged Identity App Launcher and Session Recording

Feature Comparison Summary

News and Updates June 1, 2017

Independent DeltaV Domain Controller

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

RastaLabs Red Team Simulation Lab

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Modern Realities of Securing Active Directory & the Need for AI

10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

Comodo Endpoint Manager Software Version 6.25

Comodo Endpoint Manager Software Version 6.26

Minfy-Magnaquest Migration Use Case

the SWIFT Customer Security

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Duration: 5 Days Course Code: M20764 Version: B Delivery Method: Elearning (Self-paced)

Microsoft EXAM Securing Windows Server 2016 (beta) m/ Product: Demo. For More Information:

Transforming Security Part 2: From the Device to the Data Center

Comodo Endpoint Manager Software Version 6.25

Identity as the core of enterprise mobility

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Canadian Access Federation: Trust Assertion Document (TAD)

CS 356 Operating System Security. Fall 2013

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Feature Comparison Summary

From Workstation to Domain. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.com

Cybersecurity The Evolving Landscape

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

Windows. Not just for houses

MODERN DESKTOP SECURITY

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Expert Webinar: Hacking Your Windows IT Environment

Securing the New Perimeter:

IT Needs More Control

Canadian Access Federation: Trust Assertion Document (TAD)

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Information Security Policy

Canadian Access Federation: Trust Assertion Document (TAD)

Securing Active Directory Administration. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

QuickBooks Online Security White Paper July 2017

Secure access to your enterprise. Enforce risk-based conditional access in real time

IPM Secure Hardening Guidelines

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

CompTIA SY CompTIA Security+

Canadian Access Federation: Trust Assertion Document (TAD)

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Training: Hardening Microsoft Environments

Endpoint Security webrh

GUIDE. MetaDefender Kiosk Deployment Guide

"Charting the Course... MOC C: Administering an SQL Database Infrastructure. Course Summary

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

ArcGIS for Server: Security

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

Windows Server Security Guide

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Administering a SQL Database Infrastructure

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Transcription:

SESSION ID: STR-R02 Future Forests: Realistic Strategies for AD Security & Red Forest Architecture Katie Knowles Security Consultant MWR InfoSecurity @_sigil

Introduction: Why AD Matters How AD is Targeted Preventing Compromise: 1. Local Credentials 2. Administrative Systems Reducing Impact: What s a Red Forest? 3. Administrative Forest 4. Administrative Permissions 5. Tiered Architecture Takeaways & Applications

Why AD Matters Used by 90% of organizations Tools allow quick mapping to high-value targets Compromise of domain = Compromise of forest Game Over : Domain Administrator (DA) access to Domain Controller (DC) 3

How AD is Compromised Recover Administrator Hash Administrator access to IT Recover DA Hash Compromised Access DC as DA User Helpdesk Admin. Password in Memory Access DC: Limited Administrator 4

NotPetya Backdoor in tax software allows attackers to deploy wiper disguised as ransomware NotPetya spreads EternalBlue (MS17-010) Dumping credentials Maersk Estimated Impact: $250-300 million in earnings 45k+ PCs + 4k servers rebuilt over 10 days WIRED, The Untold Story of NotPetya : https://www.wired.com/story/notpetya-cyberattackukraine-russia-code-crashed-the-world/ 5

Detection vs. Prevention Fire Tower: Identify fires Monitor spread of fires Alert base to dispatch firefighters Incident Detection Fire Break: Separate risky environments Prevent spread of fire Increase difficulty to burn Incident Prevention 6

Resilient AD Architecture 1. Secure Local Credentials 2. Isolate Administrative Systems 3. Create Administrative Forest * 4. Limit Administrative Permissions & Duration * 5. Adopt Tiered Architecture * *Red Forest/ESAE Core Concepts 7

Piecing it All Together 1. Unique Administrator Credentials Recover Administrator Hash Administrator access to IT Recover DA Hash 2. Separate Administrative s 3. Separate Administrative Forest Compromised Access DC as DA User (Credential Guard) Helpdesk Admin. Password in Memory Access DC: Limited Administrator 4. Limit Administrative Permissions & Duration 5. Create Tiered Architecture

Secure Local Credentials 1. Unique Administrator Credentials Recover Administrator Hash Administrator access to IT Recover DA Hash Compromised Access DC as DA User Helpdesk Admin. Password in Memory Access DC: Limited Administrator

Secure Local Credentials Each local system contains a built-in Administrator account Credential reuse allows attackers to pivot & Pass the Hash Generate unique passwords for the Administrator account Microsoft s Local Administrative Password Solution (LAPS) randomizes Administrator passwords 10

Suggestions Credentials (passwords, hashes) can still be recovered from memory without Credential Guard Implement for Win10/Server 2016 Disable or remove remote access from the Administrator account 11

Isolate Administrative Systems Compromised Recover Administrator Hash Administrator access to IT Recover DA Hash 2. Separate Administrative s Access DC as DA User Helpdesk Admin. Password in Memory Access DC: Limited Administrator

Isolate Administrative Systems Same workstation for user and admin functions User workstation compromise leads to administrative session compromise Separate user and administrator tasks to separate systems Microsoft s Privileged Access (PAW) architecture separates Admin & User functions 13

Suggestions Environments relying on cloud solutions may require administrative access to external URLs Consider a hardened administrative system with access to only specific domains 14

Create Administrative Forest Recover Administrator Hash Administrator access to IT Recover DA Hash 3. Separate Administrative Forest Compromised Access DC as DA User Helpdesk Admin. Password in Memory Access DC: Limited Administrator 15

Why a Separate Forest? Forest 1 Forest 1 Forest 2 Parent Domain Parent Domain Child 1 Child 2 Child 1 Child 2 Forest 3 Transitive trust exists between all domains in a forest All trust relationships are two-way Compromise of Child 1 = Compromise of Child 2 & Parent Nontransitive trust between forests allows creation of external trusts Two-way or one-way trust possible Compromise of Forest 1 =/= Compromise of Forest 2 16

What s a Red Forest? 17

What s a Red Forest? 18

What s a Red Forest? Tier 0 Enhanced Security Administrative Environment (ESAE, aka Red Forest ) AD architecture by Microsoft to maximize resiliency Forest/ Domain Admins Tier 1 Admin Domain Controller Architecture based on: 1. Separation of systems by risk 2. Restriction of highest risk accounts to highest risk systems Tier 2 Server Admins Admin Server https://docs.microsoft.com/en-us/windowsserver/identity/securing-privileged-access/securingprivileged-access-reference-material Admins Admin 19

Resilient AD Architecture 1. Secure Local Credentials 2. Isolate Administrative Systems 3. Create Administrative Forest * 4. Limit Administrative Permissions & Duration * 5. Adopt Tiered Architecture * *Red Forest/ESAE Core Concepts 20

Separate Administrative Forest Compromising users can lead to compromising DAs Compromise of domain = Compromise of forest Production Forest Management Forest Isolate administrative accounts in a separate forest Microsoft s Privileged Access Management (PAM) tools isolate administrators in a separate forest 21

Suggestions Changes can be reversed by breaking production & management forest trust Make notes on tier separation as changes progress There will likely be a balance between cost, risk, and overhead: e.g. Logging in multiple tiers 22

Permissions & Tiers Recover Administrator Hash Administrator access to IT Recover DA Hash Compromised Helpdesk Admin. Password in Memory Access DC: Limited Administrator Access DC as DA User 4. Limit Administrative Permissions & Duration 5. Create Tiered Architecture 23

The Implementation: MIM POLICY Bastion\ Jen MFA MIM Portal Bastion\ HRAdmins Corp\ Jen Corp\ HRAdmins HR Database https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identitymanagement-for-active-directory-domain-services 24

Limit Administrative Availability Administrators frequently require (or request) Domain Admin for one-time tasks More Domain Admins create more paths to compromise Limit permissions, and only grant them for the time required Microsoft s Just Enough Administration (JEA) & Just in Time (JIT) tools limit permissions and availability 25

Suggestions Once authenticated, a session will maintain its privileges Set session timeout on critical systems JEA does not require MIM Consider testing JEA before administrative tiers if MIM is not on the roadmap 26

Reduce Breach Impact Different devices have different risk levels & needs, e.g.: User workstation needs external web access Domain Controller does not Separate devices into Tiers based on risk & needs Microsoft s Red Forest separates devices by tier, with suggested devices and hardening requirements for Tier 0 systems 27

Suggestions Microsoft recommends 3 tiers: Tier 0: Domain Controllers Tier 1: Servers & sensitive applications Tier 2: User systems, workstations, etc. Consider whether this works for the environment that will be changed Be realistic about what can and cannot be duplicated within tiers 28

As A Process: 1. Secure Local Credentials + Credential Guard 2. Isolate Administrative Systems Reduce Chance of Compromise 3. Create Administrative Forest * 4. Limit Administrative Permissions & Duration * Reduce Impact of Compromise 5. Adopt Tiered Architecture * *Red Forest/ESAE Core Concepts 29

Software Compatibility Feature Description Domain Level OS Credential Guard LAPS JEA MIM PAM ESAE Protect credentials in memory from attackers with administrative access. Configure unique passwords for local Administrator account on each system. Powershell tools to limit permissions a user can request, and for how long requested permissions are granted. Allows simple creation of a separate management forest. Contains JIT functionality. Implemented using MIM. Separation of devices into tiers. Management via MIM, PAM, JEA, & JIT. N/A Server 2016 / Windows 10 2003 SP1 Server 2003 SP2 / Vista N/A Server 2012 / Windows 8 2003* N/A N/A Server 2012 R2 / Windows 8 See above. * Forest created for management must be 2012+ 30 See above.

Takeaways Securing Active Directory is critical to avoiding large-scale incidents Microsoft s Red Forest prevents the major methods attackers use against AD Each step towards Red Forest significantly improves AD security * * Even if full Red Forest is not currently feasible 31

Get Started: Quick Wins (1-3 months) Implement Local Administrative Password Solution (LAPS) Configure Credential Guard on applicable systems Feasibility Assessment (2-5 months, Proof of Concept ) Test hardened administrative workstations (PAWs) Create an isolated administrative forest to test common tasks Decisions (3-6 months) Determine if Red Forest implementation makes sense based on: o Proof of Concept findings o Business priorities 32

Questions? Or reach out any time: katie.knowles@mwrinfosecurity.com @_sigil Article: www.mwrinfosecurity.com/our-thinking/plantingthe-red-forest-improving-ad-on-the-road-to-esae/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback