
00:00:05 Hi, welcome back.

00:00:06 We are looking at tactic two,

00:00:08 protecting privileged identities in the defending
00:00:11 Active Directory against cyber attacks series.
00:00:14 Here, we're in Part II,
00:00:15 protecting privileged identities.
00:00:20 So, pretty much there are three components to securing privileged
00:00:23 access or protecting these identities.
00:00:25 They're broken down into separating identities,
00:00:28 randomizing local admin passwords,
00:00:31 as well as separating the workstations.
00:00:32 And Josh will take us through each one of these components.
00:00:36 >> Thanks, Claire.
00:00:37 Yeah, when we talk about separating identities,
00:00:40 I think this is something that a lot of customers,
00:00:42 at least ones that I worked with, tend to do very well.
00:00:45 They've been doing it for a long time.
00:00:48 Similar to what we talked about in the previous section
00:00:53 here, going back many, many, many years in security.
00:00:58 People thought it was simply enough that if I have an admin
00:01:02 account and a normal user account I'm good to go.
00:01:05 And in more recent years we've figured out that
00:01:08 we need to take it a level beyond that.
00:01:11 Because as you saw in our demo earlier,
00:01:14 even if I used two different accounts,
00:01:17 if I'm using them on the same workstation, I'm still exposing
00:01:20 my privileged credentials to that workstation.
00:01:24 So we really need to get into having
00:01:28 not only a separate account for privileged activities, but
00:01:32 a completely separate workstation.
00:01:34 And we're gonna go cover that in a little bit more detail
00:01:37 here, shortly.
00:01:38 And then the third pillar that we have here is
00:01:42 randomizing that local admin password on all of our systems.
00:01:47 And we're gonna cover a tool that you can use to do that, and
00:01:50 also why that is important.
00:01:53 >> So going back to the different ways that
00:02:00 threat actors can get a hold in the environment,
00:02:04 move laterally and then escalate.
00:02:07 These components, separating workstations,
00:02:08 randomizing local admin passwords, which part is that
00:02:11 really addressing in terms of the controls?
00:02:14 Is it focusing more on the lateral, or elevation, or
00:02:18 actually both?
00:02:19 >> So the randomizing local passwords, or local admin
00:02:23 passwords, is focusing on preventing that lateral movement.
00:02:30 The other two are more in that realm
00:02:34 of preventing privilege escalation.
00:02:37 >> Okay. >> Now, you gotta do them
00:02:39 together, though, because as I mentioned, if you only separate
00:02:44 the accounts but you're still putting them both into that
00:02:46 same system, and that system happens to be compromised,
00:02:50 it doesn't really matter that you separated the accounts.
00:02:53 So we have to add that extra layer on there and
00:02:56 have that separate workstation.
00:03:03 So if you are out walking about, one thing you probably don't
00:03:08 do is carry a large sum of money on you, right?
00:03:11 So, if I came up and snatched your purse,
00:03:14 I'm not gonna get your life savings, right?
00:03:16 >> Yeah.
00:03:18 >> Should really apply that same concept, right?
00:03:21 I'm not going to take all of my valuables with me everywhere I
00:03:24 go, so why would I carry my most sensitive
00:03:27 privileges with me everywhere I go?
00:03:28 I need to limit where I expose those credentials to.
00:03:31 And that's what these mitigation strategies are all about.
00:03:34 They are all about limiting the exposure
00:03:38 of your privileged credentials.
00:03:40 And that is the best thing that you can do
00:03:43 to protect those privileged identities.
00:03:45 >> Applying the common sense of life to technology.
00:03:49 >> Yes, exactly.
00:03:51 So, really, again starting with that separating
00:03:55 our accounts here, we need to have two separate accounts.
00:03:58 One for doing our normal day-to-day activities,
00:04:03 all of our business productivity type work.
00:04:06 Anything that is high risk.
00:04:08 And we consider high risk activities to be things like
00:04:12 browsing the Internet or checking your e-mail.
00:04:16 We talked earlier about phishing being
00:04:19 the number one entry point, right?
00:04:23 That's what attackers use the most.
00:04:24 They phish people to get in.
00:04:26 Well, if I am entering my
00:04:30 privileged credentials into the same system or using the,
00:04:35 in this case we're talking about separating our accounts here.
00:04:37 If I check my e-mail with my privileged credentials and
00:04:43 that e-mail is infected, right?
00:04:47 I have some malware that executes from opening the e-mail
00:04:50 or opening an attachment from it, or
00:04:52 following a link that I received in that e-mail.
00:04:54 I have just given away my privileged credentials to my
00:04:57 adversary, and they may not even need to bother with doing
00:05:03 the lateral movement and passing the hash and doing the privilege
00:05:06 escalation because I just handed it over to begin with.
00:05:09 >> Got it, yeah. >> So,
00:05:09 that's why we really gotta start with this basic step here.
00:05:13 So, you really have to change your mindset and the way
00:05:18 that you work, and say that when I'm doing these activities,
00:05:22 when I am doing my normal business productivity,
00:05:26 and maybe I'm taking care of some training, everybody
00:05:32 maybe does a little bit of shopping at work here and there.
00:05:34 Don't do that stuff using your privileged account, or
00:05:36 I'm checking my e-mail,
00:05:38 we're doing whatever purposes I have there.
00:05:41 I have one account for
00:05:42 that, and I force myself to only use that account for it.
00:05:45 And I never log in with my privileged account to do those
00:05:48 types of activities.
00:05:49 And then, when it comes time to, I need to administer this
00:05:52 server, or in the context of our series here,
00:05:56 we're really focusing on protecting Active Directory.
00:06:00 I'm only logging in with an account that has Domain Admin
00:06:04 privileges, or Enterprise Admin privileges, or any of those
00:06:07 other high privileged Active Directory groups.
00:06:12 I'm only using that account when it's necessary to perform a task
00:06:17 that requires that level of privileges.
00:06:19 And that kinda ties back into that least privilege concept
00:06:22 that we talked about earlier.
00:06:28 So as I was mentioning, really, with standard user
00:06:31 accounts we're just doing those high risk activities and
00:06:34 normal day-to-day stuff.
00:06:36 And when we get into our privileged accounts, if I need to
00:06:39 install some software on a system that might require a
00:06:43 higher level of privileges, or if I need to install maybe some
00:06:47 patches, anything that requires those administrative privileges.
00:06:54 So one thing that's really helpful when you're trying to
00:06:59 split out your accounts,
00:07:02 and then also as we move into the next phase we're gonna talk
00:07:05 about with the splitting out to separate workstations,
00:07:08 is finding where are these accounts being used at.
00:07:12 They could be being used all over the place.
00:07:14 One day I might log into this system with this account, and
00:07:19 tomorrow I have to administer five different servers and
00:07:22 log into five different servers.
00:07:25 It could be hard to keep track of
00:07:28 where I've used these accounts at.
00:07:30 So we're gonna roll into a demo here.
00:07:32 I'm gonna show you a brand new script that we just posted out
00:07:36 on the TechNet Gallery that I wrote called Get-LogonLocations.
00:07:40 >> Awesome.
00:07:47 >> I'm gonna go ahead and run the script here.
00:07:53 And what this is gonna do is it is going to show me, and
00:07:57 I want to sort this by unique entries,
00:08:00 because I want to filter out some of the noise here.
00:08:04 If I don't sort it,
00:08:05 it's gonna show me all the logins that happened anywhere.
00:08:09 But specifically, I wanna look at our Tier-0 groups.
00:08:14 I wanna find out where members of these Tier-0
00:08:17 groups are logging into.
00:08:19 So then I could find out where these credentials have
00:08:21 been exposed to.
00:08:24 So I'm gonna sort this by user,
00:08:27 computer and IP address.
00:08:34 And I'm doing both computer name and
00:08:35 IP address because there's a possibility that
00:08:40 a log entry might have only one or the other and not both.
00:08:44 But this is gonna give me some unique results here.
00:08:48 This'll take a second to run, and
00:08:50 while this is bringing back some results here,
00:08:53 I'm just gonna talk about this a little bit more.
00:08:55 So what's happening right now is it's going out and
00:09:00 trying to connect to every domain controller in
00:09:03 the environment and look for a specific event.
00:09:06 And that event that you can see up in the top here
00:09:11 on some of the code is a 4624 event.
00:09:16 And if you're auditing this, and it's usually audited by default
00:09:19 on domain controllers, but you can turn this auditing on.
00:09:22 And we'll talk more about auditing and
00:09:24 event log monitoring in a later session.
00:09:26 But if you're looking for
00:09:27 this one, it shows you when somebody logs in.
00:09:32 So by searching through this, once I find these logins,
00:09:37 it's gonna show me either the IP address or
00:09:40 the computer name of where that account logged in to.
00:09:46 The built-in function that I have here,
00:09:48 since I didn't specify what user I'm looking for,
00:09:51 or a group of users that I'm looking for,
00:09:54 it's looking for members of all of our standard Tier-0 groups.
00:09:58 So, all the default ones,
00:10:00 your Domain Admins, Enterprise Admins, Schema Admins,
00:10:04 the Account Operators and Backup Operators, and all those
00:10:07 things that we learned about in that session earlier with Zaid.
00:10:12 And, it's looking in
00:10:17 the data for each one of these events that it finds that
00:10:20 matches our search query for a match for one of those names.
00:10:24 So anybody that's a member of any single or
00:10:26 one of those groups, we're gonna get some data returned here in
00:10:29 just a moment showing where they logged in.
00:10:31 >> How do you set the subset of machines that
00:10:36 you're searching running this query again?
00:10:41 How do you set that on this script?
00:10:43 >> So if I wanted to look at either a specific domain
00:10:46 controller rather than searching for events across all of it, or
00:10:49 let's say that I've set up some central monitoring,
00:10:53 like Windows Event Forwarding,
00:10:54 which we're gonna discuss in a later session as well.
00:10:58 I could specify the computer name.
00:11:01 Now, if I specify a computer name that's
00:11:06 a Windows Event Forwarding collector,
00:11:08 I'm probably gonna wanna change what log I'm looking at too.
00:11:11 By default, we're looking at the Security log,
00:11:13 because that's where these events live.
00:11:15 But when we're doing event forwarding
00:11:17 it goes into a different event log called Forwarded Events.
00:11:20 And I would specify that,
00:11:21 and that could actually give me a much broader set of data.
00:11:25 It might be a little bit more inclusive than
00:11:28 if I'm just hitting my domain controllers.
00:11:31 So what I'll get back in that case is,
00:11:34 if I'm forwarding this type of event from,
00:11:37 let's say, every system that I have in the environment,
00:11:40 not just showing the ones that hit the DC.
00:11:43 I'll see logins for accounts that match our query across all
00:11:47 systems, and that's probably gonna give me a little bit more
00:11:51 valuable information than if I'm just looking at DCs.
00:11:55 The DCs should catch the majority of it.
00:11:58 But, I'll catch that last little bit if I'm looking across
00:12:02 a wider set of them.
00:12:03 And using this script, I can specify as many computers
00:12:08 as I want, I'll just comma delineate them.
00:12:12 So, I could even use this for other purposes.
00:12:18 But, what we're using it for here is we're trying to identify
00:12:22 where privileged accounts are being exposed to.
00:12:24 If I just wanted to find out where one specific
00:12:27 person logged into, or if they had logged into a system, I can
00:12:31 specify the username in addition with some switches and stuff.
00:12:34 >> A lot of parameters you can use.
00:12:36 >> There are quite a few different parameters
00:12:37 in here, yeah.
00:12:38 >> And what would a company out there who wants to use
00:12:41 this script, what would they do with the output?
00:12:44 Or what would you recommend that they do with the output?
00:12:47 >> So I would recommend outputting it exactly like I
00:12:50 am here.
00:12:51 I'm having it sort only unique entries, and then
00:12:55 that's gonna tell me where these credentials have been exposed.
00:13:00 And if I see that they're being exposed on some of
00:13:06 those normal user workstations where I'm doing my higher risk
00:13:09 activities, I know that I need to prevent that from happening.
00:13:14 As we get along in here further and
00:13:17 start talking about the separate workstations,
00:13:19 one of the things that we do when we implement a dedicated,
00:13:24 or we call it a privileged access workstation,
00:13:27 is we set up some policies and controls that limit our
00:13:30 privileged log-ins to that system.
00:13:33 So I could use this script to see if I have
00:13:36 properly implemented those controls.
00:13:39 Have I successfully prevented people from
00:13:42 accidentally using those credentials on another system
00:13:45 outside of where I expect them to be used at?
00:13:49 Could also be really useful if
00:13:53 you're in what we call that tactical recovery phase and
00:13:58 you know that you've been compromised.
00:14:00 You've had a team on site doing some incident response.
00:14:04 And they wanna use this and figure out where
00:14:11 the credentials that they know were compromised have been used
00:14:15 at, because those systems have also been compromised?
00:14:19 Cuz we know they've been used all over the place here.
00:14:23 All right, so here you can see that we got our results back.
00:14:27 I have only, in my lab environment really,
00:14:29 only been using the administrator account, at
00:14:33 least that's the only one that is part of the Tier-0 groups.
00:14:36 So you can see that administrator has logged on to
00:14:39 DC1.
00:14:42 And I am seeing DC1 twice because I
00:14:45 have two different IPs for it.
00:14:46 One login was logged with the loopback address,
00:14:50 another was the actual IP of that domain controller,
00:14:54 same thing for logins to DC2.
00:14:56 And then, here, we can see there's
00:15:00 one where it couldn't resolve the host name from it, but, if I
00:15:03 were to go back through and look at these results,
00:15:06 it looks like I've got an IPv6 address that was logged in here.
00:15:09 And then I've also logged in to the WEF01 computer,
00:15:16 the Windows 10 computer, and then there was a login from
00:15:20 quite a ways back on a computer that hadn't been renamed yet.
00:15:25 We also include in here what the login type was.
00:15:31 And I could filter out these results using
00:15:35 some different PowerShell cmdlets,
00:15:37 piping it into, kind of like I did with how I sorted it here.
00:15:41 I could filter it with a Where statement if I wanted to, and
00:15:44 maybe filter out my network logins.
00:15:46 The main thing I'm looking for when I'm looking for
00:15:51 where credentials have been exposed are Interactive logins.
00:15:56 And then here, we have another one that's RemoteInteractive,
00:16:00 and then you can also see some Unlocks.
00:16:02 We don't necessarily care about Unlocks or
00:16:07 Network, but I kinda like to include them all just to get
00:16:10 a better sense of where they're being used, period.
00:16:13 Right, just anywhere on the network there.
00:16:17 >> So going back to what we had in the beginning about how
00:16:19 tactic one and two can really be used together or
00:16:22 done in parallel.
00:16:24 This tool not only shows our customers
00:16:29 what accounts are logging onto what machines.
00:16:33 But by having that information, they can also continue their
00:16:37 privilege reduction exercise, going back to tactic one.
00:16:41 >> Yes, so
00:16:42 we can determine exactly where these are being used at, and
00:16:50 by finding that information, we can reduce our attack surface.
00:16:55 So okay, I see that administrator
00:17:00 logged in to this Windows 10 box.
00:17:06 Well, as you saw in our earlier demo, that exposed those
00:17:09 credentials to that normal user workstation and
00:17:13 I was able to steal those credentials.
00:17:16 If this account had never been used there,
00:17:20 I wouldn't have been able to steal them.
00:17:21 >> Right, so that's limiting accounts to least privileged,
00:17:26 only those who need it.
00:17:27 Let's go into separating machines,
00:17:29 because that's really that second component where
00:17:33 those credentials wouldn't have been exposed.
00:17:37 If the machines were separated, even if that one person needed
00:17:40 both a privileged account and a user account.
00:17:42 >> Yep.
00:17:44 Right, so
00:17:45 let's talk about the separation of workstations there.
00:17:49 Like I said,
00:17:50 we like to call them privileged access workstations.
00:17:55 We have a very nice article that we provide as a resource at
00:17:59 the end of the deck here that you folks watching at home can
00:18:02 download and have a read through.
00:18:06 Internally at Microsoft,
00:18:07 they've also referred to them as secure admin workstations.
00:18:11 You might hear them by a few different names depending on
00:18:15 what vendors you talk to.
00:18:16 But the concept is really the same.
00:18:20 We have one machine that's our user machine, and that's where,
00:18:23 earlier where we talked about separating our user accounts and
00:18:27 our privileged accounts.
00:18:29 Our user machine is only used to log in with our user
00:18:32 account that's completely unprivileged,
00:18:35 doesn't have access to anything else.
00:18:37 >> So a tier two account.
00:18:38 >> Tier two account.
00:18:39 And that's what we're gonna use, for
00:18:41 doing all of our high-risk activities.
00:18:44 We're gonna do our Internet access, our web browsing,
00:18:48 our email access, our normal productivity stuff.
00:18:51 Anything that is Internet facing is done from this workstation.
00:18:56 And then if we take a look here at the admin workstation,
00:19:00 this one is used exclusively for administrative tasks.
00:19:05 And we can only use our privileged
00:19:08 credentials on this workstation.
00:19:13 We would actually put controls in place that prevent us
00:19:16 from logging into a user machine.
00:19:18 So we're trying to take some of the human error out of it,
00:19:24 and make it so
00:19:24 that if I accidentally forget which workstation I'm logging
00:19:28 into, I still don't end up unintentionally exposing my
00:19:32 credentials to a machine that may be compromised.
00:19:39 We should never ever access the Internet or do any of those
00:19:42 high-risk activities from this workstation. It should be tailored for
00:19:46 the type of management that we need to perform.
00:19:50 So in the context of our discussions here around
00:19:53 defending Active Directory,
00:19:56 this would include all of our AD tools in it.
00:20:00 So we'll have the remote
00:20:01 admin tools for
00:20:02 Active Directory on there: Active Directory Users and
00:20:05 Computers, the Active Directory module for PowerShell.
00:20:09 Anything that we might need to use to administer
00:20:14 a domain controller we would put on this tier zero privileged
00:20:18 access workstation, or we call them PAW for short.
00:20:21 >> Mm-hm, going back to that side by side comparison,
00:20:24 I wanna highlight the exposure versus the impact
00:20:28 from a risk perspective.
00:20:29 So the user machine, tier two, it's high exposure,
00:20:33 right, that's doing all the risky stuff.
00:20:35 >> Yep.
00:20:35 >> But low impact, so if those credentials are stolen
00:20:39 there's not much that someone could do with them,
00:20:41 a threat actor can do with them.
00:20:43 >> Right, it's kinda going into that containerization that
00:20:47 Zaid talked about.
00:20:49 So I'm limiting what impact that stolen credential has.
00:20:56 >> Mm-hm.
00:20:58 My normal user account might have access to some information
00:21:02 that's interesting.
00:21:04 I might have some emails that are valuable.
00:21:07 >> Right. >> Maybe had
00:21:08 some trade secrets in it.
00:21:09 Or allow somebody that got
00:21:13 a hold of my normal credentials and got into my mailbox,
00:21:15 they could maybe do some insider trading.
00:21:18 Because they found out from an email that I sent that
00:21:21 my company's about to acquire this other company.
00:21:23 So that's juicy.
00:21:25 I'm gonna go buy some stocks here.
00:21:27 But, we're limiting it to only what that one person knows, and
00:21:32 what that one person has access to.
00:21:34 And if we're implementing those least privilege concepts that
00:21:39 you guys talked about earlier.
00:21:41 We're limiting access that that
00:21:44 user has only to the data that they need to do their job.
00:21:48 So if I am, let's say I'm
00:21:53 gonna pick on IT, cuz we're all IT professionals here.
00:21:57 If I'm working at the help desk, I probably don't need to
00:22:02 have access to the same type of data that somebody that works in
00:22:08 payroll in our finance department has.
00:22:11 Right?
00:22:11 So, if you get my normal user help desk credentials, the most
00:22:17 interesting thing you might find for me is emails regarding
00:22:21 status of trouble tickets that I have open right now.
00:22:25 And because I'm using these mitigation techniques and
00:22:29 using separate machines,
00:22:32 I've not exposed my admin credentials to you.
00:22:34 So you're not gonna be able to use them to go and
00:22:37 access the more valuable information in the environment.
00:22:40 >> And then looking at that admin machine that has
00:22:43 low exposure, but high impact activities.
00:22:46 So that's exactly what we're after and
00:22:49 what we're trying to limit, keep in that compartment
00:22:55 of being an admin, of having low exposure to
00:22:59 the Internet, to threat actors, whatever it may be.
00:23:03 But, high impact on the kind of work that we do.
00:23:06 So let's look at kind of the options, I guess,
00:23:08 on how we can separate out the machines and
00:23:10 make this really real for our customers.
00:23:14 >> Yeah.
00:23:15 So we have a couple different ways that we can go about it.
00:23:19 And one is actually having two separate physical machines.
00:23:23 Now, when you tell that to people they go,
00:23:26 man, you're making me go out and buy all this new hardware and
00:23:30 we just don't have the budget for it right now.
00:23:32 And it can kind of become an excuse not to do this.
00:23:35 But as you can see, this is really one of our most impactful
00:23:39 mitigation strategies that we have available, because
00:23:44 if we limit where the credentials are entered,
00:23:46 we make it extremely difficult, if not impossible,
00:23:51 for an attacker to steal those credentials, and
00:23:55 we're really achieving the goals that we're talking about in
00:23:58 this tactic here and protecting our privileged identities.
00:24:02 So if we take a look at the options that we have here,
00:24:09 there's some pros and cons to each one of them.
00:24:11 If we have separate physical machines,
00:24:15 we are least likely to have
00:24:18 human errors because I actually have to
00:24:21 move from one computer to another to do different tasks.
00:24:25 And it's pretty easy for me to tell where I'm working.
00:24:31 Some of the downsides to that are, obviously, the cost.
00:24:34 We talked about that.
00:24:35 I have to buy an additional system to act as my PAW, and
00:24:40 the other one is desk space, you know?
00:24:45 I know when I used to be on the customer side,
00:24:49 I had a pretty decent sized desk and
00:24:51 I used to have three monitors and stuff like that.
00:24:53 And I had multiple computers, so it wasn't a big deal for me.
00:24:55 But, I've also worked other places and I've worked with
00:24:58 a lot of customers that don't have as much desk real estate,
00:25:02 and you really would be pushing things to have them
00:25:06 have multiple systems.
00:25:07 >> Right. >> That do
00:25:08 these types of things.
00:25:09 >> And for that user, the weight might come into account also.
00:25:12 Especially, they may not be.
00:25:12 >> Right, especially if they're a remote worker, yeah.
00:25:14 >> Exactly, right at their desk, but
00:25:15 they're carrying around their machines, and
00:25:16 they don't want to carry around two machines.
00:25:18 I definitely wouldn't.
00:25:19 I can tell you my backpack that I carry around,
00:25:23 I've got a very large laptop in it, and that thing weighs
00:25:26 about 50 pounds with all the gear that I have in it already.
00:25:29 If I had to add a second system to that, I'd probably be going
00:25:33 to the doctor for some back surgery very soon.
00:25:36 [LAUGH] >> So what are our
00:25:37 other options?
00:25:38 So the other options that we have are to virtualize.
00:25:43 Now you, especially if you have some more recent and more
00:25:48 modern hardware, can probably do this on existing hardware.
00:25:52 Especially now. Well, it really started back with Windows 8, but
00:25:57 it's gotten even better moving into Windows 10, is that we have
00:26:02 some virtualization built right into the operating system.
00:26:04 So I can run my standard user environment
00:26:09 inside of my admin environment as a virtual machine.
00:26:14 So that I got one place to do all my work and I just need to
00:26:18 make sure that when I'm switching back and forth between
00:26:22 my admin environment and my user environment,
00:26:25 I'm not trying to enter my credentials into
00:26:29 the normal user environment.
00:26:30 >> But, I see here,
00:26:31 one thing I want to point out under the virtual machine.
00:26:34 >> The admin environment,
00:26:36 that has to be the base image, right?
00:26:38 >> Absolutely.
00:26:39 >> On the hardware.
00:26:40 >> Yes.
00:26:40 >> And can you elaborate on that?
00:26:42 >> Right. So again, it's all about
00:26:43 controlling where the credentials are entered.
00:26:47 If I enter the credentials into the untrusted system, that high
00:26:52 risk system, where I'm supposed to be doing my normal user
00:26:54 activities, then I can do the attacks that we showed earlier.
00:27:00 If I enter my normal user credentials into my highly
00:27:03 protected admin workstation, I don't have those same concerns. Right?
00:27:09 I'm exposing
00:27:10 lesser trusted credentials to a more trusted system, but
00:27:14 the attackers don't have access to that, they only have access.
00:27:18 Potentially have access to my guest virtual machine,
00:27:22 that's the user environment in there.
00:27:24 So it's very important that the admin is always the host, and
00:27:29 the normal user, a standard user environment,
00:27:32 is always the guest if you're going to virtualize.
00:27:34 >> Right. And
00:27:35 that's consistent with the third option, right.
00:27:37 >> Yeah, and the third option,
00:27:41 you can do it a few different ways.
00:27:42 Or, we have an external admin interface.
00:27:44 So, I could have a, actually, we're
00:27:51 showing something different in the third option, here.
00:27:53 I'm sorry, I thought we,
00:27:54 I guess we lumped that in with the virtual machine.
00:27:57 So, the third option here is that you actually reboot
00:28:00 the system into an admin environment.
00:28:03 So this is using a USB
00:28:06 drive that has your admin environment installed on it, and
00:28:10 I would reboot into that and when I'm done using it,
00:28:13 I pull that USB stick out,
00:28:14 and I reboot back into my normal user environment.
00:28:17 Which I kind of
00:28:22 can be a little bit more toward the best of both worlds where
00:28:26 we're blending the ability to have two machines,
00:28:30 but not two separate physical machines, same physical machine.
00:28:34 But I'm less likely to accidentally
00:28:39 enter my credentials into the standard user environment
00:28:43 because I have to do that reboot to get from one to the other.
00:28:47 Although that could be a little bit more
00:28:50 cumbersome in my day-to-day activities.
00:28:53 Because I might need to be able to switch quickly back and
00:28:56 forth between them and
00:28:57 having to wait between reboots can be a little bit annoying.
00:29:01 But at least there's several different options out there.
00:29:03 Another that I wanna point out
00:29:06 that kinda falls into the middle on there, the virtual machine,
00:29:09 is the virtual machine doesn't necessarily have to be running
00:29:12 on that admin workstation. I could
00:29:19 connect to a virtual machine that's running in a, like a VDI.
00:29:23 All right, so I've got a virtual desktop that runs on a dedicated
00:29:28 server farm, that's my normal user environment.
00:29:31 And then my admin machine is my host that I'm just
00:29:35 remotely connecting to the other one from.
00:29:41 Right, so
00:29:42 now let's talk about randomizing the local admin password.
00:29:48 We have a solution called the Local Admin Password Solution.
00:29:52 [LAUGH] Or LAPS for sure.
00:29:54 >> Happy title.
00:29:55 >> Yeah.
00:29:56 This is a free tool.
00:29:58 And it's very easy to use.
00:30:01 To set it up, all there is is there's a very quick schema
00:30:03 extension, and you get these two values here.
00:30:06 One of them stores the password in it, the other one stores
00:30:11 an expiration time, and all of this is controlled by a GPO.
00:30:15 So there is a very quick script to run.
00:30:19 It's actually a one-liner command, and
00:30:21 it's a very detailed guide that comes with this for
00:30:24 setting it up.
00:30:25 You execute the script, and that sets up the schema extensions.
00:30:28 And then you go into the GPO and you configure your settings.
00:30:33 And it pushes out the DLL that tells
00:30:38 every computer that you apply this GPO to, that
00:30:41 I'm going to set the password for the local admin account
00:30:46 on this computer to something that's completely random.
00:30:49 And we do this, because if I have the same password,
00:30:54 same local admin password on all of my systems,
00:30:58 it's very easy for me to do that lateral movement.
00:31:02 Because I can just use that local account to go from machine
00:31:05 to machine to machine, and eventually,
00:31:07 I'm gonna find those domain credentials and
00:31:10 get that escalation of privilege by doing this.
00:31:13 So this is a very big step towards
00:31:18 eliminating the ability to do that lateral traversal.
00:31:20 >> Now, question,
00:31:21 why is it okay that it's storingthe password in clear text?
00:31:25 >> Very good question,
00:31:27 because I get asked thisone a lot by customers.
00:31:30 And it's okay because it'sstored in Active Directory
00:31:33 in a secure value
00:31:36 that you lock down withan access control list.
00:31:39 So only people that you want tobe able to read this password
00:31:42 can read the password.
00:31:44 So, for example, I
00:31:47 would give my helpdesk staff the ability
00:31:52 to read the passwords on my tier-2 workstations.
00:31:55 So that if you were to call me up, and I'm working on the help
00:31:59 desk, and you say I'm having this problem with my computer,
00:32:04 and I need to remote into your computer.
00:32:06 Well, just like we were talking about with
00:32:09 separating our accounts and separating workstations,
00:32:12 I don't want to expose a domain account that is highly
00:32:17 privileged to your untrusted workstation.
00:32:20 I wanna use a local account that is privileged,
00:32:23 just the local admin account on your workstation so
00:32:27 that I can fix your computer for you.
00:32:29 So I'm gonna first go into Active Directory, and
00:32:32 I'm gonna look at your computer account.
00:32:34 And actually, why don't I just show you?
00:32:37 Let's hop into a demo here, and
00:32:39 we'll show you how this actually works.
00:32:42 All right, so as I was talking about, this is all
00:32:45 controlled by GPO, and here's what the GPO settings look like.
00:32:49 When you install this local admin password, or LAPS
00:32:53 solution here, you'll get a GPO with a few different settings.
00:32:56 The first one I have here are the password settings.
00:33:04 For my demo here in the lab I went with the defaults,
00:33:07 and it sets the password to something completely random
00:33:12 that's 14 characters long, and
00:33:13 then it sets the expiration on it for 30 days.
00:33:17 Now, I could make that more or less however I want.
00:33:22 Every time this computer reboots, that password is going
00:33:27 to get reset to something completely random.
00:33:32 When it happens,
00:33:34 we write to those values that we saw on the slides there.
00:33:36 We write that password, and I go over and find this computer.
00:33:44 So this was the computer that I logged into.
00:33:47 And if I have permissions to do this,
00:33:50 which you should very tightly control, and
00:33:53 we want specific people to have permissions on it.
00:34:01 I can go and look up what the password is for
00:34:04 this workstation, and here we have it.
00:34:08 So you see this 14 character long
00:34:10 random password was generated.
00:34:13 Now, if I wanted to remote into this machine,
00:34:17 I could copy this out of here.
00:34:19 And then there's actually a couple
00:34:20 different ways you can get to it.
00:34:22 So I'm showing how to look at this
00:34:24 through the Attribute Editor in AD Users and Computers, but
00:34:27 it actually comes with a thick client
00:34:30 that you can give to whoever needs to have this capability of
00:34:34 looking up a system's local admin password.
00:34:36 Or they could just type in the name of the computer that they
00:34:39 need the password for, and it will query it.
00:34:41 And as long as they have the proper permissions to
00:34:44 access this attribute, it will return the password for them.
00:34:47 There's also a PowerShell
00:34:50 tool that you could do the same thing with, so
00:34:52 you've got a couple different options for retrieving it there.
00:34:55 So I get the password, and then I remote into the system,
00:35:01 and I log in with whatever the local administrator account is.
00:35:04 It doesn't matter if it's been renamed, the tool is looking for
00:35:07 the well-known SID for that account.
00:35:10 So if my local admin account was renamed Claire,
00:35:14 it would set the password on Claire, right?
00:35:17 But if it's administrator, administrator, you get the idea.
00:35:19 And so
00:35:21 I would just copy this password and paste it in to log in.
00:35:25 And when I'm done doing that, I can go back and
00:35:29 force the password to change so that the next time somebody
00:35:33 needs to do it, they have to look up a new password.
00:35:35 >> And the end user really never gets it?
00:35:38 >> The end user never knows, because they shouldn't, right?
00:35:40 They shouldn't know what that local password is,
00:35:43 they don't need that level of privileges on it.
00:35:47 So only the people that you give permissions to retrieve this
00:35:51 information are able to access it.
00:35:53 >> Great, and all part of the free tool.
00:35:57 >> All part of the free tool.
00:35:59 And it's so easy to implement, and
00:36:02 because you can control everything from the GPO,
00:36:07 one of the other settings that was in there was you can
00:36:11 enable and disable whether or not you're setting the password.
00:36:14 So you can set everything up in advance and get it ready to go
00:36:18 and then roll it out during your next change management window or
00:36:22 whatever the processes are for your organization, and
00:36:26 you can even test it first, right?
00:36:29 I can link the GPO and enable it just for
00:36:31 a small subset of computers, make sure it's doing what I
00:36:35 expect it to do before I roll it out to the rest of them.
00:36:38 And we should do this on both our workstations and
00:36:43 our servers.
00:36:44 The exception, obviously, being domain controllers, because
00:36:49 domain controllers don't really have a local admin account,
00:36:52 it's the built-in administrator account.
00:36:54 We don't wanna try and set that there, but all of our
00:36:56 other Windows systems, whether they're servers or workstations,
00:37:00 we've gotta use this tool on.
00:37:01 >> That's great.
00:37:03 >> So let's take a look at some additional controls.
00:37:09 One thing that you can do to strengthen.
00:37:12 So we talked about the top three here in protecting your
00:37:15 privileged identities, but there's some additional controls
00:37:19 as you move along that you wanna implement here.
00:37:23 One of them being multi-factor authentication.
00:37:25 That could be anything like a smart card,
00:37:29 a one-time password token.
00:37:32 We have this thing in all of our online properties,
00:37:35 like Office 365 and Azure, called PhoneFactor or
00:37:38 phone authentication where you can have it send you a text
00:37:41 message or give you a phone call and
00:37:43 ask you to put in a PIN as another form of authentication.
00:37:47 So always something you have and
00:37:50 something you know to do that multi-factor.
00:37:53 Now, you should always start out with those privileged accounts,
00:37:57 you wanna make it mandatory for those privileged accounts.
00:38:00 So when I log into my PAW, I have to have a second, or if there
00:38:04 are more than one factor of authentication to get into it.
00:38:08 And then, it's also very recommended for
00:38:11 all of the other accounts that you have in the environment,
00:38:15 all your normal user accounts.
00:38:17 It doesn't stop the pass-the-hash, but it does stop you from,
00:38:22 if you don't have my additional factor of authentication,
00:38:26 it stops you from using my credentials remotely.
00:38:29 So if you phished me and got my password,
00:38:31 maybe you're not gonna be able to log into my system now
00:38:35 if all you have is my password.
00:38:37 In that scenario where you ask me for my password, and
00:38:40 I give it to you, it doesn't stop the attacker if
00:38:45 you click on something and download some malware.
00:38:48 At that point, they don't need your password,
00:38:49 because they could just use the hash.
00:38:52 But still,
00:38:53 a lot of value out of doing that multi-factor authentication.
00:38:57 The next thing, and I combine these together,
00:39:00 you might hear people separate them from time to time,
00:39:04 but is Just In Time and Just Enough Administration,
00:39:08 and they're the most powerful when combined together.
00:39:12 And when I use those, what I'm doing is making it so
00:39:16 that I only have privileges when I need them.
00:39:20 So we already reduced where our privileges are being exposed by
00:39:23 having those privileged access workstations, and I can reduce
00:39:28 the exposure even further by making my privilege temporary.
00:39:33 So if I know that I'm gonna need to be a domain admin to work on
00:39:38 a domain controller and do some maintenance on it, and
00:39:41 it's gonna take me three hours to do this maintenance.
00:39:45 I can apply this Just In Time approach, and
00:39:48 there are different solutions out there that'll help you
00:39:52 with that,
00:39:53 where it puts my privileged account into domain admins.
00:39:57 On a timer for that three hours or however long it's
00:40:00 gonna take me to complete my work and my tasks.
00:40:02 And as soon as that timer's up or
00:40:04 as soon as I'm done doing my work, it pulls it out and
00:40:08 that account no longer has those privileges.
00:40:10 So that makes it so that even if somebody managed to get past
00:40:13 our mitigations and defenses, the account may still be useless
00:40:18 to them because right now I'm not doing anything with it,
00:40:22 it's unprivileged and I can't access things.
00:40:25 >> One offering that we have around that is MARS, right?
00:40:28 So we have an offering called Manage Access Request System.
00:40:32 MARS was built on FIM in the past, right?
00:40:36 Or it is built on FIM and
00:40:38 now with MIM coming out we're building MARS on MIM.
00:40:42 So one of the credential theft mitigations that
00:40:45 we offer as part of Microsoft Services.
00:40:47 >> Yeah, that's that Microsoft Identity Management solution.
00:40:51 >> Yes.
00:40:52 >> Yeah, and I know they're building some things in another
00:40:55 tool called the Privileged Access Management,
00:40:58 the PAM tool that kind of goes along with this as well.
00:41:02 And then you tie that in to the Just Enough Administration, which
00:41:07 goes back to the least privileges that you and
00:41:09 Zade talked about earlier.
00:41:11 So I only have
00:41:14 enough privileges to complete the tasks that I need.
00:41:17 If I don't need to be a domain admin to do something
00:41:20 I don't get that level of privileges.
00:41:22 I get something less than it.
00:41:24 And like I said,
00:41:26 it really ties back into those principles of least privilege.
00:41:30 Then the last control that you would look at is a separate
00:41:35 forest for administering your production forest for
00:41:39 Active Directory.
00:41:42 Now we have a solution called the Enhanced Security
00:41:45 Administrative Environment for this and
00:41:48 we set up what we call a Red Forest, and our tier 0 PAWs and
00:41:53 all our tier 0 accounts live inside of this Red Forest.
00:41:57 And we use that to manage our tier 0
00:42:00 assets in our production forest.
00:42:03 Sometimes you might hear people refer to it as a Blue Forest,
00:42:07 Red versus Blue there.
00:42:08 And with that, if my production forest gets compromised,
00:42:15 they don't have a way back in to my admin forest.
00:42:20 And they can never get a hold of my admin credentials there.
00:42:23 So that's just another thing to do to reduce the exposure.
00:42:28 That's really what all of this is about and
00:42:30 all these mitigations are about is minimizing the exposure of
00:42:34 the credentials.
00:42:35 Because if I was an attacker and never had an opportunity to
00:42:38 see those credentials, I'm stuck, and
00:42:41 hopefully you're gonna find me before I can ever get to
00:42:44 that privilege escalation step that we talked about earlier.
00:42:51 >> All right, so coming up next we are moving into Tactic 3,
00:42:54 Defending your Directory.
00:42:57 And I will be working with Josh on that one.
00:43:01 And finally, the resources that we have available as part of
00:43:04 this session, there's a whole list of them.
00:43:07 There's Securing Privileged Access by Microsoft,
00:43:11 at these links.
00:43:14 There's more information about our PAW offering under
00:43:16 Privileged Access Workstations, something that you can also take
00:43:19 and do on your own at your organization.
00:43:24 The script that Josh showed us, demoed here today,
00:43:27 that's available on the TechNet Gallery there at that link.
00:43:32 LAPS, again a free solution, also demoed today.
00:43:37 Pass-the-hash demo, the third demo that we went through today.
00:43:43 >> Actually, that was the first one that we did, but
00:43:45 there is a recording that's actually
00:43:48 probably a little bit shorter than the one that we did here,
00:43:51 that's out on YouTube that you can watch, very well done.
00:43:56 It's put in a way that you could even show this to your business
00:44:01 leaders and
00:44:02 not necessarily just limit that audience to IT professionals.
00:44:07 It's very impactful,
00:44:08 I find, so again a bunch of great, free resources.
00:44:13 Everything that we're showing here in this session today you
00:44:16 can do on your own.
00:44:18 Of course there are lots of services that we have available
00:44:22 from Microsoft to help you out here and help you implement
00:44:26 these mitigations and help you defend and
00:44:30 secure your Active Directory against cyberattacks.
00:44:34 We hope to see you again in the next section.
00:44:36 >> Thank you.