
Page 1: Enhanced Security Administrative Environmentdownload.microsoft.com/documents/hk/technet... · cyber attacks every DAY INTERNATIONAL HEADLINES Defense Secretary Panetta warns next
Page 2

Enhanced Security Administrative Environment

Wally Lee, Cybersecurity Architect, Cybersecurity Global Practice

Page 3

INTERNATIONAL HEADLINES

Britain targeted by 120,000 cyber attacks every DAY

Defense Secretary Panetta warns next Pearl Harbor could be cyber attack (GANT DAILY): Washington, DC, United States (4E) – Defense Secretary Leon Panetta repeated his warning that the next Pearl Harbor could be a cyber attack after a speech at Georgetown University ….

Sophisticated cyber-attack hits Energy Department, China possible suspect (FOX NEWS): The Energy Department has been hit by a major cyber-attack, which resulted in the personal information of several hundred employees being compromised and could have been aimed at obtaining ….

As Attacks Mount, Governments Grapple With Cyber Security Policies (AP)

Anonymous intends to block Webcasts of State of the Union (CNET)

Cyber attack on Twitter, 250,000 accounts hacked (AP)

'Cyber-attack' strikes Japan govt again (ASIA ONE)

Page 4

Threats, Attacks and Reality

• IT environments not designed for credential-theft class of attacks

• IT security resources trying to defend every system equally

• Reputation impact concerns hamper defender collaboration

Page 5

Change In Approach

Before | Now

Page 6

Business Challenges

DEFENDER

• IT Environments not designed for credential theft class of attacks

• IT Security resources trying to defend every system equally

• Reputation impact concerns hamper defender collaboration

ATTACKER

• Emergence of well-resourced and determined adversaries

• Attack tooling and automation improving drastically

• Specific targeting of organizations, people, data

Page 7

Attack Scenarios

Page 8

Page 9

• Builds the software much of the info ecosystem runs on

• Operates one of the world’s largest commercial networks and has resources like the Microsoft Security Response Center and the Microsoft Malware Protection Center

• Operates major online and cloud services

• Operates a global network of research and response labs

• Has unparalleled visibility into the threat environment

We have a wide range of security services capabilities across Microsoft. We are building additional local and regional security capabilities that can be delivered through MCS and Premier.

[Figure: scale figures whose labels were not preserved (Billions, 600 million, 20 billion, 100 million, 30 million, millions)]

Page 10

Tier 0: Domain Controllers | Tier 1: Servers and Applications | Tier 2: Users and Workstations

1. Attacker targets workstations en masse

2. User running as local admin is compromised, attacker harvests credentials

3. Attacker uses credentials for lateral movement or privilege escalation

4. Attacker acquires domain admin credentials

5. Attacker starts exercising full control of data and systems in the environment

Page 11

Pass-The-Hash Demo

Eason Lai, Microsoft Services – Technical Account Manager

Page 12

Demo hosts: DC01, Win7Hack, Win7

Step 1: Obtaining the local administrator hash

Step 2: Modify the sticky-key feature

Step 3: Create a new local administrator account

Step 4: Pass the hash – wave 1

Step 5: Obtaining the domain administrator hash

Step 6: Pass the Hash – wave 2 – Fishing

Step 7: Prepare to take control of the forest

Page 13

Thinking like an attacker

[Diagram: "Patient Zero" attack progression. Labels recovered from the figure, grouped by foothold: User Access (User Credential; User’s Data & Keystrokes; All AD Data (Read)); Workstation Administrator (SYSTEM or Administrator; All Local Data; Active User Credentials; SAM: NT Hashes); Server Administrator (User Access Servers; Access Data; Server Admin; All Local Data; Active User Credentials; SAM: NT Hashes); Domain Admin Access (Domain Controllers; Domain Admin Logon; All Data; All AD Data (Full Control); All Credentials (NT Hashes); All Workstations). Transitions: User Action; Malware Install; Beacon, C&C; Vuln & Exploit; User = Admin.]

Page 14

PtH Whitepaper

Page 15

Assume Breach

Page 16

Pass-the-Hash Mitigations

Page 17

Architect a credential theft and reuse defense

Establish a containment model for account privileges

Tier 0 – Forest admins: Direct or indirect administrative control of the Active Directory forest, domains, or domain controllers

Tier 1 – Server admins: Direct or indirect administrative control over a single or multiple servers

Tier 2 – Workstation Admins: Direct or indirect administrative control over a single or multiple devices

Page 18

Tier 0 | Tier 1 | Tier 2

• Same Tier Logon

• Higher Tier Logon

• Lower Tier Logon: Blocked
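As an added example (not part of the deck), the following Python script checks constructed logon records against the rule on this slide: same-tier logon is permitted, and an account from a more privileged tier logging on to a less privileged host (the "lower tier logon" the model blocks) is flagged. The -t0/-t1/-t2 account-name suffix, the host inventory, and the logon records are assumptions constructed for this example.

```python
import csv
import re
from io import StringIO

# Asset tiers as defined in the deck: 0 = domain controllers, 1 = servers and
# applications, 2 = users and workstations. The inventory itself is constructed.
HOST_TIER = {"DC01": 0, "APP01": 1, "SQL01": 1, "WS-0042": 2, "WS-0107": 2}

# Logon types that leave the account's credentials on the target host (interactive,
# RDP). A network logon (type 3) leaves no reusable secret there, so it is not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10}

# Constructed logon records (not real events) in a minimal CSV shape.
SAMPLE_LOGONS = """time,account,host,logon_type
08:01,alice-t0,DC01,2
08:05,alice-t0,WS-0042,10
08:07,bob-t1,APP01,2
08:09,bob-t1,WS-0107,2
08:12,carol,SQL01,3
08:15,carol,WS-0042,2
"""


def account_tier(account: str) -> int:
    """Assumed naming convention: admin accounts end in -t0/-t1/-t2;
    anything else is a standard user, which the model treats as tier 2."""
    m = re.search(r"-t([012])$", account.lower())
    return int(m.group(1)) if m else 2


def logon_allowed(acct_tier: int, host_tier: int) -> bool:
    """Same-tier logon is allowed. A more privileged account (lower tier number)
    logging on to a less privileged host is the lower-tier logon the model blocks."""
    return acct_tier >= host_tier


def find_violations(records: str) -> list:
    """Return (account, host, account_tier, host_tier) for each credential-exposing
    logon that breaks the rule; unknown hosts and network logons are skipped."""
    violations = []
    for row in csv.DictReader(StringIO(records)):
        host_tier = HOST_TIER.get(row["host"])
        if host_tier is None or int(row["logon_type"]) not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        acct_tier = account_tier(row["account"])
        if not logon_allowed(acct_tier, host_tier):
            violations.append((row["account"], row["host"], acct_tier, host_tier))
    return violations


if __name__ == "__main__":
    for acct, host, at, ht in find_violations(SAMPLE_LOGONS):
        print("tier %d account %s logged on to tier %d host %s" % (at, acct, ht, host))
```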

Page 19

Credential Theft Mitigation Strategy

1. Privilege elevation

• Credential Theft

• Application Agents

• Service Accounts

2. Lateral traversal

• Credential Theft

• Application Agents

• Service Accounts

Page 20

Tier 0 Domain Controllers | Tier 1 Servers and Applications | Tier 2 Users and Workstations

1. Credential Partitioning

2. Mitigate local account traversal

3. Mitigate domain account traversal

4. Application and Service Risks

Keep in mind that:

A. Applications and service accounts may pose credential theft and re-use risks

B. Bad guys can target individual computers and users, but these mitigations make it much harder to:

• Steal powerful credentials

• Do anything with stolen credentials

Page 21

Enhanced Security Administrative Environment

[Diagram labels: Production – Access: Users and Workstations; Data: Servers and Applications; Power: Domain Controllers. Admin Environment – Management and Monitoring; Domain Admins; IPsec Credential Partitioning; Hardened Admin Environment; Known Good Media; Network security; Hardened Workstations; Accounts and smartcards; Auto-Patching; Security Alerting; Tamper-resistant audit; Offline Administration (enforces governance); Break Glass Account(s); Red Card Admins. Assist with mitigating risks: Services and applications; Lateral traversal.]

Page 22

ESAE (Enhanced Security Administrator Environment)

Technologies: PKI & Smartcards; IPSec network isolation; Bitlocker & Applocker; SCM; SCOM

• Mitigation for ‘Pass the Hash’ style of attacks.

• Builds a separate mini AD forest which is locked down and used to administer production Active Directory forests.

• Uses a range of built-in technology and features to enable a secure administrator environment.

• It is the strategic mitigation for customers with compromised AD environments.

Mitigate Theft | Limit Usefulness | Additional Recommendations | Automated Maintenance

Makes secure practices easier and insecure harder

Page 23

Session Evaluation: http://aka.ms/SVC233

Page 24