Protecting Windows Passwords and Preventing Windows Computer / Password Attacks

Upload: manageengine-adsolutions

Post on 19-Jul-2015

Category: Technology

TRANSCRIPT

Protecting Windows Passwords

2

About Your Speaker

• Derek Melber, MCSE & MVP (Group Policy and AD)
  • [email protected]
  • www.auditingwindowsexpert.com

• Online Resources
  • ManageEngine Active Directory Blog
  • Group Policy Resource Kit – MSPress

• Windows Security Audit Package Consulting
  • Active Directory/Windows Audit Program
  • Training for efficient auditing

• Administration Consultant
  • Active Directory and Server Design/Security
  • Active Directory and Group Policy Design

3

Windows Computer Attacks

• Malicious applications
  • Viruses
  • Worms
  • Malware

• Phishing attacks

• Ransomware attacks

• Password attacks
  • Brute Force
  • Rainbow Tables
  • Pass the Hash

4

Password Attacks

• Deleting the SAM
• Dual-boot scenarios
• Social engineering
  • Impersonate another person or company
  • Barter

• Guessing
• Cracking
  • Captured challenge-response pairs
  • Locally-stored hashes

5

Pass The Hash (PtH) Attack

[Diagram: Access: Users and Workstations; Data: Servers and Applications; Power: Domain Controllers]

1. Bad guy targets workstations en masse
2. A user running as local admin is compromised; bad guy harvests credentials from that host
3. Bad guy starts the "credentials crabwalk" (moving laterally from host to host with each newly harvested credential)
4. Bad guy finds a host holding domain privileged credentials, steals them, and elevates privileges
5. Bad guy owns the network and can harvest whatever he wants

6

PtH Attack

• Attacker must gain local admin privileges (the hashes sit in LSASS memory and the SAM, which only administrators or SYSTEM can read)
• Attacker must have a connection to the computer
• The attack can't be 100% prohibited! An NTLM hash is password-equivalent wherever NTLM is accepted, so the mitigations that follow aim at containment rather than prevention

7

Mitigation #1

• Restrict and protect highly privileged domain accounts
  • Configure them with a long, strong, complex password
  • Use dual accounts (a standard account for daily work, a separate account used only for administration)
  • Restrict User Rights
  • Restrict where these accounts can log on
  • Configure "Account is sensitive and cannot be delegated"
  • Do not use them as service accounts or in scheduled tasks

8

Mitigation #2

• Remove standard users from the local Administrators group
• Ensure all applications run as a standard user
• Deploy new software and updates without administrative rights
• Obtain software that lets apps/features run even though the user is a standard user (e.g. Viewfinity)

9

Mitigation #3

• Restrict and protect local accounts with administrative privileges
  • Disable the local Administrator account
  • Do not use the same password on multiple computers
  • Configure User Rights
    • Restrict from remote administration ("Deny log on through Remote Desktop Services")
    • Restrict from network access ("Deny access to this computer from the network")
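One way to apply Mitigations #2 and #3 to a single host, as an added example that is not part of the deck. It assumes an elevated PowerShell 5.1+ session; the allow-listed principal names are constructed placeholders, and the two User Rights are applied with a secedit security template (at scale the same two settings belong in a GPO under User Rights Assignment):

```powershell
# Added example, not from the deck: enforce Mitigations #2 and #3 on one host.
# Run in an elevated PowerShell 5.1+ session (Get-/Remove-LocalGroupMember).
# Assumption: only the principals in $AllowedAdmins may keep local admin rights;
# the names are constructed placeholders.
$AllowedAdmins = @('CORP\Workstation Admins', 'CORP\helpdesk-jump')

# 1. Remove every other member from the local Administrators group (Mitigation #2)
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # The built-in Administrator (RID 500) stays in the group but is disabled below
    $isBuiltin = $m.SID.Value -like 'S-1-5-21-*-500'
    if (-not $isBuiltin -and $m.Name -notin $AllowedAdmins) {
        Write-Host "Removing $($m.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
    }
}

# 2. Disable the built-in Administrator, found by RID so a renamed account is still caught
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) { Disable-LocalUser -InputObject $builtin }

# 3. User Rights (Mitigation #3): deny network and Remote Desktop logon to
#    "Local account and member of Administrators group" (well-known SID S-1-5-114,
#    available on Windows 8.1 / Server 2012 R2 and later, or earlier with KB2871997).
#    A local admin hash stolen from this host then cannot be replayed against other hosts.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@
$infPath = Join-Path $env:TEMP 'deny-local-admin-remote.inf'
$dbPath  = Join-Path $env:TEMP 'deny-local-admin-remote.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# 4. Verify: export the effective policy and show that both rights carry S-1-5-114
$exportPath = Join-Path $env:TEMP 'effective-rights.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet
Select-String -Path $exportPath -Pattern '^SeDeny(Network|RemoteInteractive)LogonRight' |
    ForEach-Object { $_.Line }
```

A template line replaces the whole assignment for that right rather than appending to it, so if a right already denies other principals (workstations deny Guest from the network by default) list them on the same line, for example `SeDenyNetworkLogonRight = *S-1-5-114,Guest`.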

10

Mitigation #4

• Don't use the same password on workstations, servers, and the domain
  • Don't allow every workstation to use the same local admin password
  • Don't use the same password for workstations and servers
• Reset passwords often (even for Admins)
• Use a password vault for domain admin credentials and change those passwords often

11

Mitigation #5

• Restrict inbound traffic using the Windows Firewall
  • Restrict all inbound connections to all workstations except for expected traffic
  • Configure trusted sources
    • Help desk
    • Workstations
    • Scanners
    • Management servers
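The workstation firewall policy described in Mitigation #5, as an added example that is not from the deck. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) in an elevated session; the subnets and rule names are constructed placeholders to be replaced with the real help desk, scanner and management ranges:

```powershell
# Added example, not from the deck: default-deny inbound on a workstation and allow
# management protocols only from trusted sources (Mitigation #5). Run elevated.
# The addresses below are constructed placeholders.
$TrustedSources = @(
    '10.10.5.0/24',    # help desk jump hosts
    '10.10.20.0/24',   # vulnerability scanners
    '10.10.30.10'      # management server (SCCM/WSUS)
)

# Block everything inbound that no rule explicitly allows, on every profile
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Remove any earlier copy of our rules so the script can be re-run safely
Get-NetFirewallRule -DisplayName 'Mgmt-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Allow remote management (SMB, RPC, WinRM, RDP) only from the trusted sources,
# and only while the machine is on the domain profile
$Services = @{
    'Mgmt-SMB'   = @{ Protocol = 'TCP'; LocalPort = 445 }
    'Mgmt-RPC'   = @{ Protocol = 'TCP'; LocalPort = 135, '49152-65535' }
    'Mgmt-WinRM' = @{ Protocol = 'TCP'; LocalPort = 5985, 5986 }
    'Mgmt-RDP'   = @{ Protocol = 'TCP'; LocalPort = 3389 }
}
foreach ($name in $Services.Keys) {
    $p = $Services[$name]
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $p.Protocol -LocalPort $p.LocalPort -RemoteAddress $TrustedSources | Out-Null
}

# Show what was created: name, ports and the remote addresses each rule accepts
Get-NetFirewallRule -DisplayName 'Mgmt-*' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
    '{0,-12} port {1,-14} from {2}' -f $_.DisplayName, $port, $addr
}

# Audit: any other enabled inbound Allow rule punches through the default block,
# so review this list and disable rules that are not expected traffic
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike 'Mgmt-*' } |
    Select-Object DisplayName, Profile
```

The default-deny only bites for traffic that no enabled Allow rule matches, which is why the last query matters: built-in rules such as File and Printer Sharing, if left enabled, still admit SMB from any address.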

12

Mitigation #6

• Do not allow browsing the Internet with highly privileged accounts
  • Configure User Account Control at the highest level ("Always notify")
  • Configure outbound proxies to deny Internet access to privileged accounts
  • Ensure administrative accounts do not have email accounts or mailboxes associated with them

13

Mitigation #7

• Update applications and operating systems
  • Use Microsoft WSUS
  • Use Microsoft SCCM
  • Obtain software to verify current vulnerabilities (vulnerability scanning)

14

Mitigation #8

• Limit the number of privileged domain accounts
• Restrict access to the default groups with elevated privileges
  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • DnsAdmins
  • DHCP Administrators
  • Group Policy Creator Owners
  • Backup Operators
  • Account Operators
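An audit that ties Mitigation #8 back to Mitigations #1 and #14, as an added example that is not from the deck: it walks the privileged groups listed above and flags members that can still be delegated, carry an SPN (so are being used as service accounts), or have a stale or non-expiring password. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to AD; the 180-day threshold is an assumption taken from the upper end of the deck's range:

```powershell
# Added example, not from the deck: audit the default privileged groups and flag
# member accounts that break Mitigation #1 (delegation allowed, used as a service
# account) or Mitigation #14 (stale or non-expiring password).
# Assumes the RSAT ActiveDirectory module; the 180-day threshold is an assumption.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'DnsAdmins', 'DHCP Administrators', 'Group Policy Creator Owners',
    'Backup Operators', 'Account Operators'
)
$MaxPasswordAgeDays = 180

function Get-PrivilegedAccountFinding {
    foreach ($GroupName in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # DnsAdmins / DHCP Administrators only where those roles are installed
        $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
        if (-not $Group) { continue }

        # -Recursive expands nested groups so indirectly privileged users are not missed
        Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties AccountNotDelegated, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
            ForEach-Object {
                $Issues = @()
                if (-not $_.AccountNotDelegated) { $Issues += 'delegation allowed' }
                if ($_.ServicePrincipalName)     { $Issues += 'has SPN (used as a service account)' }
                if ($_.PasswordNeverExpires)     { $Issues += 'password never expires' }
                if (-not $_.PasswordLastSet -or
                    $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                    $Issues += "password older than $MaxPasswordAgeDays days"
                }
                if ($Issues.Count -gt 0) {
                    [pscustomobject]@{
                        Group   = $GroupName
                        Account = $_.SamAccountName
                        Enabled = $_.Enabled
                        Issues  = ($Issues -join '; ')
                    }
                }
            }
    }
}

$Findings = Get-PrivilegedAccountFinding
$Findings | Sort-Object Group, Account | Format-Table -AutoSize

# Remediate the delegation finding for Domain Admins (Mitigation #1): this sets
# "Account is sensitive and cannot be delegated". Remove -WhatIf to apply.
$Findings |
    Where-Object { $_.Group -eq 'Domain Admins' -and $_.Issues -like '*delegation allowed*' } |
    ForEach-Object { Set-ADUser -Identity $_.Account -AccountNotDelegated $true -WhatIf }
```

Run it against each domain in the forest; group membership and password age are per domain, and the Administrators group in a child domain is not the same group as the one in the forest root.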

15

Mitigation #9

• Secure Domain Controllers
  • Reduce the number of applications installed
  • Physical security
  • Ensure User Rights are configured properly
  • Restrict anonymous access

16

Mitigation #10

• Remove LM hashes
  • The policy "Network security: Do not store LAN Manager hash value on next password change" stops the LM hash being stored with the user account
    • Local SAM
    • Active Directory
  • If the user DB is compromised, the LM hash is not there
  • The setting only takes effect when each password is next changed; LM hashes already stored remain until the passwords are reset (Mitigation #14)

17

Mitigation #11

• Disable LM and NTLM
  • Refuses these authentication protocols: "Network security: LAN Manager authentication level" set to send NTLMv2 only and refuse LM & NTLM, plus the "Restrict NTLM" policies where NTLM can be removed altogether
  • Stops LM and NTLMv1 challenge-response pairs from being captured on the wire and cracked
  • Does not stop hashes being read out of LSASS or the SAM; it shrinks the set of places a stolen NTLM hash can be replayed, since a Pass-the-Hash logon is refused only where NTLM itself is refused
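The registry form of Mitigations #10 and #11 for one host, with a check that reports drift, as an added example that is not from the deck. The values are the same ones exposed under Security Options in Group Policy, which is how they should be deployed fleet-wide; this runs in an elevated session and assumes the host is Windows Vista / Server 2008 or later:

```powershell
# Added example, not from the deck: apply and verify Mitigations #10 and #11 on a
# single host through the registry. Run elevated. Existing sessions keep the
# protocol they negotiated; new authentications pick up the change.
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1 = Join-Path $Lsa 'MSV1_0'

$Desired = @(
    # "Network security: Do not store LAN Manager hash value on next password change"
    @{ Path = $Lsa;  Name = 'NoLMHash';                  Value = 1 }
    # "Network security: LAN Manager authentication level" = 5:
    #   send NTLMv2 response only, refuse LM and NTLM (v1) from clients
    @{ Path = $Lsa;  Name = 'LmCompatibilityLevel';      Value = 5 }
    # "Network security: Minimum session security for NTLM SSP based clients/servers":
    #   0x20080000 = require NTLMv2 session security and 128-bit encryption
    @{ Path = $Msv1; Name = 'NtlmMinClientSec';          Value = 0x20080000 }
    @{ Path = $Msv1; Name = 'NtlmMinServerSec';          Value = 0x20080000 }
    # "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = 2 (all accounts).
    #   Audit first; once the NTLM Operational log shows no legitimate NTLM use,
    #   RestrictReceivingNTLMTraffic / RestrictSendingNTLMTraffic = 2 refuses NTLM entirely.
    @{ Path = $Msv1; Name = 'AuditReceivingNTLMTraffic'; Value = 2 }
)

foreach ($d in $Desired) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
}

# Report expected vs. actual so a fleet scan can aggregate non-compliant hosts
function Test-NtlmHardening {
    foreach ($d in $Desired) {
        $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        [pscustomobject]@{
            Setting   = $d.Name
            Expected  = $d.Value
            Actual    = $actual
            Compliant = ($actual -eq $d.Value)
        }
    }
}
Test-NtlmHardening | Format-Table -AutoSize
```

Set LmCompatibilityLevel to 5 on domain controllers only after every client is already at 3 or higher, otherwise clients that still send NTLMv1 are locked out; the audit value is there so the final NTLM block can be staged the same way.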

18

Mitigation #12

• Configure the "Log On To..." workstation list for service accounts
  • Limits which computers the account can log on to
  • Restricts it from logging on to any other computer
  • Set in the user account properties (Account tab, "Log On To..."; stored in the userWorkstations attribute)

19

Mitigation #13

• Don't allow service accounts to change their own password
  • Set "User cannot change password" so only an administrator can reset it
  • Denies the user (or an attacker holding the account) the ability to change the password
  • Set in the user account properties
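Mitigations #12 and #13 applied to one service account, followed by a query for service accounts that still lack them, as an added example that is not from the deck. It assumes the RSAT ActiveDirectory module; the account name `svc-backup` and the host names `BKUP01`/`BKUP02` are constructed placeholders:

```powershell
# Added example, not from the deck: restrict where a service account can log on
# (Mitigation #12) and stop it changing its own password (Mitigation #13), then
# audit for service accounts that are still unrestricted.
# Assumes the ActiveDirectory module; names below are constructed placeholders.
Import-Module ActiveDirectory

$Account      = 'svc-backup'
$AllowedHosts = @('BKUP01', 'BKUP02')   # NetBIOS names of the only hosts this account may log on to

# -LogonWorkstations writes the "Log On To..." list (userWorkstations attribute);
#   it is a comma-separated list with no spaces.
# -CannotChangePassword sets "User cannot change password".
# -AccountNotDelegated additionally keeps the account's identity from being delegated.
Set-ADUser -Identity $Account `
    -LogonWorkstations ($AllowedHosts -join ',') `
    -CannotChangePassword $true `
    -AccountNotDelegated $true

# Verify the change took effect
Get-ADUser -Identity $Account -Properties LogonWorkstations, CannotChangePassword, AccountNotDelegated |
    Select-Object SamAccountName, LogonWorkstations, CannotChangePassword, AccountNotDelegated

# Audit: an account with an SPN is a service account in practice; list the enabled
# ones that may still log on anywhere or can change their own password.
function Get-UnrestrictedServiceAccount {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties LogonWorkstations, CannotChangePassword, ServicePrincipalName |
        Where-Object { $_.Enabled -and (-not $_.LogonWorkstations -or -not $_.CannotChangePassword) } |
        Select-Object SamAccountName,
            @{ n = 'LogOnTo';          e = { if ($_.LogonWorkstations) { $_.LogonWorkstations } else { '(any computer)' } } },
            @{ n = 'UserCanChangePwd'; e = { -not $_.CannotChangePassword } }
}
Get-UnrestrictedServiceAccount | Format-Table -AutoSize
```

The workstation restriction is checked against the computer name the client presents during logon, and under NTLM that name is supplied by the client, so treat "Log On To..." as a containment control that narrows where a stolen service credential is useful, not as a hard boundary.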

20

Mitigation #14

• Reset passwords for ALL user accounts
  • Normal users should change their password every 60 to 180 days
    • Depends on compliance regulations
    • Depends on password structure
  • Administrators should change their password every 60 to 180 days
  • Service accounts should have their password changed every 180 to 360 days


Questions?

Thank you!