Architectural Changes

LAPS - Local Administrator Password Solution

  • Centralized storage of passwords in AD with periodic randomizing where read permissions are access controlled

  • Computer objects have two new attributes ms mcs AdmPwd attribute stores the clear text password and ms mcs AdmPwdExpirationTime controls the password change

  • Storage in clear text, transmission is encrypted

  • With careful enumeration, it is possible to retrieve which users can access the clear text password providing a list of attractive targets!

Credential Guard

  • Now called, Windows Defender Credential Guard, it "uses virtualization based security to isolate secrets so that only privileges system software can access them"

  • Effective in stopping PTH and Over PTH attacks by restricting access to NTLM hashes and TGTs

  • As of Windows 10 1709, it is not possible to write Kerberos tickets to memory even if we have credentials.

  • https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

  • Credentials for local accounts in SAM and Service account credentials from LSA secrets are NOT protected

  • Credential Guard cannot be enabled on a domain contorller as it breaks authentication there

  • Only available on the Windows 10 Enterprise edition and Server 2016

  • Possible to replay service account credenttials for lateral movement even if credential guard is enabled

Device Guard

  • Now called, Windows Defender Device Guard, it is a group of features "designed to harden a system against malware attacks. Its focus is preventing malicious code from running by ensuring only known good code can run."

  • Three primary components:

    • Configurable Code Integrity (CCI) Configure only trusted code to run

    • Virtual Secure Mode Protected Code Integirty Enforces CCI with Kernerl Mode (KMCI) and User Mode (UMCI)

    • Platform and UEFI Secure Boot Ensures boot binaries and firmware integrity

  • https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control

  • UMCI is something which interferes with most of the lateral movement attacks we have seen

  • While it depends on the deployment (discussing which will be too lengthy), many well known application whitelisting bypasses signed binaries like csc.exe, MSBuild.exe etc. are useful for bypassing UMCI as well

Protected Users Group

  • Introduced in Server 2012 R2 for "better protection against credential theft" by not caching credentials in insecure ways

  • A user added to this group:

    • Cannot use CredSSP and WDigest No more cleartext credentials caching

    • NTLM hash is not cached

    • Kerberos does not use DES or RC4 keys. No caching of clear text cred or long term keys.

  • If the domain functional level is Server 2012 R2:

    • No NTLM authentication No DES or RC4 keys in Kerberos pre auth

    • No delegation (constrained or unconstrained)

    • No renewal of TGT beyond initial for hour lifetime Hardcoded, unconfigurable "Maximum lifetime for user ticket" and "Maximum lifetime for user ticket

  • Needs all domain control to be at least Server 2008 or later (because AES keys)

  • Not recommended by MS to add DAs and EAs to this group without testing "the potential impact" of lock out

  • No cached logon ie.e no offline sign on

  • Having computer and service accounts in this group is useless as their credentials will always be present on the host machine

Privileged Administrative Workstations (PAWs)

  • A hardened workstation for performing sensitive tasks like

    • administration of domain controllers

    • cloud infrastructure

    • sensitive business functions etc.

  • Can provide protection from

    • phishing attacks

    • OS vulnerabilities

    • credential replay attacks

  • Admin Jump servers to be accessed only from a PAW, multiple strategies

    • Separate privilege and hardware for administrative and normal tasks

    • Having a VM on a PAW for user tasks

Active Directory Administrative Tier Model

  • Composed of three levels only for administrative accounts

  • Control restrictions: what admins control

  • Logon restrictions: where admins can log-on to

Tier 0

Accounts, Groups and computers which have privileges across the enterprise like domain controllers, domain admins, enterprise admins

Tier 1

  • Accounts, Groups and computers which have access to resources having significant amount of business value

  • A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services

Tier 2

  • Administrator accounts which have administrative control of a significant amount of business value that is hosted on user workstations and devices

  • Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data

ESAE (Enhanced Security Admin Environment)

  • Dedicated administrative forest for managing critical assets like

    • administrative users

    • groups

    • computers

  • Since a forest is considered a security boundary rather than a domain, this model provides enhanced security controls

  • The administrative forest is also called the Red Forest

  • Administrative users in a production forest are used as standard non privileged users in the administrative forest

  • Selective Authentication to the Red Forest enables stricter security controls on logon of users from non-administrative forests

Further Reading

Last updated