Active Directory Best Practices That Frustrate Pentesters

Captions
I am Sierra, for those of you just joining us. Yep, Kent and Jordan here, two of our testers who also do the sentences. So, pleasure. Happy to be here. Happy to have you all, indeed.

So really what this is based out of is Black Hills Information Security's efforts toward building, configuring, maintaining, and being better at just about everything we do, right? It's something we have to do on a daily basis. So we're asked to come up with some training modules; so we come up with a wireless training module, and then we all tie that back into domains and how our customers operate, right? So we walk into a network and we can review your wireless, but it really all comes down to, and boils back into, Active Directory, right? And how that infrastructure is configured and how it's deployed and how it's managed.

So what we're trying to do today is talk about the things our customers do in Active Directory that work, that slow us down as pen testers. So, and probably not making friends with our co-workers today. The majority of what we do, and you'll find on our blog posts, our webcasts, is really red team engagements; it's, you know, trying to be the attacker and trying to exploit all the things, and this is just the opposite of that. So it's a little bit outside of the typical niche for BHIS, but at the same time, yeah, throughout the slides, mostly what Kent says is we are going to be talking about the blue side of things. However, we talk about where our standard attacks come into play, like John's Attack Tactics series; we use some of those things to demonstrate how to fix and solve those problems in Active Directory. As he says, it's easy to make things hard, not hard to make things easy. So there's a lot of things you can do to solve some of these problems. Some of them, you deal with the politics of long passwords, right? I mean, that's a huge one, and it more than anything slows down pentesters. If I'm approaching the outside of your network, if I'm approaching the inside of your network, all these things are based on credentials
and if you make it hard for me to guess the password your user population has, then, well, we're frustrated. And, you know, another side of that is when you get into an engagement with a pen test, there are some things that we do very quickly within the first hour of the engagement, and it's not uncommon to get wins immediately following that, and we call that kind of low-hanging fruit. It's stuff that's helpful for us because it allows us to get a quick win, but at the same time it's stuff that we kind of expect anymore, and it's something that's relatively easy to mitigate. And because it's called the low-hanging fruit, if we can get it out of the way, you know, it's stuff that you turn off; we're not talking about a million-dollar solution. So, slow slide show today. All right, so we are not going to sell you a security solution today; we are going to frustrate our co-workers, right, the attackers. That's it. If you would like to invest in consulting from Black Hills Information Security, then speak up.

So yeah, as we say here, almost everything we do in this slide deck is based on things you can do now, today, in your Active Directory, whether it's Server 2008 forests, 2012 forests, and, like we deploy in the next couple slides, Server 2016. So, on that ground, how much have you talked about how you set up the infrastructure for doing this webcast, and kind of set up a lab, an environment that we could test some things out in? How much can you talk about that? Sure, absolutely. We have a lab that we maintain physically, but we can't even begin to compete with Amazon's layers of protection, so we deployed an AWS Quick Start for this, which is a one-click, one-hour deployment. The thing asks you for a couple of passwords, restore mode, new admin user, and you click, and then in an hour, voilà, we have a beautiful, brand-new, shiny (which you'll see throughout here) multi-availability-zone deployment of Windows Server 2016 domain controllers, Remote Desktop Gateway, and that is the
environment we configured for these best practices, right? We got to go test, play with, learn, and then try to exploit. So you kind of talked about that Active Directory inside of Amazon. Obviously most environments aren't set up that way for their enterprise environment; there might be, but I think your point here is that you can do this, but more importantly, maybe for your blue team, is that they can go develop this in an hour and they can deploy and then modify these things we're going to talk about and see what the result is, right? Oh, absolutely. How many domain migrations have you successfully executed in your time as a systems admin, right? I think, taking a step back, if you're going to upgrade your domains and your functional levels and your forests, I almost, at this point, recommend starting clean. Yeah, no, like, Amazon offers so many layers of protections and so many advantages over the standard on-prem deployment, of hardware, of monitoring, of physical security, of compliance and all those things, that with a couple clicks, if I can spin up a new domain, set up a VPN, and link my workstations to this environment, it's hard for me to keep recommending that people build their own on-premise solutions.

So now, I think I did mention that we're not gonna sell a million-dollar product, right? But we should also mention here that your environment that you set up wasn't necessarily cheap, right? Yeah, it's running hot, for sure. I think John told me I've got a week to burn it to the ground. This is definitely the Cadillac of base deployments, but depending on budgets and size of environments this might make sense. I think we're looking at a four or $500 a month spend with this. We've got a single Remote Desktop Gateway, multi availability zones, we've got the elastic load balancing in front of stuff, we've got a lot of these products. But anyway, this one runs a little hot, yes, but it's secure for this deployment. Just to talk about Tobias's question, like, for this
deployment, this is as quick online as possible and then tear down as quick as possible. So we haven't managed custom configuration files, we haven't implemented things like OSSEC or Ansible, things like that, but that's what we do for our production systems that we use.

So basically Amazon hates pen testers, and there's a lot of reasons for that. They run so many multi-tenant models of firewall protections, of load balancing, that they really are nervous when people come in and start breaking things or attacking things and they don't know about it. Not that there aren't people all over the internet who attack systems on AWS; it's just, as a pen tester representing a firm that could be sued by Amazon, you need to be careful when you approach these things, and definitely not skip pen test authorization forms, not skip even if you're testing yourself, right? So there's a lot of dangerous situations you can get in on Amazon if you're testing. So I think the idea there is, if you've got a web app and you're testing it, your own web app, you're testing it from Amazon to the web app that's hosted in Amazon, if you find it in that web app that maybe you designed, Amazon is very concerned about how that WAF or that CDN reacted to your ability to manipulate and exploit that. So as much as it is, you know, in your application and you built it, they're also very concerned about how their applications are securing those, and if you were able to get an exploit, they're curious about whether or not that exploit is available everywhere in a similar fashion or if it's just on your application because of a certain thing. And that's why they are very curious about those authorization forms and they want those filled out, because they want to know when something gets exploited; they want to know how and why. Yes, absolutely, right. So that's where that pen test form covers your organization, your entity, from potential legal liability with Amazon. We do have a couple questions. Yeah, so when we talk
about XSS, that's fine if you are testing your own application and you aren't identifying an XSS flaw in Amazon's load balancer or Amazon's web app firewalls or some layer of that process where they go multi-tenant, right? We have an application, but we put a WAF in front of it, and in front of that WAF is a load balancer, and if I hit something along that chain where I have identified a flaw in Amazon's load balancer, that is a big problem across all the tenants of that service. So that's what we're saying here; that's why Amazon is gonna be really concerned, including not just on web applications but in the deployment of Active Directory as well. If you exploit something, they want to know why and how. So, yeah, cover yourself.

So that was kind of how we configured our baseline environment in Amazon, and we're going to talk about some of the stuff in Active Directory that you can do to really slow down an attacker. And this list is not necessarily comprehensive; there's a lot of things you can do out there, but these are things that you can start from the beginning of a deployment, or you can add to a deployment you've already had. You know, a very mature environment could still benefit from some of these things; you know, you're gonna have some change processes that you have to worry about there. But things that we'll go through today are going to be naming conventions, some of the group policies, attack tactics that are out there we've discussed, so application whitelisting, some interesting things with Sysmon, and also some LAPS we'll get into. And Rich does have an interesting question, which we addressed during our pre-show banter and we talked about even this morning before finishing the slide deck, and that is: what are we actually addressing here? What are we talking about? So we are talking about Active Directory best practices that we know, as pen testers and attackers, that work in customer environments to slow us down. So we are saying Active
Directory best practices, maybe not per Microsoft standards but per pentester standards. Yeah, so how do we frustrate ourselves as we wander through networks? And just for clarification, Don would like to know why you're showing a dead horse. This is the same stuff we preach in all our webcasts, across all environments, across all our reports. We say the same things: you have a weak password policy. Why? Because we guess passwords on your networks. We use the same attack tactics almost universally, and Don says, like, you're beating a dead horse. [Laughter] They're definitely beating it. All right, back.

Okay, so let's talk about Active Directory domains. You've got an Active Directory domain set up, you've got users in it, and the key thing that I want to point out here is, you know, inside the forest you have multiple domains, you're gonna have functional levels inside that forest, and you've got a schema that has different attributes for users, computers, policies; all that's gonna be stored in the schema. And you've got the domains that you maybe need to migrate, need to upgrade them, and these are things that you need to, I guess, mostly be aware of. And the idea behind that is: never do anything in Active Directory that you didn't think about, because ultimately anything that you do that you don't think about is going to snowball into something that you'll have to think about later, and it can definitely be problematic. A good example of that is if you've got a file share and you put a single user on that file share, a decade from now you're going to have that file share with two or three hundred SIDs in there that don't relate to a user name anymore, and you have a hard time cleaning all that up. So we're gonna kind of go through some ideas there that might help that out from an administrative perspective. But the idea here is just that the overview on domains is: don't do anything without at least considering the goods, the bads, you know, what it looks like in five years, what it looks
like tomorrow. So, getting right on with that: naming conventions. Now, naming conventions, I'm not going to give you a "this is how you should do it," because it's going to vary in every single circumstance. What I will say about it, though, is that you need to think about how you're going to do it and you need to be consistent with it. Now, from an attacker's perspective, right, we're going to say, why could this be painful for an attacker? Well, I'll give you a really good example. From a helpdesk perspective, this needs to be simple; you want to cut down the administrative overhead. However, from the attacker's perspective, if you can do something like making the UPN, the username that's logged on with, yeah, the typical one was like firstname.lastname, but what if it is firstname.lastname- and then a four-digit random code? Now that sounds really complicated from maybe an attacker's perspective, because now they have to guess what that four-digit code is, but that would actually be part of the username, not the password. And the idea there is to make it so that you can't just guess what a username is based off the context of knowing someone.

Similarly with groups, you know, it's useful to have groups that have a consistent name; the example of that, or, you know, security groups could be SEC_ and then what the context of the security group is. But you could also make sure that those groups could be obscured to mean something other than what they say, but still have an obvious meaning to the helpdesk. There are some really great applications out there as well that basically put a database front-end in front of an LDAP back-end, and it allows you to have group names in Active Directory that are completely meaningless, just completely arbitrary, but then the database front-end now gives like a web app view to the groups, can actually drive that and make it more meaningful from the web front-end perspective. And those are things that can be devised that really help out with that. So we
just got an awesome question. Yeah, John is asking why not deploy a bastion forest in AD, and I said I am reading about it now; I have literally zero experience deploying advanced AD forests. Absolutely, and bear in mind that we did kind of talk about things, we're going to be talking about things here that are like quick things that you can do either now (obviously sometimes it can't be quick if you're ten years entrenched in the environment) or they're going to be things that, if you were setting up a new environment, you could set these up relatively easily without too much risk. That's an excellent point. There are a ton of things that you could do to make life just miserable for attackers, and the whole reason we, as pen testers, we don't want them to be miserable for us, but at the same time we do, because it is kind of boring if we just pull the low-hanging fruit and that's all, you know, our results. It should be much more difficult than that, and it's also a lot more fun when we get to look at things that are not just looking to get in there, and actually get to exploit things and write code and that type of stuff. At the same time, though, you know, there's things that we get in here and we're gonna look at it, and there's things you can say, we just can't do that, there's no way we could get the change management processes for that, and you have to balance that, right? There's that risk and payoff that you'd have to definitely look at. Yes, Gordon, we're gonna address some of those questions with LAPS in a little bit.

Right, so naming conventions and users: again, login and UPN, they don't have to be tied to a specific person. My username is not kent.ickler; it could be Kent-523179. I will remember that, 523179, and that's a lot left to remember for my username because it's chaotic, but a pen tester now is going to have a really difficult time trying to enumerate all those user accounts
especially when we go to use things like recon-ng. Now we're gonna go check out LinkedIn, try to find email addresses of users that are on the website. If you make it so that your email address is not your logon (and bear in mind, this is MCSE 2003; they would have told you, no, no, no, make it all the same, make sure your email address is the same as your user account, because that's going to be wonderful for employees; they're just wonderful for employees, it's excellent), it's not wonderful for security, though. So if you kind of think about that 15 years later, and now we're looking at it and saying, okay, we want to publish this email address on the website, but we don't want that email address also to be the username that user is just walking around with, and that's where that context between that UPN comes in in Active Directory. You know, make sure that, for administrators, you want to be able to identify what a new administrator account is for, for the helpdesk, say, for the administrative overhead, but at that same time, the key piece here is the last bullet on this page, which is: the admin does not equal the standard user. So if I were an Active Directory admin over the entire environment, I would want to have a user account that I check my email with, that I run my helpdesk tickets with, that I, you know, work with HR with, that absolutely is not going to be the same account that has any sort of administrative privileges. And then pick your other platform, right, any platform on earth now, right? If you're looking at Box, you're looking at Google, you're looking at AWS, all these, right, I will pay for the extra license every single time to have an obscured admin user. Absolutely. So, yes, and someone's gonna say, well, wait, does that mean you can have a shared account that is the administrator? Yes, no, I mean there's things you could do with password management solutions that can help with that, but the key thing there is that the standard user is not equal to the admin user and vice versa. Also be
able to identify your contractors, your vendor accounts, and service accounts; you want to be able to identify those from the helpdesk perspective. Now, there's that question: does that really help or hinder the pen tester? Um, it really doesn't, I don't think, help or hurt too much. Really, what you're going to gain in the help desk being able to have a better environment for them to work in is going to help and allow them to focus on the security aspects of their job as well. Okay, well said, sir.

Yeah, so we're kind of working on our own container of honey data, right, because if you're gonna go and execute a pen test, or you're gonna go execute a training or something else, you need this giant chunk of data, and rarely on customer environments do we find cleanly laid out data. So we want to build our own, and basically the convention here is file shares are applied via ACL, right? So we want ACLs to flow down, and Kent is exceptionally well versed in the management of user ACLs, security ACLs, and even file migrations, but file shares can be so messy. So we are even working on our own chunk of data that people can come and try to pen test down the chain. And bear in mind, you should be able to look in your environment and look at a piece of data that's on your file server, and you should be able to answer who owns it, who's the primary point of contact for it, and who needs access to it. And if you can answer those things, and not so much in terms of a person, like a name like Jordan, but if you can put it into the context, so: this data is owned by the HR department, its point of contact is the HR department director, and if I need to make changes to this document I need to contact X person who might be the liaison for the IT department in the HR department. Then we take a step back and we go back to our previous slide where we talked about users, and we say, so we had a user who goes into an ACL for marketing; that's all we have to do: this person is marketing, he is marketing, he
gets all the file privileges flowing downward. As soon as we disable his account, we don't have to go trace where he may have been individually applied permissions on a file or a file share. And we're gonna kind of get into that; there's something I call job functional security roles, which is, for better or for worse, a huge platform, but we're gonna get into that.

I'm still on naming conventions; we're gonna talk about groups now. So you get user groups, security groups, distribution groups, mail-enabled security groups, and then this weird, like, quasi thing that Microsoft has in domains called domain local groups, global groups, um, universal groups. And I think the majority of people understand the top four pretty easily, right? They know what those are for: user groups hold users, security groups are used for security, and distribution groups are used for email. But when you come down to what's the difference between domain local, global, and universal, again, I'll talk about MCSE 2003, because that's what I am; I haven't updated my cert since then, which is, what, it's 15 years old. Back in 2003 there was a maximum number of objects you could put in the Active Directory environment, and the number was relatively small, so it meant if you had a very large number of users in your organization you had to have multiple domains, and each domain could have a set number of objects. So if you had a lot of employees, you had a lot of domains, and all those domains lived together inside that forest. It's not so much that anymore. So now when we see a domain forest with more than one domain, it's typically the result of a couple things. One is legacy, so that's something that came back in 2003 and they're still fighting this process of multiple domains; that is one possibility. There was some best practices back in the day for having multiple domains based off geographic locations, and it kind of helped with replication strategies and that type of thing of Active Directory;
those still exist. The other place that we see it now is in a lot of acquisitions: you're gonna have a large firm that acquires a smaller entity, and the way they incorporate that into their existing Active Directory environment is to build a forest trust and then bring that domain into their forest. All that really doesn't exist so much anymore in 2018, just because the way Active Directory works, you can put billions of objects in there and it doesn't matter, you know; if you hit that limit, you have to create a new domain, which is what it used to mean. So what's the difference?

Okay, so that last slide said go for the jugular. So the jugular is something that needs to be really clever, and so it's, all right, you created it, you told me. Yes, so I think what we need to point out here is I did not create this; this was a very low-key idea that I had in school that my instructor told me about, and I can't remember who, when, where, what, so props to him for creating it, I can't remember. But the idea is, if you look at your group replication strategy and your group nesting strategy in the form of JUGULAR, the J is just to remember it, so that's all it is, and then you've got Users and Global groups, Universal groups, and Local access to Resources. So at the very top you're going to have users, okay, and those users should be in, we're gonna talk about job functional security roles, right? So a new employee should have access to what they need to do their job but nothing more. So the idea here is that a user account is in a user group; that user group is about a job functional level, something like the marketing department supervisor, right? And then that global group could be inside of another global group called the marketing department, and so on, so forth. But the idea here, and the really key piece of this, is the very bottom; it says resources, and those are ACLs, so the file shares, printers, remote desktop, VPN, etc. The idea here is that you never, ever put a user account into an ACL. Now
there's several reasons for that, but one of them is that if you have a user whose employment is terminated and the account is removed from Active Directory, you've now got a SID listed inside that ACL that is forever gone. It's always going to be a pain in the butt. But if you look at it from this perspective, you put user accounts in the group, so you put the groups into security groups, which are domain local, then you can now apply them in local groups to the security context, to the ACLs, and you never again have to go to the scenario that you're giving a single person access to a single file. It's always going to be justified by some sort of HR mandate, such as the marketing department needs access to marketing files; they don't need access to accounting files, or if they do need access to accounting files it's already been prescribed because they're working on a project together. And it gets away from the perspective of one person having access to a single file, because, and I will have to have a huge blog post on this because it's much more involved than that, the JUGULAR actually came from how replication strategies worked in Active Directory, where you would replicate only the minimal amount of data across a low bandwidth link to still utilize forest trust. So that's kind of where it all started. In today's environment you can use it if you have a single domain, just like this, where you're applying access control lists to users through groups. So a best practice helps with the help desk, and from the pentest perspective, if we can find a user name on a file it kind of helps us, but if we have to go start looking through groups it just becomes a pain in the butt; even if they're well named, it really starts to make pain for us.

So, if we leave an Active Directory account disabled permanently, do we strip group membership? Does that remove them from the ACL if the account is compromised and re-enabled in some way? I'm sure, well, it wouldn't, it strips their
physical access; it strips their access because the account's disabled, and Active Directory wouldn't be able to authorize them access to the account. But at the same time, more importantly, what that does is it removes all the replication traffic from having to push that ACL and all those groups around. So, you know, disabling the account works. I think the big point, there's a best practice about when you disable a user account due to employment termination, you remove all their user groups and security groups, and the reason for that was if someone accidentally re-enabled that account for whatever reason, it would get re-enabled in a very minimal security context, where the user might be able to, like, login; that's it. The idea there is they don't have access to files because their account got enabled. So there's definitely something there, and that's usually listed in, like, policies and procedures for HR and the IT department, how they handle offboarding.

Okay, we're about halfway through on time. Question: if there's a single domain, would it be better to use AGDLP and just discard universal groups altogether? You can discard universal groups. Um, there is a caveat there; the big caveat is Exchange. So if you've got on-prem Exchange, or if you're not using ADFS to sync your Azure AD and your on-prem AD, you're gonna run into some problems, because Exchange works with the GAL, and the GAL stores all universal groups. So if you've got a group membership that's nested inside of universal groups, you're good in Exchange, but if you're using Exchange and you try to use, like, a domain local group for a security context, it won't work. The reason it won't work is because Exchange references the GAL; it doesn't reference Active Directory directly.

[inaudible] Oh, this one's me again, isn't it? Yeah, absolutely, tear it out, man. Okay, okay, but I might have to speed up. Group policies: so this is a really great one; I love it, it's funny because it has LSD in it. I don't
know. So the idea here is Local, Site, Domain, OU, and the idea is when you apply a group policy, this is the way they're going to flow down and the way each one can be applied and reiterated and replaced. So if you apply a local group policy at the local level, that can be replaced or overridden by a group policy that's listed at the site, and then the domain, and then the OU, and then any other OUs that are nested inside that. So it's just a really quick way to remember how those group policies are applied: they apply at the start, which is the local machine, and then the sites in Active Directory, or the domain, OU, and the nested OUs. So LSDOU. The LSDOU is really important when you start making computer policies and user policies and how those apply in Active Directory, especially for group policies and then things like loopback processing mode and how password policies are applied all together and things like that. So it's just a really great way: if you're able to apply your group membership or your group policies at the highest level that is appropriate, it cuts down on administrative overhead, and, you know, from the attacker's perspective it's really not going to slow us down that much, but we don't spend too much time looking at group policies, with exception to one thing. I'm gonna let you come in.

So, yeah, default domain policy: this should be very skinny, right? We configure this to only cover our password and account lockouts. That's all that matters in this policy; that's all this policy should cover. You can do a lot more in here, but Microsoft's best practices here are what is stated here, and I would keep going; we're going to cover this more and we've got a lot of slides. Early, so, GPP, group policy preferences, pre-2014, MS14-025 from Microsoft: those passwords are stored in Group Policy Preferences in a very insecure layer, very insecure. So an attacker could look at a group policy, and if you had a password specified
there to do a certain action, like run a script or create a user account, we could essentially go and grab that password, and it was a win for us; it was low-hanging fruit. So if those preferences existed prior to this with the passwords, you could still apply the patch and not solve the problem. This is something you should go do as a system administrator: if you have old legacy domains, things that have been migrated, updated over time, make sure you don't have GPP lying around. It's the first thing, I mean first or second thing we check on your network. Absolutely, generally what we do is launch LLMNR and then go look for GPP. Yes, two very easy wins, a third there. And with those group policies, if you have legacy ones that have group policy preference passwords in them, I think the best idea there is to delete them and create the new policy after MS14-025, which gives you a more secure way of storing that password in Active Directory off of your policies. On the lower right hand, that window there is Metasploit, and to give you an idea how easily we just pull passwords out of there, we just run that Metasploit command, and it goes and looks at SYSVOL in the environment.

Yeah, so again, this is where we deployed Windows Server 2016 brand-new, and the defaults are still not good enough. They're not, they're just not. I think we get to a slide that covers the password policies that are on by default: not good enough. Windows Defender, okay, not good enough. No application whitelisting in place, though there's all kinds of awesome new protection since early 2016. LLMNR still on by default across the board. Multi-factor authentication not enforced. So I mean, this is the latest domain controller offering we've got; still not good enough. It's getting there. Yeah, it's getting there, it's getting better. So this is, I love this: it's the new device is being protected, and, oh really, is it good enough, or is that default that you've got that set up? So bear in mind, default settings are not enough and we definitely
wanna take a look at that any time you try to deploy something make sure you look at those settings and make sure they're confirmed and built for the way you want I love this screen shot because it's the Windows Firewall from XP full sides are the screen shot from XP in fact and it's kind of interesting Windows Firewall better for worse right it's actually a lot better than it used to be I think now even at the default deployment it's still it's pretty useful I think the key piece though is that it's not as user friendly as other products out there so you know it prompts up and says hey you're on a network what should I do and then you have to like forced users to like read it and figure out what they're supposed to do try to figure out what the best answer is you look your policy around the domain say hey you're in a Starbucks coffee shop I'm not going to let you on the wireless network and that's ok or you know for some VPN that process as well so there are non host-based firewalls is that bright here is like the point here is turn on your host-based firewall it needs to be on everywhere needs to be on your servers without ports that you expect communication to occur on we do have a question here that's worth addressing right why is defender just not quite good enough and really it's not quite good enough because it's like any other AV product you turn it on but are you capturing alerts are they going to your central repositories do you have audit enabled on the system are you doing it the things that make antivirus important to help desk yes right are you good I will say that defender can be enough if it's configured properly so the key thing here is you can't just turn it on and forget about it I mean that might work in certain environments but it's not going to be very strong we're talking about turning it on go look through and make sure that you've got it configured for how your environment needs it to be configured securely so jazz report that said to a sim 
so that you can have someone look at that later on by default you know defender is not going to do that it's not gonna have anywhere to send those to so have them enabled and you know do things like that that can fear defender to be more useful obviously there's hundreds of other products out there very large new product that can do very similar things that are more trunky right and they're more tricky and that's why they're additional third party products defender is okay it's as good as anything else theoretically some things that you pay lots of money for can be shinier and better I think we can invoke John's it's a commodity to have it so minimum password requirements this is out of the box so where can you find a dark about proper defender config awesome no yeah we'll find something might write a blog for it yeah really good all right okay so yeah again brand new server 2016 out of the box open the default domain policy go look at the password setting and what do we have they're still recommending well I don't know if this is a recommendation of Microsoft or just a decision they've made to leave things in a state where it's easy to guess domain passwords seven it's not enough it's just it's not enough so I've included a screenshot there of the hash cat cheat sheet that I wrote a couple months ago and one of the interesting things here this is key saw key space exhaustion at 229 Giga hash a second big terms right but the point here is that seven characters it's going to take us 35 seconds to generate all different hashes based off all lowercase characters and that's pretty impressive that means if your password is seven lower case letters we're gonna guess it in less than 35 seconds the same thing said though if it's 20 alphanumeric characters this is 2.2 trillion solar orbits around the center of the Milky Way which is a really big number and it's interesting particularly that because of how that progresses into something that is so awfully huge obviously we 
wouldn't build a crack in in 35 seconds right there's a Monty Python reference galaxy song in there so the point here is that 7 character is not enough if someone asked what is enough we will typically say 2020 alpha numerics so here's the great thing is if you say 20 alphanumerics and someone makes it 20 lowercase characters yeah this 20 characters long it'd be really grabs me I'm the one that's really gonna confuse you all over again so absolutely someone asked this 23 still considered the borderline friend credible presently I think 15 you're into the subtil Ian's right if you're looking at key space right and you take 15 characters and all of them could be any of the four are lower offer number numeric and specials that key space at 15 is septillion z-- yeah and uncrackable means a lot of different things right so the way passwords are typically stories with the hash value and when you've entered your password into Windows it's going to take the passwords that you entered and create a hash from it and then it's going to compare those two hashes to make sure they're the same so the way most password cracking techniques works is they just create all we have possible hashes and once they find one that matches they know what the password is that said what we're really talking about here is offsetting the limited security context that's in the low-low seven character password and we're going to try to offset that by making really long but then the next low hanging fruit piece for password becomes where passwords are stored in plain text or if I know someone really likes certain football team I can make a word list based off that football team dictionaries are everything when we correct now I mean that's just so we're talking about you know 20 alphanumeric characters are it's impossible to break if it's truly randomized characters but on the case if it's a word list and all the words are more than you know seven characters long we're talking about three words and we 
might have a list of 400 words to work with, you know, we're going to do it really quickly. And that kind of comes in; then you have to take your word list and you've got to make sure that you have words that are spelled wrong and that type of stuff. Just be cautious of that. And this is the "staple horse something something" xkcd. All right.

So, yes, they have definitely upgraded the maximum value for minimum password length, right. You can now, at Server 2016 forest functional level, force across the board a 20-character minimum; you can do a 15-character minimum, right. And then you can also go disable the LanMan storage thing, because if you're less than 15, it's stored in LM, and LM is easy. And so there's all kinds of other fun features in Server 2016 worth investigating; some of them are mentioned here. The code integrity check policies also allow you to force integrity checks on the code that runs in your environment, so that Windows doesn't trust code that isn't signed, generally speaking, across the board. And you just use Windows for it; you don't need a third-party product. Absolutely not. Group Policy, go ahead. It's super awesome. So we're going to talk about some of the key terms here, like LanMan. If you're not familiar with that, check out our blog; search "LanMan" on our blog posts and you're going to find a lot of that and all the detail you need to know about why it's bad. Things moving forward: so we talked about the password policy, you know, and why those need to be longer passwords. You've got a blog post there talking about more detail for pre-2016 forest levels, so that's out there as well. And complexity, blah blah, horse here, two trillion orbits around something something, there we go. So, "I do not throw away", talk about that one. Yeah, absolutely, don't do that. And I just show the location of that slide.

What if you have weak passwords but the ability to detect abuse is good enough to pick this up? Quincy, for example: if you run that ProcDump, it can be quickly picked up, or if you run LLMNR. Yes, that sounds like a reactive policy; that's very reactive. Oh, absolutely. You know, better would be not to allow someone to guess that password, as opposed to allowing them to guess it and then reacting to them having guessed it, which I think is pretty, you know, it's kind of obvious. But so, running LLMNR isn't really the thing; it's running a tool that exploits LLMNR. So if you leave systems on your network at default, they will communicate with LLMNR and they'll broadcast names; then we jump in and poison. So you need to catch the execution of obfuscated PowerShell that runs things like Inveigh or Responder. These are the things you need to trigger on on your network.

So, "can you enforce multiple password policies based on OU?" Yes, you can. Yes, 2008-plus functional levels can. I believe it's called fine-grained password policies. You will find them in Active Directory; it's definitely there. It's not done in the typical Group Policy Management Console; you have to do it in a separate section of Active Directory. But they could do it in 2008. So pre-2008, yeah, you could have one Group Policy, or sorry, one password policy for the entire domain. It is much different now, based off OUs and also based off your memberships; you can do it. I sent that privately unintentionally.

So some of these different things that an attacker will typically use: things like MailSniper, Hydra, you know, OWA brute force. The idea here is that you want to limit the exposure to that, and something that I will still say is, you know, you can have your email behind the VPN, and that will freak some people out. "But I need to access email remotely." Put it behind a VPN. "How do I get it on my phone if it's behind a VPN?" Okay, there are solutions for that. You can install, you know, a VPN certificate on the phone so that the mail application on the phone utilizes the VPN. But the key thing here is a user on the internet can't scan your network and find you to have a portal and start password spraying all of your user accounts. So it's kind of a key thing there, and these are things that attackers look for. If we find an OWA portal, we're going to try to brute-force against it, say with passwords found in public breaches, or passwords that we've been able to build from a word list, all these things. And we can also take the NTLM authentication attempt and gather domain information. If you expose that portal to the internet, we can go learn about your internal domain just by you exposing it. Anyway, so, yeah, I mean, you definitely want to have some knowledge of what's happening here: if someone tries to do a password spray, you want to be able to identify that. But ultimately you're able to mitigate a lot of that just by putting your services behind a VPN. Obviously, again, that is painful, but there are ways around it. Yeah. So just the password policy has slowed every single one of these attacks down that we do on every single test; depending on the test, one of these tools will be in play against your network, right. So extending your password policy will make it much less likely that we capture creds, like on the next slide. I think Mike says no, it's moving out there in the future. But anyway, creds are king. As pen testers, as attackers, if you make your passwords longer, it is factors more difficult for us.

John wants to know: is there a checkbox to disallow the use of the same password for one's regular domain account and their privileged account? Well, it wouldn't be a checkbox, because there's no association between user and admin. You wouldn't want there to be a link between the two either. In fact, your admin account could just be "admin" plus random characters; those four random characters are meaningful to the help desk, because it could be a six-digit random string, it could be anything. So no, there's not. Now whether or not that's like, that sounds like, okay, where's the dice at, they're going into policy for that. We also failed to mention CredDefense, which is a tool Brian Fehrman is working on, which is a brilliant piece of software that you install on your domain controllers. Right, nobody likes to install things on their domain controllers, but it does protect your environment from passwords that you don't like: you define the list you don't like. It can also analyze passwords and compare user passwords: how many people are reusing hashes, how many people are... But this again would go back to LanMan, because LanMan hashes aren't salted; they're all stored exactly the same. If I use "password" and he uses "password", the hash is exactly the same. "And the AD dictionary, unless salted?" Yes, in LanMan it would be absolutely the same. So, you know, you might be able to find that if the password is less than 14 characters long, but ultimately, you know, it's going to be one of those things. What you could do that might help is use different password policies, one that has a longer length requirement, and that'd be okay, and that would be a quick way to probably make it better. Ultimately, if they're using the same password, I don't think that's necessarily such a bad deal, as long as you've got a password policy that makes sure those are long enough that the risk is mitigated. So, absolutely. Great. You know, how are we doing on slides? Do you have time for questions, or do I wait till the end? Yeah, we'd better keep going; we'll run through these.

So LLMNR, we've kind of talked about it. Disabling it is a super easy thing to do; it typically doesn't break anything, but if you've got a 10-year-old legacy environment you want to look into it first. If you're setting up a new environment, first step: shut it off on your domain. We've got a blog post there that tells you how to do that, with some screenshots. Super, super easy to do. And LAPS: I actually love this tool. This is something that you should deploy now; there's no reason not to. And
whether or not your environment is ready for this. Basically, you run a PowerShell script that extends your schema by these two attributes. In the next slide, go ahead and go, we are going to deploy that installer by Group Policy, which we saw in the previous one. We're going to extend the schema by two attributes; we're going to allow systems in a container we like, whatever container we're applying LAPS to, to write back into those attributes; and then we are going to limit access to the attributes, make them confidential, right, to everyone except our privileged group. So that's what we're doing here. Then we can go to our LAPS UI and say I need the AD password for, or I apologize, the administrator password, the local administrator password, for this computer. Boom. Problem solved. The other side of that is you have a Group Policy that sets a local administrative password and username for all the workstations in the environment, right, and then the attacker only needs to find that one password and they immediately have local admin on all of those workstations. What LAPS does instead is secure those local user accounts and those passwords; it allows those passwords to rotate all the time. No longer can an attacker get one password and potentially have access to all the systems across the entire domain based off local security access.

So application whitelisting is somewhat controversial, but it's becoming more mainstream. The really cool part is you don't need extra products to do it, but extra products might make it more helpful or easier to use, more user friendly. So there's practice out there that already exists in Windows, you know, AppLocker, and you can also do things like hash-based signatures and code signing from Windows itself without other products. To give more on that: oh, well, yeah, no, I don't think so. SubTee, good. Like, we couldn't let this slide roll by without mentioning that yes, we know you can gain execution in about 3,000 different contexts; I think he's probably figured out how to use calc to run code. So regardless, our point here is it's time to think about application whitelisting; it's time to layer our defenses, which is required. There are some more slides coming up, I think the next slide, go ahead, where we talk about actually identifying the executables we don't want to run, and not necessarily by the name and location, which is easily bypassable, but by the publisher. So these are rules we configured. It makes it so much more difficult on a pen test, or as an attacker, to gain a foothold. If I can't get cmd.exe, if I can't get the SysWOW64 PowerShell ISE exe, which is nice when it's there, but if you're restricting it in this way, you know, it's factors more difficult. Yeah. And the idea here is to apply multiple attributes for your whitelisting. An example is a lot of AV software: they're looking for malware, and if they find, you know, "PowerShell" inside of an application, like, oh, that could be bad. But if you make it "power" and then break it to the next line and then "shell", it allows them right through; it breaks, it doesn't recognize it as PowerShell. So things like that: you want to use multiple attributes to identify your whitelisting. And I have renamed PowerShell.exe and bypassed, I think it's, yeah, the software restriction policies or something. So it just depends on how it's configured and deployed.

So you had a recent engagement where Sysmon was used, and oh my gosh, there wasn't a single thing we executed in this environment that the customer wasn't like, hey, I see you running long PowerShell scripts; hey, I see you attempting to bypass our firewall with SSH. And I mean, it's amazing. So we're mentioning Sysmon because it can provide a layer of visibility to your workstations in your environment that you may not have now. So the script, or the configuration file, linked at the bottom of the slide covers almost everything, is well maintained and is very interesting. Curious what's the quote on this one, about how much, how many thousands of... I assume this is a joke, you're being sarcastic. Hi again. I think we're at zero dollars so far, besides the AWS... all the licensing for Windows is baked into their solutions, so that kind of covers user CALs, covers remote access, covers Windows licensing, everything. All right, moving on.

Sessions left lying around. This is really cool, and I kind of breathe back to BloodHound and how that all works. Bella? You sure? Yeah, I mean, the goal of an attacker is to extend access in any possible direction they can, right. If I find a user, I'm going to use BloodHound to see if that user can see other things in the environment. Yes, as the user I'm generally handed on a pivot, I have domain context, so I can go use BloodHound to identify interesting sessions that may be around the environment and where even my account might have administrative access. But, as Mike says, creds are king, right. We want more creds; we want to be able to get further; we want to find systems where I'm a local administrator and where there's a DA session, so we can Mimikatz it as local administrator. And obviously, so, yeah, so we're talking about the inactivity timer Group Policy, right, is that what we're talking about here? No, we are not. It's hard to log out inactive domain admin accounts; it's hard to log out any account that is inactive on a system where the system is still on. Yep. So I've seen environments where you have to have an application running that looks for user input, and if it doesn't have it, even if the session is already locked, after an additional set of time it finally actively logs that session out, and that's not super easy. Yeah.

So Martin's asking an interesting question: is MFA a good mitigation against password spraying? If we went back to the attack tactics slide where we show Burp: I'm going to send credentials to your authentication portal and intercept them with Burp, then I'm going to run an entire list of users against a password that I've chosen. I can tell the accounts that I have valid credentials for based on the response; so the response changes on an account, I go look, it's a successful authentication. Now with MFA, we have valid credentials but we don't have access yet. And also, definitely, MailSniper will bypass MFA, assuming you leave EWS lying around. Thank you. There are two pieces to that. Yes. The key thing here: just layer it like an onion, right. Yes. So the slide we have here talks about it for systems: so you deploy an application on all your systems that monitors inactive sessions, and yes, then they get logged off. So to address your question, Tim.

All right, so this is our last slide, and I've got some last-minute things to bring up. Get a pen test, clean up, repeat. Consulting a Black Hills Information Security... you know, awesome. But again, the point here is: get a pen test, scan yourself, clean up, and do it over again, and do it over again, and do it over again, and do it over again. That will make your security posture just continue to get better and better. Don't disclose internal information externally. So if you've got OWA set up, if you've got a web server set up that you're hosting on the internet, run that through, but make sure that you're not having your local IPs in there, or your local domain names, anything like that; you don't want to expose that. Exchange is a horror basket of low-hanging fruit, and, cough, MailSniper, cough, all the things. Empower your support team and help desk. So my background is I ran a help desk for quite a while. Empower them. You know, put them in touch with HR, let them work with HR, let them understand and work through the business policies and procedures, let them make your security posture better. Don't just think they're there to answer the phone calls. They are your eyes and ears on the ground in a security context, and they're going to be the ones that are there first. So make sure you
utilize them and empower them. Yeah, don't expose EWS. I might not understand all the technical back end of Exchange, but I don't believe it needs to be exposed to the internet for Exchange to function properly. And have a process that requires confirming password resets from direct reports. So, an example: hey, I forgot my password. The next thing should be, I need to go talk to my supervisor, and the supervisor needs to talk to IT or HR or whatever. It should not be that I just call the help desk and get my password reset. There are a lot of products out there that actually utilize multiple forms of authentication and identification to allow a single user to reset their own password; that can work. But ultimately, if you have that stopgap in there where you're requiring a supervisor to do it, it does two things: it increases your security posture, and it might help your employees remember their passwords, because they don't want to have to go to their supervisor and ask. That's never fun.

All right, I think there are some questions. Well, there were, and I'm not sure if you just answered part of this because I was responding to somebody, but Robert was wondering, obviously, any suggestion on securing EWS, and is there any real difference with EWS in the Microsoft cloud versus an on-prem Client Access Server? So you don't need EWS exposed for typical mail flow, right. You need EWS for web services, like your phone, OWA, things like that, but just to receive mail to your mail server and to be able to send mail, you don't need those services turned on, or at least not exposed to the external internet. That's it. If you tell someone, hey, yeah, you can't actually check your email on your phone or on your laptop because you're not inside the premises network, that's kind of challenging, right, and it's not conducive to business. But look at setting up the VPN; look at setting up mobile device management. Some mobile device management applications will allow you to take the Outlook application on the phone and say this application must use this VPN, right. So then you're able to basically shut off EWS entirely, and you're going to utilize that VPN for that application to access those mail services and get email that way. You could technically, in that way, completely remove your mail exposure to the internet and just utilize those VPNs for those applications.

So then, I guess, just to wrap: there are going to be some more questions, but what we're saying here is the basis of everything we do as pen testers can be slowed down. Are we red teaming your organization? Improve your password policy; do things like don't expose OWA. Are we doing a wireless pen test? How long are your passwords? Are we going to be able to crack them, assuming we do trick one of your users into connecting to our evil AP? Are we doing an internal pen test, where we scan everything and you give us access? Improve your password policy, right. Everything we do generally boils down to the length of the passwords on your network and whether we can extend our access easily or not.

Looks like John asked if domain admins can take domain user password hashes and compare them to domain admin password hashes. LanMan, yes. However, if you're not storing LanMan password hashes, no, because Active Directory salts those user account hashes, so you wouldn't be able to do that; they wouldn't match left to right. You'd have to be able to salt them and compare the salts. So, all right, where you have to insult them, or salt? Yes. Device Guard has some, probably. So I just want to shout out the winners of the Cubicles and Compromise and the t-shirts. So our first winner is Derek Burke; if you are here, let us know in the comments. Derek Burke is our first winner. And then for our second winner we have Ken Mick Furan, I hope I pronounced that correctly, so let us know if you're here in the comments, Derek Burke and Ken. And then in the meantime we do have a question from Martin; let me go back up and find this here. We also had someone named "I don't want to register, please block" with a very good question. So, well, okay, absolutely.

So Device Guard, again, is in the Server 2016 base deployment. It includes things like hypervisor monitoring, so you can now install Windows Server on the virtualization platform of your choice and still have it monitor boot and kernel processes in a meaningful way, right. If I'm running malware and I have an opportunity to inject through the heap some kind of nasty thing into boot, Device Guard can help, right. Are we going to deploy a code integrity policy? Yes, check, please do this. This is a huge step forward for Windows. Now I can't run malware that I don't sign in your environment. This is amazing. I think this is a huge step, and yes, you can force this down to your Windows 10 systems. I haven't read enough about it to know if it goes backwards in time to Windows 7, but now, if I'm looking at an upgraded domain, I definitely want to get to 2016 functional level across the board. I mean, yes, it's hard, but it's worth it.

Jason had a quick question here. He said, if currently passwords are less than 15 characters and they make them more than 15 characters, what happens to the LanMan hashes? They stay, I believe, and they will be... no, no, Windows removes them on the next password change. Yes, if you change your previously stored LanMan hash to a password that is greater than 14, which is 15 or better, it will not be stored as LanMan. Correct, but the key thing there: they stay in the history. That's super interesting, though. There was one more question about LLMNR I wanted to talk about, where somebody asked about the implications of, say, I run IPv6 on an internal network and I disable LLMNR. Now, I don't know the answer to that question, but it is a very interesting one, right. If I'm using anycast to find routers on my network, I don't necessarily need LLMNR to do that, but the advertisements of DHCPv6 are LLMNR, I think, if I understand. So I don't know; that's a very interesting question, worth... Sometimes we did have one winner, so I'm going to pick one more and give them another chance to win here. We've got Ryan Tucker; let us know if you're here in the comments. And I don't know if this was the exact question that you just answered, but what about if you have legacy stuff like an AS/400 that needs LLMNR? So, thank you again. If any of you have to leave, thank you so much for coming and joining us and listening. We want to share; we're going to continue sharing. It's just what the ethos of BHIS is. It will be recorded so you can... What is the status? The status, that's tough. I have no clue. Yeah, I mean, I know AS/400s are still around and are still used everywhere; people still use green screens on them. Whether or not that correlates to using them as legacy and how they can work with Windows 2016, it's a great question. Ultimately, if you have to use LLMNR, all right, excuse me, if you have to use the AS/400 and you have to use LanMan hashes to be okay with it, that's kind of a pickle. It really is. Free talk: I mean, what I can say about that is you're dealing with legacy, and this is easy to set up when you're setting it up the first time; it's a lot more difficult if you're looking at legacy stuff. And so with the AS/400, I wouldn't deactivate LanMan hashes, because you could potentially destroy your authentication mechanism for the AS/400. But try it, you know, get a development environment set up and try and see what happens. I suspect it would probably fail if it's reliant on it, but there also might be middle-tier services that you can put in there that allow a different authentication service as a stopgap until you get that million-dollar project pushed out. There's still a lot of people here; if you guys have more questions, we have time. Definitely. We did get both of our winners, so thank you to those who let us know that you're here. And also, there's always next time. We do have stickers, I don't know, for some of those who weren't here at the beginning. Yeah, we'll be giving out stickers for those who didn't win any prizes; it's on our site, /stickers, and then enter your address so that we can get those sent.

Okay, so that tackles... icacls. What I would suggest is doing it all from the command line, because you can, and you can essentially enumerate all permissions with icacls. And bear with me, I'm thinking about seven, eight years ago: write a loop inside of a batch file, export all of that to a CSV, import the CSV into Access. So you can definitely do that. It's really interesting; you haven't heard anybody say those words in seven years. Yeah, I used to use it; I remember our last migration, icacls and all that magic. Yes, absolutely. Look at, I know it's silly, but look at command-line stuff, right: a loop that goes out and looks at every file, sure, every file, dumps all those ACLs to an Access database, and then we run queries off of them, and maybe put an intern on that. Noel, appreciate you. Oh, thanks for joining, really. And if you guys have any more questions, go ahead and email us; go ahead and email Sierra at BHIS and we will get your questions answered. So thank you, Jordan; thank you, Kent. Thank you, thank you so much, you've been awesome. Have a great afternoon. Thank you.
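The following is an added example for readers of this transcript; it is not code from the webcast, the slides, or Black Hills Information Security. It is a read-only PowerShell audit of several of the defaults the speakers say they check first on an internal test: Group Policy Preference passwords left in SYSVOL after MS14-025, LLMNR still enabled, LanMan hash storage, and the domain minimum password length (including any fine-grained password policies). It assumes a domain-joined Windows host with the ActiveDirectory RSAT module loaded; the function names, the 15-character threshold parameter, and the SYSVOL path built from USERDNSDOMAIN are this example's own assumptions, not anything stated in the talk.

```powershell
# Added example, not code from the webcast or from Black Hills Information
# Security. Read-only audit of AD defaults discussed in the talk. Assumes a
# domain-joined host with the ActiveDirectory RSAT module; function names,
# the SYSVOL path and the 15-character threshold are this example's assumptions.
Import-Module ActiveDirectory -ErrorAction Stop

function Find-GppCpassword {
    # MS14-025 stops new Group Policy Preference passwords from being written,
    # but policies created before the patch keep their cpassword attribute in
    # SYSVOL until the policy itself is deleted. List every element that still
    # carries one so the policy can be deleted and recreated.
    param(
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    $prefFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml',
                 'DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $prefFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            $xml  = [xml](Get-Content -LiteralPath $file -Raw)
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # Different preference types name the account differently.
                $account = foreach ($attr in 'userName','runAs','accountName') {
                    $v = $node.GetAttribute($attr)
                    if ($v) { $v; break }
                }
                [pscustomobject]@{
                    File    = $file
                    Element = $node.LocalName
                    Account = $account
                }
            }
        }
}

function Test-LlmnrDisabled {
    # The "Turn off multicast name resolution" policy writes EnableMulticast = 0.
    # An absent value is the Windows default, which leaves LLMNR on.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $v = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    return ($v -eq 0)
}

function Test-NoLmHash {
    # NoLMHash = 1 stops LanMan hashes from being stored at the next password
    # change; existing ones remain until the user changes their password.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $key -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    return ($v -eq 1)
}

function Get-PasswordLengthFindings {
    # Compare the Default Domain Policy and every fine-grained password policy
    # against the minimum length you want (15 here, an assumed threshold).
    param([int]$MinimumWanted = 15)
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Policy    = 'Default Domain Policy'
        MinLength = $default.MinPasswordLength
        Meets     = ($default.MinPasswordLength -ge $MinimumWanted)
    }
    # Fine-grained policies live in AD itself, not in the GPMC, and override
    # the default for the groups or users they apply to.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Policy    = $_.Name
            MinLength = $_.MinPasswordLength
            Meets     = ($_.MinPasswordLength -ge $MinimumWanted)
        }
    }
}

# Run all four checks and print a summary. Nothing here changes any setting.
$gpp = @(Find-GppCpassword)
"GPP cpassword entries still in SYSVOL: $($gpp.Count)"
$gpp | Format-Table File, Element, Account -AutoSize
"LLMNR disabled by policy on this host: $(Test-LlmnrDisabled)"
"NoLMHash set on this host:            $(Test-NoLmHash)"
Get-PasswordLengthFindings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined administrative workstation. The LLMNR and NoLMHash checks read the local registry, so they report the state of the host you run them on; the GPP and password-policy checks read SYSVOL and the domain. A non-empty GPP result is the case the speakers describe, where the patch was applied but the old preference files were never deleted.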
Info
Channel: Black Hills Information Security
Views: 21,184
Rating: 4.8376384 out of 5
Keywords: Active Directory, Black Hills Information Security, Infosec, AWS, Pentesting, Blue Team
Id: SdNPUhzYTUc
Length: 63min 51sec (3831 seconds)
Published: Mon Aug 13 2018