How to Prevent Attackers from Sensitive Accounts and Tasks

Captions
Hey guys, and welcome to the show. Today we're going to talk about privileged access workstation scenarios. And just ignore the shark.

Hey guys, and welcome to the show. Today we have John Rodriguez with us. John, say hi.

Hi there, everybody!

Wow, he's got more enthusiasm than I do today. That's pretty rare. So hey, John, man, tell us what your title is.

I am a cybersecurity architect on what used to be the U.S. national practice in MCS, Microsoft Consulting Services, and now we are the worldwide practice. At the stroke of a pen we didn't actually get any headcount; we just now cover the entire world. Oh yeah, a couple of my teammates are over in Dubai right now.

Yeah, I'm just gonna call you Sherwin-Williams, because you're covering the entire planet.

It's funny, I've actually done work for Sherwin-Williams.

Yeah, cool. Yeah, so we're gonna talk about PAWs today. Can you give us a little background? What is a PAW?

Sure. A PAW is a privileged access workstation, and it's a mechanism that we use to try to help avoid the exposure of privileged credentials to attackers or unwanted parties within your network. It's kind of a standard piece of our credential theft mitigation suite, and it builds very much on some of the work that viewers, long-term viewers of Taste of Premier, will have seen in the past: some of the things that Jessica Payne and Mark Simos have talked about in previous editions.

Yeah, awesome. So that sounds great. I understand you have a presentation for us, just to kind of get everybody acclimated.

I sure do. It's a short presentation; I'm not going to bore anybody to death with PowerPoint today, but it just helps set the tone and helps explain some of the basic ideas behind it. It also gives a very important website where we published this guidance publicly, which is really the reason I'm here today: it's to get people aware of this public presentation. It's public guidance that they themselves can use, without any further help from Microsoft or any other third party. They can use this to build PAWs, these workstations, in their own environments, and then use that to further secure their privileged access. So yeah, let's switch to the PowerPoint.

Hey, before you get started, tell us about your relationship with Mark and Jessica.

So it's kind of funny, because Mark Simos is an architect; he was actually the person who recruited me into the architect role a couple of years ago, and so Mark is one of my mentors. And I started working with Jessica in her second or third week at Microsoft; we went to an incident response together here in the central region, and so I became her mentor. So Mark is my mentor, I'm Jessica's mentor, so you've got this like grand mentor chain. But it doesn't end there, does it, Lex?

No, it doesn't, and that's actually kind of funny, because I was an FST trainer here in Charlotte for a long time when Mark came in, so I guess technically I helped train Mark.

So that's this grand mentor chain from Lex to Mark to me to Jessica. Although in fairness I should say, for all of Jessica's loyal viewers out there, I learned just as much from her as she does from me, and in fact I probably learned more from her. Brilliant lady, and a lot of fun to work with. So yeah, don't take... is this like Jessica?

Yeah, no, Jessica's awesome. She's just phenomenal, and so is Mark. So you've got kind of a high bar here, John.

I do. I'm gonna try to sidle up to it so they don't notice me trying to break their records for views. But in this presentation, it's a relatively short one, I just want to kind of set the stage here. This slide and one of the upcoming slides are from the securing privileged access deck that Andrew and Mark are going to present in an upcoming program. The idea is that identity is the security perimeter, because identities are used not just within the corporate network but outside the corporate network. You may have a cloud identity, whether it's your social media like Twitter or Facebook; you may have an Azure or Amazon Web Services subscription that your identity connects to. All of these different things, and it's used to manage all sorts of different resources, whether they're internal or external. So we say that identity is the new security perimeter, but more than that, oops, it's the security perimeter under attack.

An administrator is often doing multiple things at once, and they're often using the same machine to do those things. So if I'm connecting to the web and I manage Active Directory, I'm actually putting my organization at risk. This is the standard credential theft spiel for those that have heard it before. If I visit the wrong website, an attacker has planted malware, malvertising, cross-site scripting, you name it; if there's something on one of those websites that can compromise my workstation, and then I use that same workstation to administer Active Directory, I potentially have lost control of my Active Directory to the adversary, and one small mistake can lead to attacker control. I don't want to make it seem like the only attack vector is browsing the Internet. Of course there's spam: I click the wrong email and download something to my workstation. Or I connect the wrong USB: I find a USB in the parking lot, I want to see what's on it, it takes control of my workstation, and so on. Many, many different attack vectors, all of which ultimately have the same goal of trying to wrest control of the directory and the resources in the company away from the administrator.

As defenders, we have a tendency to think about all of our assets in lists: we're protecting the perimeter, we're protecting X number of things. But attackers don't think that way. Attackers will take a small advantage and parlay that by looking for the connections between different objects. They compromise one thing, which leads to the compromise of the next, which leads to the compromise of the next, and ultimately they get to the thing that they really find of value, whether it's control of Active Directory, a SQL database with credit card information, what have you. And this is summed up fantastically well in this quote from John Lambert. I don't know that he came up with it; if he did, it's an awesome quote, and if he didn't, the other people should get credit. Either way, it's "defenders think in lists, attackers think in graphs, and as long as this is true, the attackers win." And there's a great blog entry from John from last April, but it's still just as relevant today as it was nearly a year ago. This is really, really important, and we need to think about the true graph. It's not just the workstations, it's the identities that use those workstations; the identities may be the commonalities.

And unfortunately, enterprises are not small. I stole this screenshot from the presentation that we just released on Windows Defender Advanced Threat Protection, which comes out later this year, and this is just a common enterprise. Look at all of these connections: you can see that there are literally hundreds, if not thousands, of workstations, computer objects, on this screen, and you can see the little green lines emanating from them. But if you notice, there are certain systems that kind of are the choke points, whether that's a jump server, a remote desktop system, or maybe it's a helpdesk PC that's used to connect to all these systems. Attackers look for and exploit those common points to almost act as a bridgehead, to serve as that point that allows them to get anywhere else. Think of the MIS hubs and train stations or airport hubs, or choose your metaphor here.

Yeah. You mentioned something earlier and I didn't want to say anything then, because I didn't want to interrupt you, because you were doing so great, but you said people picking up USB drives in the parking lot. That's a real scenario, isn't it?

It's a very real scenario. I can just go out on your web search engine of choice and find literally dozens of examples where penetration testers and security researchers have actually posted blog entries talking about how they were able to compromise [unintelligible] by simply seeding the parking lot with USB drives. I remember reading one research paper that said of the twenty drives that he dropped in a particular organization's parking lot, which was the size of a football field apparently, 13 of them were activated within the hour. That's just an awful statistic. That also goes to the idea that we have to assume breach. We have to assume that the end users will do something that will potentially invite the attackers in. And now, assume breach does not mean we assume that the organization has been completely pwned; it means that we assume that there are going to be those tiny little incursions, and the idea is that we minimize the scope, the scale, of the actual compromise. It's like welcoming the attacker into the United States, saying, hi, welcome to Guam; by the way, there are no flights to the mainland.

Right, yeah. You know, I tried that trick with five-and-a-quarter-inch floppies, but nobody picked them up.

Yeah, probably three-and-a-half-inch floppies is going to be likewise a fail. Actually, the laptop that I'm using to talk to you now doesn't even have a CD-ROM.

No, neither does mine. It's funny, we were talking... so this really has nothing to do with this topic, right? So there's a video going around right now on the internet about kids trying to use Windows 95, like millennials trying to use Windows 95, and, you know, how do you connect to the internet? You know, what's this, is this a modem? You know, what's a modem? And it's just hilarious how far we've come in such a short period of time.

Well, it's no different than trying to show somebody a rotary dial phone, or no Wi-Fi. It's just progress. I find it funny that we find it funny that people from a later generation don't understand these things. It's just like we don't understand some of the things our grandparents went through.

Yeah, exactly. All right, so back to the presentation.

Back to the presentation. Now, because Mark and others have talked about lateral traversal and credential theft in previous editions, I'm not going to go through a demo or belabor the point. I just want to kind of highlight lateral traversal in a nutshell. Basically the idea is that a workstation contains a process called LSASS, the Local Security Authority Subsystem Service, and it essentially has representations of the identities that have logged into the system. It takes their password information, turns it into a hash, and they can use that hash to connect to other systems. So there's a local administrator account, potentially; there's the antivirus service account; there's the person who's actually logged on; there's a computer account. All of these are stored in LSASS. But there are tools, WCE (Windows Credential Editor), Mimikatz and others, that can take those identities and reuse them in unexpected ways. If I'm logged in on the system as Alice, an attacker can hijack my session and use it to look at other sessions that are simultaneously logged on: maybe the local administrator account was used a little while ago to do some installation, maybe they used runas or connected using remote desktop, or maybe there's a service that's running under the specific context of a service account. So the attacker can take that and basically change his or her network identity when he connects to another system. He pretends to be somebody else: he takes the information from LSASS and becomes, temporarily, the local administrator or the antivirus service account, and uses that to connect to another system. This is kind of following the nodes on that graph that I showed earlier, and then the idea is that he or she is looking for those privileged identities.

In this example, the attacker uses a local administrator to go from the first workstation to the second workstation. Well, he can't go from the second workstation to the third one using the local administrator account, because the password hashes are different. But there's that common antivirus service account that exists and works on both boxes, so the attacker switches contexts, takes that one, gets to the third system, and now has access to domain admin. Now, the attacker doesn't have access to the username and password; he has access to basically a representation of that, and you can think of it kind of as one-time use. The attacker, you know, goes from this workstation to another system using that domain admin hash, but of course, because it's domain admin, the destination is going to be a domain controller. The attacker is able to do things like run Invoke-NinjaCopy to copy the database offline, can put persistence mechanisms in place by changing the properties of services, and so on and so forth. So once the attacker gets his or her hands on domain admin, it's essentially game over. [unintelligible]

Yeah. So in the past Jessica's talked about some of the mitigations for this. We can put rules in place, firewall rules in place, to prevent workstation 1 and workstation 2 from being able to speak to one another. We can do things like segment the service accounts, so that service accounts are not common to large groups of machines. But then it still leaves the problem of that third workstation. The third workstation is used by a general user and by an administrator, and if you combine those two activities, if you have internet access or line-of-business application access and you're doing things on privileged systems, you're connecting to domain controllers, then you run the risk that in your internet browsing you pick something up. In the example on screen, we'll just say you visit the wrong website. You go out to your daily news websites and, unbeknownst to you, an attacker has compromised it; there's a cross-site scripting attack and he redirects you to a nasty site where you pick up all sorts of malware. Even though your system is running antivirus, even though your system is running anti-malware, even though you have a firewall, because you went to the website, it's allowed. So you pick up this thing, malware, credential theft program, what have you, and then you connect to a domain controller to do your work afterwards. Because your privileged identity is now visible to the attacker, he can grab that, and off to the races he goes.

So we try to focus, as part of securing privileged access, we try to focus on the things that are going to provide the most value. And again, referring back to some of the things we did, others have talked about: we want a separate administrator account for those administrative tasks. So we would not want Alice's account to be a member of the Domain Admins group. Alice should have an account where she does email and internet browsing, but she is not a domain admin. That's the first step. The second step in our roadmap is the privileged access workstations that I'm talking about today, and you can see right there we've got the link, aka.ms/cyberpaw, P-A-W. This is our public guidance. We've made this guidance freely available to anyone; you don't have to be a Premier customer to access the URL, it's just on the regular internet. And a privileged access workstation is essentially a second system that you use to do administrative work. You never log into that system with your regular end-user credentials; you only ever log in with your domain admin credentials. We'll talk about what this looks like in a little bit more detail in a moment. I just want to finish up with the rest of the recommended immediate two-to-four-week recommendations: unique local admin passwords for workstations using the LAPS tool that Jessica talked about in the previous edition, and if possible extend that same protection to your member servers, whether they're Exchange servers or SQL servers or whatever. They will all have that built-in local administrator account; we want them to have separate passwords, so that an attacker can't simply compromise one workstation and use that local administrator account to move from system to system to system to system.

Cool. So yeah. Yep, got a question there?

No, I did... that just makes good sense, right?

We'd like to think it makes a lot of sense. Unfortunately we're still trying to convince people that this is a necessary and critical thing to do. That's one of the reasons we actually published the guidance. It's funny that people say, are you crazy? Microsoft sells a PAW deliverable; we actually have an MCS offering where we will come in and help you build PAWs, deploy PAWs, identify who needs PAWs, and so on, and we're giving you the instructions to build these things. Look, yes, it's this important. We feel it's so important we want as many people to have PAWs as possible. If your organization has the operational maturity, has the availability, time and resources and the expertise to do this, we want you to do it on your own. If you can't, if you don't have the time, if you don't have the resources, etc., and you want us to do it, we can come in and get it done very quickly for you. But the idea is that we want everybody to be using a PAW model. We want every organization on the planet to segment their administration from their daily use.

Right. So people need to understand that we don't want to be in the news any more than you want to be in the news.

Right.

Right. We want you to have a great experience with our products, just like you want to have a great experience with our products, and if you get breached it's not just your name that gets, you know, kind of out there, publicized; it's our name as well. Right? We wrote the OS. We're the guys that, you know, created the software that got exploited. So we don't want that any more than you want that.

No, absolutely not. And I had a customer ask me recently, why should we look to you for security expertise, why not look to one of the security boutique firms? And my answer is very simple: we're the factory team. In fact, you can look at this as sort of the split between mechanics and the dealership. If you get your car repaired by a mechanic, they're somewhat agnostic; their goal is to repair cars, so their focus is on ensuring that you come back and you have your car repaired there. The dealership has a different incentive. The reason that they have service centers is because they want you to buy another one of their cars. They don't want you to buy another car from a different competitor later; they want you to continue buying from them. So the incentive is extremely different. That's our incentive: we're the factory team, we're the dealership, we want you to continue buying Microsoft software as opposed to going to another operating system.

Right, yeah, absolutely. And you mentioned using the same local admin password across multiple boxes. I think one of the things that we're battling here is just kind of human nature, right?

Yeah.

It's very easy for somebody to do that, because then they don't have to remember what the password for this box was, what the password for that box was. But there's, you know, something that you're probably not thinking about when you do that, and that is the fact that, you know, how many boxes get exploited because you use the same password over and over again.

Having a common administrator password creates the links between the nodes in the graph that I displayed before, and what we're trying to do is sort of a form of the Lockheed Martin kill chain: we're trying to sever the kill chain at multiple points. If you think back to the slide where I had the multiple workstations, there are numerous ways that we can sever communications between them: we can have randomized local administrator passwords, we could have separate service accounts for all of the services running on those systems, we can put firewall rules in place that prevent them. So we can make the system more and more secure by taking these very specific actions, but ultimately the thing that's going to have the greatest overall value, the greatest overall impact, is ensuring that the privileged credentials are never exposed to an attacker, that the attacker never gets the chance to see those privileged credentials, never gets to see them, let alone steal them. And that's what this PAW guidance is all about. It's actually a subcategory of the securing privileged access piece up on TechNet. The URL is on screen: it's aka.ms/cyberpaw. There is also aka.ms/privsec, priv-sec, and that takes you to the parent page that's on screen. If you look in the navigation pane in the screenshot, you can see Securing Privileged Access; privsec is the securing privileged access. Right now we only have two subcategories, privileged access workstations and the securing privileged access reference material, but in the future we're going to put more online. We're going to make more of our security content freely available, again because we're trying to get our customers secure, help them get secure and stay secure, because we're their factory team. Because we're the factory team, we want you to buy more Microsoft software, basically.

Now, the privileged access workstations: the central tenets for the PAWs. Number one, we want to make sure that they're built securely, that these systems are basically hardened against attack from the very, very beginning. We use the clean source principle, so we want to make sure that you're using known-good hardware bought directly from a trusted manufacturer with good control of their supply chain. We want to make sure that you're using a clean image, so we actually recommend things that people think are incredibly paranoid, almost: we recommend that you actually download the ISO, the DVD for Windows 10 Enterprise, via two separate internet connections and then compare the hashes to make sure that the two of them match, so that there's no question that they weren't intercepted or tampered with in any way. And then you build that operating system image for the PAWs in a clean room, separate from the internet. You do all of these different things on trusted hardware with TPM 2.0 that's capable of UEFI, Secure Boot, all of the wonderful things that are built into our more recent operating systems. We specifically want Windows 10 Enterprise, because that enables Credential Guard and Device Guard, upon which we build a lot of our foundational security pieces in the PAW model. And then, building on that, we also try to reduce the attack surface as much as possible, which means we have the bare minimum of applications on the system: no Internet Explorer, no browser, unless of course it's for cloud administration. We'll talk about that in a minute, where we lock down the browser. We prevent the installation of additional applications using a blocker. We ensure that the workstation is not configured using the same security pieces, the same, what I'm looking for here, service accounts: it doesn't use the same service accounts as other systems do, so that the attacker wouldn't be able to parlay compromise of the SCCM service account to attack the PAW. We make sure that there are no line-of-business applications. It's kind of like Joe Friday from Dragnet: just the facts, ma'am. Try to reduce the surface as much as humanly possible. And then, last but not least, access restrictions. I mentioned before that the only people that log on to PAWs are privileged admins, and those people cannot log on to other systems. You can't use your domain admin account on a regular workstation, and you can't use your regular account on a domain admin workstation, on a PAW. Overall we kind of characterize that last bit as: make it hard to do the wrong thing, but easy to do the right thing.

Yeah, and I have customers that do that pretty effectively. They have user account names that have a different character in front of them if it's their admin account, and they of course have different passwords for their admin accounts. A lot of customers are even doing two-factor now with smart cards, so all of that stuff is great.

Yes, two-factor is fantastic, or properly, at least, multi-factor, because you can actually have a third or a fourth or a fifth in there as well. But one of the things about multi-factor is that if you leave the smart card in the reader, the attacker actually can access the smart card just as if it's a regular identity. And in fact, when you use a smart card for interactive logon, Windows is actually creating an NTLM hash in the background and storing it in LSASS, just as if you typed a password. So there are plenty of customers that ask, when we talk about pass-the-hash or credential theft more broadly, they ask, does multi-factor solve that problem? And unfortunately, no, it doesn't. Multi-factor is fantastic for remote access scenarios, proving it's truly you, because you know not only the username but you have the smart card associated with that username. But at the same time it can potentially lull some customers into a false sense of security, thinking that because they have that smart card they're protected against all ills, and that's just not the case. It's a piece of the puzzle. In fact, we recommend the use of smart cards in some of our other deliverables, including the Enhanced Security Admin Environment, but the smart card itself is not a panacea. It's part of the solution; it's not a complete solution in and of itself.

Yeah, absolutely.

That was a long response to your off-the-cuff statement, but I know that that's absolutely a hobbyhorse for me.

Yeah, yeah. I didn't realize that there was an NTLM hash that got generated because of the smart card. That's actually pretty interesting.

Yeah, and it never changes, so it's the same hash forever. The way that you would change it is actually toggling the "smart card required for interactive logon" checkbox on the account. We call that SCRIL, from the initials S-C-R-I-L, and if you toggle SCRIL, just turn it off, turn it right back on, it doesn't impact the smart card or the smart card PIN; all it does is change the hash associated with that particular account.

Well, where is that stored? Is that a registry key, or... the smart card required for interactive logon?

Yeah, I believe it's actually a value in either user account control or [unintelligible].

Just wondering. We just finished a series on PowerShell and I'm just wondering if there's a way to toggle it via PowerShell.

Oh, I'm sure there is. I don't know, right?

Would be kind of neat for a customer to maybe push out a login script that toggles it every time somebody logs in.

Actually, what we're seeing is that organizations are doing that on a regular basis: they have a script that toggles it for all of their smart-card-enabled users, and it happens at like three o'clock in the morning. You don't want to toggle it when the person is actually logging in or is online, because then it invalidates the existing one and they would need to log in a second time to generate the new one, so it would be a user disruption. But you can manage it after the fact.

Good deal. Yeah, that's cool.

So there are two primary deployment models for PAWs. The preferred model, by far the preferred model, is to have separate systems: you have a physical workstation, you have a physical PAW, and the reason for this is it sends a really strong signal. I'm doing admin work, oh, I need to use the right-hand system; I'm doing regular work, oh, I use the left-hand system. I actually know one customer that went as far as literally painting the hand rests on the keyboard for the PAW bright red, just to make it a really clear visual signal that this is the one you use your red account on, and I thought that was a fantastic thing. Again, it sends a really, really strong signal.

Yeah.

But in fact that's additional hardware, and sometimes people, for some strange reason, don't want to carry an extra ten pounds with them everywhere they go. So it is possible to use a physical PAW and then connect to a virtual daily use system, and there are two traditional mechanisms for doing that. The first is a local hypervisor, so whether you're running Windows 10 and Hyper-V, as we strongly recommend for a PAW, or you're running VMware, a local daily use system running within the confines of the PAW itself. Or you can connect to a virtual desktop instance running off of a virtualization farm in your place of business, so that instead of running a local hypervisor you would run off of a server-based hypervisor. Now this is of value, and I know customers that have been experimenting with this and going with this over the last couple of years. Unfortunately it's slightly less secure than the separate hardware model. Unfortunately, there are sandbox escapes, there are escalations of privilege that allow somebody to go from a virtual machine, a guest, to the host itself and access content and memory on the host. They're few and far between, and most of them, all the ones that I know of for Hyper-V, have been patched or there are patches available for them, but it doesn't reduce that risk to where that risk does not exist, as it does if it's separate physical hardware. So we recommend, strongly recommend, that customers that do choose to use privileged access workstations use separate hardware. Now, one question that we get a lot is, can I bring this home? What if I need to do administration at two o'clock in the morning? You're saying I have to drive into the office to get to my workstation? No, no. These workstations can be laptops; that's in fact why Mark and I chose to use the icons of the laptops themselves. You can use a laptop at home on your network. Your son's downstairs playing Xbox Live, your daughter's on Facebook, your wife is watching Netflix, and you're on your workstation, on the same network, using the same network resources. All of the traffic is essentially bouncing off, because the only systems that your workstation could connect to are your IPsec endpoints for your VPN and then all of the internal resources to which you should have access. And again, we create rules as part of PAW, create rules allowing the workstation to talk to these resources but not these other resources. The daily use system has unfettered access to the content, but the PAW has limited access, only to the things that it actually needs to administer.

Awesome. That's cool stuff.

Now, one thing that I have to highlight, and I think this is the last slide, one thing I have to highlight is the order is extremely important in the virtualization. You cannot go from a user workstation to an admin VM, because anything I do in the admin VM is essentially under the control of the workstation itself. Although the credentials may not be directly exposed, because the attacker can't run code within the VM, the VM itself could be compromised by the administrator of the user workstation. For example, I can have screen scraping software that records everything that I do in the VM; I can export the VM itself, I can export the VHD to another system for offline cracking and analysis; I could have a keystroke logger running on the user workstation to record every keystroke that takes place in that admin VM. So unfortunately, going from a user workstation to an admin VM PAW, it has a huge risk of a privilege escalation. But if you go the other way around, if the physical device is the PAW and you access a user VM, well, the PAW never talks directly to the internet. The attacker doesn't have access to the PAW. The user VM talks to the internet, has email, has all the risks of privilege escalation, but if the attacker compromises the user VM there's no way to get back to the PAW. Even if he installs a keystroke logger in the user VM, it doesn't work on the PAW; it works on the virtual keyboard within the VM. So it's a bit of a change from the model that people are very, very used to. We've trained people over years and years that you log into a workstation with a low-trust account and you use runas to elevate your privileges. Well, unfortunately, that doesn't really work anymore; runas puts some credentials in memory, into LSASS, for the attacker to grab. We need to train people to log in to the privileged access workstation with their privileged credentials and then downgrade the connection to the user VM using their regular user credentials. Again, it's culture change; it's a bit of a shock for people, but it's the most secure way of doing administration.

Yeah, that was cool. So John, man, thanks for coming on and doing this with us.

You're very welcome. Glad to get the word out about PAW. But one thing I want to say: we didn't, as part of this, go through the actual instructions, go through the details, but you'll find that the article for which I showed the link, again it's aka.ms/cyberpaw, the instructions are pretty detailed: do this, do this, do this, go into the registry, configure this, go into GPO and configure this. All of that information is there. If you have any issues actually following the steps in the guidance, feel free to contact us; it's cyber doc feedback at microsoft.com, and just let us know where our instructions failed you, and we'll help you out and make sure that we get it right for everybody else that uses the same instructions.

Yeah, well, you guys heard it. I mean, that's an awesome offer, and again, thanks for being on the show. This was a really interesting topic.

You're very welcome, Lex. Glad to be here, and thanks for having me.

Okay guys, I guess that's it. That's your Taste of Premier.
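The scheduled SCRIL toggle the guests describe (turn "smart card is required for interactive logon" off and back on so the account gets a fresh NT hash) can be scripted with the ActiveDirectory module. This is an added example, not code from the episode or from Microsoft's published PAW guidance; the search scope, the decision to skip disabled accounts, and running it from an off-hours scheduled task are assumptions.

```powershell
# Added example: rotate the NT hash behind smart-card-only AD accounts by toggling SCRIL.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the target accounts.
# Meant to run from an off-hours scheduled task: toggling while the user is logged on
# invalidates their current credential and forces a second logon.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed scope: the whole domain. Narrow to an OU DN for a staged rollout.
    [string] $SearchBase = (Get-ADDomain).DistinguishedName
)

$ScrilBit    = 0x40000   # ADS_UF_SMARTCARD_REQUIRED in userAccountControl
$DisabledBit = 0x2       # ADS_UF_ACCOUNTDISABLE

# LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803): every enabled user
# that already has SCRIL set. Interpolation yields the decimal values LDAP expects.
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$ScrilBit)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$DisabledBit)))"

$accounts = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase
$rotated  = 0

foreach ($u in $accounts) {
    if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, 'Rotate NT hash by toggling SCRIL')) {
        continue   # -WhatIf: report the account and move on
    }
    try {
        # Clearing the flag and re-setting it makes the DC assign a new random
        # password, so the stored NT hash changes. Card and PIN are untouched.
        Set-ADUser -Identity $u -SmartcardLogonRequired $false -ErrorAction Stop
        Set-ADUser -Identity $u -SmartcardLogonRequired $true  -ErrorAction Stop
        $rotated++
    }
    catch {
        Write-Warning "SCRIL toggle failed for $($u.SamAccountName): $_"
    }
}

Write-Output ("Rotated NT hash for {0} of {1} smart-card-only accounts under {2}" -f
              $rotated, @($accounts).Count, $SearchBase)
```

Run it once with -WhatIf to see which accounts the filter selects before scheduling it.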
Info
Channel: Taste of Premier
Views: 2,625
Rating: 4.8000002 out of 5
Keywords: Security, Microsoft, Cybersecurity, Windows, Windows 10, Azure, Microsoft Azure, Pass the Hash, Malware, Ransomware
Id: 0KNIuFzgoWQ
Length: 33min 57sec (2037 seconds)
Published: Wed Dec 27 2017