Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, draws on his extensive knowledge of Windows Active Directory security to share practical tips on the various ways to protect a computer or organization from Windows computer and password attacks. Gain strength from the detailed 14 tips and tricks!
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
1. Protecting Windows Passwords
2. About Your Speaker
• Derek Melber, MCSE & MVP (Group Policy and AD)
• derek@manageengine.com
• www.auditingwindowsexpert.com
• Online Resources
  • ManageEngine Active Directory Blog
  • Group Policy Resource Kit – MSPress
• Windows Security Audit Package Consulting
  • Active Directory/Windows Audit Program
  • Training for efficient auditing
• Administration Consultant
  • Active Directory and Server Design/Security
  • Active Directory and Group Policy Design
4. Password Attacks
• Deleting SAM
• Dual Boot Scenarios
• Social Engineering
  • Impersonate another person or company
  • Barter
• Guessing
• Cracking
  • Captured challenge-response pairs
  • Locally-stored hashes
5. Pass The Hash (PtH) Attack
Diagram tiers:
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications
1. Bad guy targets workstations en masse
2. User running as local admin compromised, Bad guy harvests credentials.
3. Bad guy starts “credentials crabwalk”
4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5. Bad guy owns network, can harvest what he wants.
6. PtH Attack
• Attacker must gain local admin privileges
• Attacker must have a connection to the computer
• The attack can’t be 100% prohibited!
7. Mitigation #1
• Restrict and protect high privileged domain accounts
  • Configure with long, strong, complex password
  • Use dual accounts
  • Restrict User Rights
  • Restrict where these accounts can logon
  • Configure “Sensitive and cannot be delegated”
  • Do not use as service accounts or scheduled tasks
8. Mitigation #2
• Remove standard users from the local Administrators group
  • Ensure all applications run as standard user
  • Deploy new software and updates without administrative rights
  • Obtain software to allow apps/features to run, even though user is standard user (Viewfinity)
9. Mitigation #3
• Restrict and protect local accounts with administrative privileges
  • Disable the local Administrator account
  • Do not use the same password on multiple computers
  • Configure User Rights
    • Restrict from remote administration
    • Restrict from network access
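An added example (not code from the deck) that audits a workstation for Mitigations #2 and #3: it lists members of the local Administrators group that are not on an allowed list, finds the built-in Administrator account by RID 500 (it may have been renamed), and can disable it. The allowed-member list and the CORP group name are constructed placeholders.

```powershell
# Added example, not part of Derek Melber's deck: audit a workstation's local
# Administrators group (Mitigation #2) and the built-in Administrator account
# (Mitigation #3). Run in an elevated PowerShell session on the workstation.
# $AllowedMembers is a constructed list; replace it with your own standard.
param(
    [string[]]$AllowedMembers = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins'),
    [switch]$DisableBuiltinAdmin
)

# WMI associators query: every user or group that is a direct member of local Administrators.
$query = "ASSOCIATORS OF {Win32_Group.Domain='$env:COMPUTERNAME',Name='Administrators'} " +
         "WHERE AssocClass=Win32_GroupUser"
$members = @(Get-WmiObject -Query $query)

# Anything outside the allowed list is a candidate for removal (standard users, stale accounts).
$unexpected = foreach ($m in $members) {
    $account = "$($m.Domain)\$($m.Name)"
    if ($AllowedMembers -notcontains $account) {
        [pscustomobject]@{ Account = $account; Type = $m.__CLASS; SID = $m.SID }
    }
}

# Locate the built-in Administrator by its RID (500) rather than by name, since it may be renamed.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like '*-500' }

"Members of local Administrators not on the allowed list:"
if ($unexpected) { $unexpected | Format-Table -AutoSize } else { "  (none)" }
"Built-in Administrator account '$($builtin.Name)' disabled: $($builtin.Disabled)"

# Optional remediation for Mitigation #3: disable the built-in account. The WinNT ADSI
# provider is used so this also works on systems without the LocalAccounts module.
if ($DisableBuiltinAdmin -and -not $builtin.Disabled) {
    $adsiUser = [ADSI]"WinNT://./$($builtin.Name),user"
    $adsiUser.AccountDisabled = $true
    $adsiUser.SetInfo()
    "Disabled built-in account '$($builtin.Name)'."
}
```

Run it first without -DisableBuiltinAdmin to review the report; the same script can be pushed to many workstations through your management tooling so the per-machine result feeds the password-reuse review in Mitigation #4.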
10. Mitigation #4
• Don’t use the same password on workstations, servers, domain
• Don’t allow every workstation to use the same local admin password
• Reset passwords often (even Admins)
• Don’t use the same password for workstations and servers
• Use a password vault and change passwords often for domain admin activity
11. Mitigation #5
• Restrict inbound traffic using the Windows Firewall
  • Restrict all inbound connections to all workstations except for those with expected traffic
  • Configure trusted sources
    • Help desk
    • Workstations
    • Scanners
    • Management servers
12. Mitigation #6
• Do not allow browsing the Internet with highly privileged accounts
  • Configure User Account Control at highest level
  • Configure outbound proxies to deny Internet access to privileged accounts
  • Ensure administrative accounts do not have email accounts or mailboxes associated with them
13. Mitigation #7
• Update applications and operating systems
  • Use Microsoft WSUS
  • Use Microsoft SCCM
  • Obtain software to verify current vulnerabilities
14. Mitigation #8
• Limit the number of privileged domain accounts
  • Restrict access to default groups with elevated privileges
    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators
    • DNS Admins
    • DHCP Admins
    • Group Policy Creator Owners
    • Backup Operators
    • Account Operators
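An added example (not code from the deck) for Mitigation #8: it expands the nested membership of the elevated default groups listed on the slide and reports how many distinct user accounts hold any of them, which is the number to drive down. It assumes the ActiveDirectory RSAT module; the slide's "DNS Admins" and "DHCP Admins" are mapped to the actual group names DnsAdmins and DHCP Administrators.

```powershell
# Added example, not part of the deck: enumerate direct and nested membership of the
# default elevated groups listed on this slide so the privileged-account count can be
# kept small (Mitigation #8). Assumes the ActiveDirectory RSAT module and read access.
Import-Module ActiveDirectory

# The slide's short names map to these group names; DnsAdmins and
# "DHCP Administrators" exist only where the DNS/DHCP roles have been installed.
$privilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'DnsAdmins', 'DHCP Administrators', 'Group Policy Creator Owners',
    'Backup Operators', 'Account Operators'
)

function Get-PrivilegedMembership {
    param([string[]]$Groups)
    foreach ($groupName in $Groups) {
        # Enterprise/Schema Admins live only in the forest root, so a missing group is
        # reported, not treated as an error.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if (-not $group) {
            [pscustomobject]@{ Group = $groupName; Member = '(not present in this domain)'; Class = ''; Enabled = '' }
            continue
        }
        # -Recursive expands nested groups so indirectly privileged accounts are not missed.
        $members = @(Get-ADGroupMember -Identity $group -Recursive)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $groupName; Member = '(empty)'; Class = ''; Enabled = '' }
            continue
        }
        foreach ($m in $members) {
            $enabled = 'n/a'
            if ($m.objectClass -eq 'user') { $enabled = (Get-ADUser -Identity $m.distinguishedName).Enabled }
            [pscustomobject]@{ Group = $groupName; Member = $m.SamAccountName; Class = $m.objectClass; Enabled = $enabled }
        }
    }
}

$report = Get-PrivilegedMembership -Groups $privilegedGroups
$report | Sort-Object Group, Member | Format-Table -AutoSize

# One number to track over time: distinct user accounts holding any elevated membership.
$distinct = @($report | Where-Object { $_.Class -eq 'user' } | Select-Object -ExpandProperty Member -Unique).Count
"Distinct privileged user accounts: $distinct"
```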
15. Mitigation #9
• Secure Domain Controllers
  • Reduce number of applications installed
  • Physical security
  • Ensure User Rights are configured properly
  • Restrict Anonymous access
16. Mitigation #10
• Remove LM Hashes
  • Will not store LM hash with user account
    • Local SAM
    • Active Directory
  • If user DB is compromised, LM hash is not there
17. Mitigation #11
• Disable LM and NTLM
  • Will deny these authentication protocols from being used
  • Will prevent the LM and NTLM hashes from being intercepted
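An added example (not code from the deck) covering Mitigations #10 and #11 together: it reads the LSA registry values that carry the "do not store LM hash" and "LAN Manager authentication level" settings, plus the Restrict NTLM values, and flags any that fall below the hardened baseline. In a domain these should be set by Group Policy; the registry is only where the effective value is read back.

```powershell
# Added example, not part of the deck: audit the LSA registry values behind
# Mitigations #10 and #11 on the local machine. In a domain these are normally set by
# Group Policy ("Network security: Do not store LAN Manager hash value on next password
# change" and "Network security: LAN Manager authentication level").
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Path = Join-Path $lsaPath 'MSV1_0'

# Expected hardened values. A value that is absent means the OS default applies.
$checks = @(
    @{ Path = $lsaPath;  Name = 'NoLMHash';                     Expected = 1; Meaning = 'Do not store LM hash on next password change' },
    @{ Path = $lsaPath;  Name = 'LmCompatibilityLevel';         Expected = 5; Meaning = 'Send NTLMv2 only; refuse LM and NTLM' },
    @{ Path = $msv1Path; Name = 'RestrictSendingNTLMTraffic';   Expected = 2; Meaning = 'Deny outgoing NTLM (1 = audit only)' },
    @{ Path = $msv1Path; Name = 'RestrictReceivingNTLMTraffic'; Expected = 2; Meaning = 'Deny incoming NTLM for all accounts' }
)

function Get-LsaSettingStatus {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.($Check.Name) }
    $shown = '(not set)'
    if ($null -ne $actual) { $shown = $actual }
    [pscustomobject]@{
        Setting   = $Check.Name
        Actual    = $shown
        Expected  = $Check.Expected
        Compliant = ($actual -eq $Check.Expected)
        Meaning   = $Check.Meaning
    }
}

$results = $checks | ForEach-Object { Get-LsaSettingStatus -Check $_ }
$results | Format-Table -AutoSize

# Existing LM hashes are only purged when each account's password is next changed,
# which is why the deck pairs this with resetting passwords (Mitigation #14).
$failing = @($results | Where-Object { -not $_.Compliant })
if ($failing.Count -gt 0) {
    "$($failing.Count) setting(s) below the hardened baseline; set them via Group Policy and re-run."
}
```

Set the Restrict NTLM values to audit (1) before deny (2) and review the NTLM audit events, since legacy applications that still depend on NTLM will break once it is refused.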
18. Mitigation #12
• Workstations Setting Configured for Service Accounts
  • Limits which computers the user can log on to
  • Restricts the account from logging on to any other computer
  • Set in user account properties
19. Mitigation #13
• Don’t Allow Service Accounts to Reset Own Password
  • Only an administrator can reset the password
  • Prevents the user (or an attacker) from resetting the password
  • Set in user account properties
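An added example (not code from the deck) that applies the three "user account properties" settings described in Mitigations #1, #12 and #13 to a service account and reads them back, plus a query for accounts still missing any of them. It assumes the ActiveDirectory RSAT module; the svc-* naming convention and the account and computer names are constructed placeholders.

```powershell
# Added example, not part of the deck: set the three user-account properties the
# mitigations describe on a service account, then read them back.
#   AccountNotDelegated  -> "Account is sensitive and cannot be delegated" (Mitigation #1)
#   LogonWorkstations    -> "Log On To" computer list (Mitigation #12)
#   CannotChangePassword -> "User cannot change password" (Mitigation #13)
# Assumes the ActiveDirectory RSAT module and rights to modify the account.
Import-Module ActiveDirectory

function Protect-ServiceAccount {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # NetBIOS names of the only computers this account may log on to.
        [Parameter(Mandatory = $true)][string[]]$AllowedComputers,
        [switch]$WhatIf
    )
    $props = 'AccountNotDelegated', 'LogonWorkstations', 'CannotChangePassword'
    $before = Get-ADUser -Identity $SamAccountName -Properties $props

    # The directory stores "Log On To" as one comma-separated string.
    Set-ADUser -Identity $before `
        -AccountNotDelegated $true `
        -CannotChangePassword $true `
        -LogonWorkstations ($AllowedComputers -join ',') `
        -WhatIf:$WhatIf

    if ($WhatIf) { return }
    $after = Get-ADUser -Identity $SamAccountName -Properties $props
    $changed = ($before.AccountNotDelegated -ne $after.AccountNotDelegated) -or
               ($before.CannotChangePassword -ne $after.CannotChangePassword) -or
               ($before.LogonWorkstations -ne $after.LogonWorkstations)
    [pscustomobject]@{
        Account               = $after.SamAccountName
        SensitiveNotDelegated = $after.AccountNotDelegated
        CannotChangePassword  = $after.CannotChangePassword
        LogonWorkstations     = $after.LogonWorkstations
        Changed               = $changed
    }
}

# Find service accounts that still lack any of the three settings. The svc-* naming
# convention is a constructed assumption; adjust the filter to how your accounts are named.
function Get-UnprotectedServiceAccount {
    Get-ADUser -Filter "SamAccountName -like 'svc-*'" `
        -Properties AccountNotDelegated, LogonWorkstations, CannotChangePassword |
        Where-Object { -not $_.AccountNotDelegated -or -not $_.CannotChangePassword -or
                       [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, AccountNotDelegated, CannotChangePassword, LogonWorkstations
}

# Constructed usage: preview with -WhatIf first, then run again without it to apply.
Protect-ServiceAccount -SamAccountName 'svc-backup' -AllowedComputers 'BACKUP01', 'BACKUP02' -WhatIf
```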
20. Mitigation #14
• Reset Passwords for ALL User Accounts
  • Normal users should change password every 60 to 180 days
    • Depends on compliance regulations
    • Depends on password structure
  • Administrators should change password every 60 to 180 days
  • Service Accounts should have password changed every 180 to 360 days
21. Questions?
Thank you!