PSU Security Conference 2015 - LAPS Presentation
1. Managing Local Administrator Passwords with LAPS
2015 PENN STATE SECURITY CONFERENCE
DAN BARR – DRB45@PSU.EDU
SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY
10/14/2015 PENN STATE SECURITY CONFERENCE
2. The Shared Password Threat
Shared passwords are one vector used in Pass-the-Hash attacks
It only takes one compromised client to effectively compromise every system using the same local Administrator password
Makes lateral movement within a “trusted” network trivial
Even if the clear text password isn’t compromised, you’re still in big trouble
So, how do we manage passwords on a large number of systems?
◦ And rotate them often?
◦ And control who can access them?
◦ Without spending a small fortune on additional complex infrastructure or products?
3. What is Pass-the-Hash (PtH)?
(The short, short version)
Credential replay attack
Attacker does not need the cleartext password!
Hashes can be harvested from:
◦ Memory (lsass.exe process)
◦ Local SAM database (local accounts and cached AD credentials)
◦ NTLM traffic sniffing (but requires brute-force since hash is encrypted over the wire)
NTLM and Kerberos (via ticket replay/forwarding) are both vulnerable
[Diagram: lateral movement path from the Attacker through a Compromised Client and an Admin Client on to other Clients, Servers and Databases]
4. More on PtH
For more in-depth information and a demo of Pass-the-Hash:
Security Features of OneForest Active Directory Deployment
Keith Brautigam & Jake DeSantis
Thursday at 2:50pm
5. What is LAPS?
•Local Administrator Password Solution
•Free tool made public by Microsoft in May 2015
•Formerly only available to MS Premier Support agreement holders
•Securely manages unique, random local Administrator passwords on managed systems
•Completely implemented using AD & Group Policy, no additional infrastructure needed
•Developed due to frequency of shared admin passwords used as a primary attack vector in customer security incidents handled by Microsoft
•Does NOT eliminate PtH, just reduces the impact
6. How does it work?
•Schema extension adds two attributes to Computer objects:
• ms-Mcs-AdmPwd: Confidential, RODC Filtered
• ms-Mcs-AdmPwdExpirationTime
•Client-side GPO extension (DLL) installed via MSI
•Managed via simple GUI, PowerShell, or native AD management tools
[Diagram: components: Active Directory and the Group Policy Framework; AdmPwd.dll on the client; LAPS UI, PowerShell and Group Policy Editor for management; the AD Computer Account with its ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes]
7. LAPS Features & Requirements
FEATURES
•Passwords stored centrally in AD
•Optional audit/debug logging to client’s Security Event Log
•Define password parameters: length, complexity, age
•Force a password reset
•GUI, PowerShell, or native AD tools for management
REQUIREMENTS
AD: At least Server 2003 SP1
Officially-supported clients:
◦ Vista with current SP & above
◦ Server 2003 SP2 & above
Unofficially works on XP
8. LAPS Process
◦ GP refresh
◦ Check expiration timestamp in AD attribute
◦ If expired, generate new password based on configured rules
◦ Store new password in AD attribute and update expiration timestamp
◦ If successful, update local account PW
9. LAPS Security Considerations
Kerberos encryption used in transit
Use AD object access auditing to track password retrievals
Currently only handles one account per client
◦ Does not have to be built-in Administrator
Password is stored in clear text
◦ Encryption at rest would require key exchange (symmetric) or PKI (asymmetric)
◦ ACLs adequately protect
◦ Maintains the solution’s simplicity
◦ Compromised AD means game over anyway
AD attribute is marked confidential; one of the following permissions is needed to read it:
◦ “Full Control” on computer object, OR
◦ “All Extended Rights” on computer object, OR
◦ “Control Access” on ms-Mcs-AdmPwd attribute
Not replicated to RODCs
Not exposed in audit logging
13. Typical Deployment Workflow
◦ Extend AD schema
◦ Review/revoke extended rights
◦ Add machine rights (SELF)
◦ Add user rights and auditing
◦ Apply Group Policy settings
◦ Deploy client-side extension
14. Deployment Workflow - PowerShell
Extend AD Schema
◦ Update-AdmPwdADSchema
Audit/remove undesired extended rights
◦ Find-AdmPwdExtendedRights -Identity <OU Name> | Format-Table
Add Machine rights (SELF permission to update new attributes)
◦ Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name>
Add User rights to read PW or force reset
◦ Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
◦ Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <users/groups>
Enable access auditing
◦ Set-AdmPwdAuditing -OrgUnit <OU Name> -AuditedPrincipals <users/groups/Everyone>
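The cmdlets on this slide assembled into one deployment script, followed by a verification step that reads the two attributes from slide 6 and forces a rotation as in the slide 8 process. This is an added example, not part of the original deck; the OU, group and computer names are placeholders, the AdmPwd.PS module comes from the LAPS installer, and the ActiveDirectory module is assumed for Get-ADComputer.

```powershell
# Added example (not from the deck): LAPS deployment for one OU plus a check.
# Placeholders: OU, group and computer names below are invented for illustration.
Import-Module AdmPwd.PS -ErrorAction Stop          # LAPS management cmdlets
Import-Module ActiveDirectory -ErrorAction Stop    # Get-ADComputer

$ou        = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$readers   = 'EXAMPLE\LAPS-PasswordReaders'        # placeholder group
$resetters = 'EXAMPLE\LAPS-PasswordResetters'      # placeholder group
$testPc    = 'WS-TEST01'                           # placeholder computer

# 1. Extend the schema (once per forest; requires Schema Admins).
Update-AdmPwdADSchema

# 2. Review existing extended rights: any principal holding "All Extended
#    Rights" on the OU can already read ms-Mcs-AdmPwd, so revoke what is not
#    needed before the first password is stored.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize -Wrap

# 3. Let each computer (SELF) write its own password and expiration attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 4. Delegate read and reset rights to dedicated groups.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 5. Audit reads of ms-Mcs-AdmPwd. With "Audit Directory Service Access"
#    enabled, each retrieval is logged on the domain controller as event 4662.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals Everyone

# 6. Verify one machine once the GPO and client-side extension are deployed.
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME (100-ns ticks since 1601 UTC),
#    so convert it before comparing. Only the password length is shown here.
$pc = Get-ADComputer -Identity $testPc `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expires = [DateTime]::FromFileTimeUtc([int64]$pc.'ms-Mcs-AdmPwdExpirationTime')
"{0}: password length {1}, expires {2:u}" -f $pc.Name, $pc.'ms-Mcs-AdmPwd'.Length, $expires

# 7. Force a rotation. This only rewinds the expiration timestamp in AD; the
#    client generates and sets the new password on its next GP refresh.
Reset-AdmPwdPassword -ComputerName $testPc
$after = (Get-ADComputer -Identity $testPc -Properties 'ms-Mcs-AdmPwdExpirationTime').'ms-Mcs-AdmPwdExpirationTime'
if ([DateTime]::FromFileTimeUtc([int64]$after) -le (Get-Date).ToUniversalTime()) {
    "$testPc is now marked expired; rotation will occur at the next GP refresh"
}
```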
15. Other PtH Mitigations
Upgrade clients – lots of kernel-level hardening in newer (Win8+) versions.
Limit client-to-client communications
Disable caching of AD credentials where possible
Limit use/scope of privileged accounts – least user access
◦ Use hardened administrative stations & “jump” servers
◦ Offers fewer chances to harvest a privileged hash
Limit debug privileges (often used to access memory of protected processes)
16. THANK YOU!
Dan Barr – drb45@psu.edu
Reminder: Security of OneForest AD Deployment, 2:30pm tomorrow
Keith Brautigam & Jake DeSantis, ITS Identity Services