Pass the Hash Whitepaper v2CDP-B241

Patrick Jungles, TwC

Mark Simos, MCS

Takeaways

Apply Mitigations 1-31

Upgrade hosts and domain2

3 Build full defenses (IPDRR)

4

• Credential theft attacks

• Review previous mitigations

• Strategies: Identify, Protect, Detect, Respond, Recover

• New features and platform updates

• Scenarios

Agenda

“There are two types of companies today, those that have been hacked and those that don’t know they’ve been hacked.” 1

Assumption of breach represents a maturing of defenses to meet this reality and shifts the focus from “if” to “when” an attacker gets inside an organization’s network.

Assume breach

1. http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers

Problem Get Credentials• Social engineering and phishing schemes

are used to trick personnel and obtain credentials.

• Most organizations do not recognize when attackers are already within the network and have access to information such as emails, confidential documents and other intellectual property.

Get Data• The attack doesn’t stop there. Attackers

look for the next set of credentials with elevated permissions to access servers.

• Once elevated credentials are obtained and servers are compromised, organizations risk losing revenue, brand reputation and business continuity.

Get Control• The ultimate goal of the attacker may

be to gain access to the domain controllers, the central clearing hub for all credentials and identities.

• Once compromised, an attacker has complete control over an entire organization. All assets, intellectual property, physical property and personal information are in jeopardy.

Mitigation 1 - Restrict and protect high privileged domain accounts

This mitigation reduces the risk of administrators from  inadvertently exposing privileged credentials to higher risk computers. 

• Restrict DA/EA accounts from authenticating to lower trust computers

• Provide admins with accounts to perform administrative duties

• Assign dedicated workstations for administrative tasks.

• Mark privileged accounts as “sensitive and cannot be delegated”

• Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers

Objective How

An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.

Outcome

Addition of authentication policies

Mitigation 2 - Restrict and protect local accounts with administrative privileges

This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.

• Enforce the restrictions available in Windows Vista and later versions, preventing local accounts from being used for remote administration.

• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.

• Create unique passwords for local accounts with administrative privileges.

An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.

Objective How Outcome

Built-in SIDs for local accounts and local administrators

Mitigation 3 - Restrict inbound traffic using the Windows Firewall

This mitigation restricts the ability of attackers from initiating lateral movement from a compromised workstation by blocking inbound connections.

• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.

An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.

Objective How Outcome

No technical changes

1. Identify high-value assets2. Protect against known and unknown threats 3. Detect PtH and other related attacks4. Respond to suspicious activity5. Recover from breach

Strategies

Current environment

Identify

Identify high-value assets

Consider attacker mindset

Baseline normal behavior

Against known and unknown threats

Protect

Architect a complete credential theft defense

AdminPassword!

External storage Sign-on Use/cache

on clientIn transit

on networkAuthoritative

store

Consider usability a security feature

Protect Production Forest

Forest/Domain Admins and

Groups

Server Admins and Groups

Workstation Admins

Tier 0

Tier 1

Tier 2

Resources

Workstations

Admin Workstations

Admin Workstations

Domain Controllers

All Logons Blocked

Admin Workstations

Tier Logon

Higher Tier Logon

Lower Tier LogonOnly as required by role

Create hardened and restricted administrative

hosts

Develop a containment strategy

PtH and related attacks

Detect

Focus onhigh-valueassets

Monitor Event IDs

of interest

Collect and

correlate events

To suspicious activity

Respond

Regularly update protection and detection mechanisms

Follow up on lessons learned

Closely observe affected hosts

Ensure attack vectors are properly addressed

Account compromise

Recover

Regain control over accounts

Change compromised account passwords orDisable an account and remove group memberships

Considerations:• Only effective against future authentication• Offline attackers can still use cached logon pv• Attacker may be able to re-obtain password• Attacker may persist using malware in user context

Domain compromise

Recover

Consider professional incident response services

Tactical Recovery

A short-term operation designed to disrupt a known adversary operation

• Useful intelligence on the adversary presence

• Stealth operation that the adversary is unaware of

• Properly scoped defender operation

Strategic Recovery

A long-term plan that consists of multiple operations focused on recovering integrity at a high assurance level

• Risk of migration• Risk of coexistence • Planned end state

Core platform changes (automatically on)

Platform updates

Features Description AVAILABLE ONWindows 7 / Windows Server 2008 R2

AVAILABLE ON Windows 8 / Windows Server 2012

AVAILABLE ON Windows 8.1 /Server 2012 R2

REQUIRES DOMAIN UPGRADEWindows Server 2012 R2Domain Functional Level

Remove LAN

Manager (LM)

hashes and

plaintext

credentials from

LSASS

LAN Manager legacy hashes and (reversibly

encrypted) plaintext passwords are no longer

stored in LSASS

Enforce credential

removal after

logoff

New mechanisms have been implemented to

eliminate session leaks in LSASS, thereby preventing

credentials from remaining in memory

Logon restrictions

with new well-

known security

identifiers (SIDs)

Use the new SIDs to block network logon for local

users and groups by account type, regardless of what

the local accounts

are named

Platform updates

Features Description AVAILABLE ONWindows 7 /Windows Server 2008 R2

AVAILABLE ON

Windows 8 / Windows Server 2012

AVAILABLE ON Windows 8.1 /Server 2012 R2

REQUIRES DOMAIN UPGRADEWindows Server 2012 R2Domain Functional Level

Restricted

Admin mode for

Remote Desktop

Connection

The Remote Desktop application and service have been

updated to support authentication without providing

credentials to the remote host

Protected Users

security group

The new Protected Users security group enables

administrators to restrict authentication to the Kerberos

protocol only for group members within a domain

Authentication

Policy and

Authentication

Policy Silos

New Authentication policies provide the ability to restrict

account authentication to specific hosts

and resources

Configurable Features

Credentials in memory

Adapted from: Benjamin Delpy LSASS security improvements #windows8.1https://twitter.com/gentilkiwi/status/352557093640892416/photo/1

~ Only if installed** Off by default on Windows 8.1 and Windows Server 2012 R2* Off by default

Sample scenarios

RecommendationsHelpdeskDomain administrationOperations and service managementService accountsBusiness group isolationBring your own device (BYOD)

• Separate administrative accounts from user accounts

• Use hardened and restricted hosts• Limit exposure of administrative credentials

• RDP /RestrictedAdmin• Tools that only use network logon (Type 3)

• Add accounts to Protected Users security group(if Kerberos only is feasible)

• Create authentication policies and silos (if protected users is feasible)

Sample scenarios

RecommendationsHelpdesk

Domain administrationOperations and service managementService accountsBusiness group isolationBring your own device (BYOD)

• Reduce privileges and privilege use• Only use DA/EA for DC Maintenance and

Delegation• Separate administrative accounts from user

accounts • Use hardened and restricted hosts• Strengthen authentication assurance• Implement security monitoring• Add accounts to Protected Users security group

(if Kerberos only is feasible)• Create authentication policies and silos

(if protected users is feasible)

Sample scenarios

RecommendationsHelpdeskDomain administrationOperations and service management

Service accountsBusiness group isolationBring your own device (BYOD)

• Grant the least privilege• Never add to Domain Admins or Enterprise

Admins• Use managed service accounts• Change passwords regularly• Strengthen authentication assurance• Monitor service account activity• Contain credential exposure

Sample scenarios

ConsiderationsHelpdeskDomain administrationOperations and service managementService accounts

Business group isolationBring your own device (BYOD) • Define Use Cases

• Use hardened and restricted hosts• Restrict account logons• Consider blocking Internet access• Do not share accounts or passwords• Ensure unique local administrative passwords on

workstations and servers

Sample scenarios

ConsiderationsHelpdeskDomain administrationOperations and service managementService accountsBusiness group isolation

Bring your own device (BYOD)

• Define use cases and policies• Ensure risks are understood and accepted• Do not use BYOD devices for administration• Ensure that high business impact (HBI) data is not

being stored on these devices• No shared password for corporate and personal

accounts• No use of privileged service accounts on BYOD

devices• Deploy available security policies• Isolate network access• Create response/recovery strategies

26

Implement mitigations 1,2 and 3.1) Restrict DA/EA and other privileged accounts2) Deny network logon to local accounts and groups3) Restrict inbound access using the Windows Firewall

Manage with RDP /RestrictedAdminRemove service account privileges (e.g. Domain Admins)Adopt Protected Users and Auth Policies

Next stepsImplement strategies1Apply scenario guidance 2

3 Identify and implement quick wins

27

http://www.microsoft.com/PtH

References

Credential Theft Portalhttp://www.microsoft.com/PTH

NIST Framework http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Credential Theft Mitigation (CTM) Solutions - http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213

Update to Improve Credentials Protection and Managementhttps://technet.microsoft.com/en-us/library/security/2871997.aspx

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Developer Network

http://developer.microsoft.com

Come visit us in the Microsoft Solutions Experience (MSE)!Look for the Cloud and Datacenter Platform area TechExpo Hall 7

For more informationWindows Server Technical Previewhttp://technet.microsoft.com/library/dn765472.aspx

Windows Server

Microsoft Azure

Microsoft Azurehttp://azure.microsoft.com/en-us/

System Center

System Center Technical Previewhttp://technet.microsoft.com/en-us/library/hh546785.aspx

Azure Pack Azure Packhttp://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Azure

Implementing Microsoft Azure Infrastructure Solutions

Classroomtraining

Exams

+

(Coming soon)Microsoft Azure Fundamentals

Developing Microsoft Azure Solutions

MOC

10979

Implementing Microsoft Azure Infrastructure Solutions

Onlinetraining

(Coming soon)Architecting Microsoft Azure Solutions

(Coming soon)Architecting Microsoft Azure Solutions

Developing Microsoft Azure Solutions

(Coming soon)Microsoft Azure Fundamentals

http://bit.ly/Azure-Cert

http://bit.ly/Azure-MVA

http://bit.ly/Azure-Train

Get certified for 1/2 the price at TechEd Europe 2014!http://bit.ly/TechEd-CertDeal

2 5 5MOC

20532

MOC

20533

EXAM

532EXAM

533EXAM

534

MVA MVA

Please Complete An Evaluation FormYour input is important!TechEd Schedule Builder CommNet station or PC

TechEd Mobile appPhone or Tablet

QR code

Evaluate this session

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.