Lawrence Livermore National Laboratory

A system for strong local account management.

SLAM

David Frye

Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551

This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

The Subject: Local Accounts

All computers have a local account database Allows people or code to authenticate locally Enable access to resources locally At least 1 administrator (full permissions) Maintained independently• No linkage to Active Directory• No centralized management

UCRL: LLNL-PRES-413302

The Problem: Common Passwords

Admin Password typically set build time Typically the same on all machines (imaging) Password is seldom if ever changed Often neglected when joined to Domain

UCRL: LLNL-PRES-413302

The Problem: Illustrated

• Typical AD Environment• Machines built from images• Local Administrator enabled• Password is common

UCRL: LLNL-PRES-413302

The Problem: Illustrated

• Machine hack = site hack• AD is immune• AD can’t help

Hacker

UCRL: LLNL-PRES-413302

Disable Local Accounts?

Offline without cached credentials Temporary administration• Scientists on travel w/ need to install sw.

Dropped from domain• OS Virtualization

Re-enable via Recovery Console requires physical access.

UCRL: LLNL-PRES-413302

The Options:

Disable all local accounts • Best option• Not feasible in most environments

Deny “Access This Computer From The Network”• Force physical login• Kills remote management capability

Enabled accounts with common static passwords• Most typical• Most dangerous

Other options• Commercial solutions (expensive)

UCRL: LLNL-PRES-413302

Strong Local Admin Manager (SLAM)

Dynamic/Unique Passwords

Centralized Recovery

No Centralized Password Storage

No Specialized Authorization

No Dedicated Infrastructure*

UCRL: LLNL-PRES-413302

Dynamic/Unique Passwords

Unique Computer AD Attribut

e

Master Key

Strong Uniqu

e Value

How it works:

Computer Last Password Change

Date + GUID

SHA-256 HMAC

• Crypto-Random 256 bits• RSA 1024 bit encrypted

Local Administrator Password

UCRL: LLNL-PRES-413302

Centralized RecoveryHow it works:

• OU Administrator uses AD Users & Computers (ADUC)• Custom Context Menu Option for SLAM Recovery• ADUC connects to Web Service & returns password

UCRL: LLNL-PRES-413302

No Centralized Password Storage

How it works:• Passwords are NOT random• Passwords are calculated• Only the master hashing key & computer password change dates are stored

No Specialized Authorization

How it works:• SLAM Recovery leverages existing authorization in AD• Permissions Required: Full Control of computer object

UCRL: LLNL-PRES-413302

SLAM InfrastructureSLAM Client AD OU

Administrator• Small .NET app• Daily process• Requests new Local Admin Pwd• Creates local account if needed

Computer Password Change

Date

Master Key

ADUC

• Checks for recently expired Computer pwd• Checks for recently recovered Admin pwd• Validates Authorization• Calculates and returns password

SSL

Web Service

SSL

• Copy to clipboard• Historical passwords• Print

UCRL: LLNL-PRES-413302

SLAM Rollout @ LLNL

Developed in April 2008 by David Frye and Joe Taitt Started deployment in June 2008 Became mandated in 2009 for all unclassified Windows

computers (except DCs) ~9,000 Total SLAM Clients ~200 Password Recoveries per Month

UCRL: LLNL-PRES-413302

SLAM Next Steps

SLAM Client for MAC (Daniel Hoit)• Client is developed & currently in test

Remove/Disable non-SLAM local accounts• Necessary next step to gain full benefit• Need exception policies and procedures• Need to be careful

UCRL: LLNL-PRES-413302

Questions on SLAM?

UCRL: LLNL-PRES-413302