Lawrence Livermore National Laboratory
A system for strong local account management.
SLAM
David Frye
Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551
This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
The Subject: Local Accounts
• All computers have a local account database
• Allows people or code to authenticate locally
• Enables access to resources locally
• At least 1 administrator (full permissions)
• Maintained independently
  • No linkage to Active Directory
  • No centralized management
UCRL: LLNL-PRES-413302
The Problem: Common Passwords
• Admin password typically set at build time
• Typically the same on all machines (imaging)
• Password is seldom if ever changed
• Often neglected when joined to Domain
The Problem: Illustrated
• Typical AD Environment
• Machines built from images
• Local Administrator enabled
• Password is common
The Problem: Illustrated
• Machine hack = site hack
• AD is immune
• AD can’t help
(Diagram label: Hacker)
Disable Local Accounts?
• Offline without cached credentials
• Temporary administration
  • Scientists on travel w/ need to install sw.
• Dropped from domain
  • OS Virtualization
• Re-enable via Recovery Console requires physical access.
The Options:
• Disable all local accounts
  • Best option
  • Not feasible in most environments
• Deny “Access This Computer From The Network”
  • Force physical login
  • Kills remote management capability
• Enabled accounts with common static passwords
  • Most typical
  • Most dangerous
• Other options
  • Commercial solutions (expensive)
Strong Local Admin Manager (SLAM)
Dynamic/Unique Passwords
Centralized Recovery
No Centralized Password Storage
No Specialized Authorization
No Dedicated Infrastructure*
Dynamic/Unique Passwords
How it works:
• Unique Computer AD Attribute: Computer Last Password Change Date + GUID
• Master Key: crypto-random 256 bits, RSA 1024 bit encrypted
• SHA-256 HMAC of the attribute under the Master Key produces a Strong Unique Value
• The Strong Unique Value becomes the Local Administrator Password
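The derivation described on this slide, and the recovery path on the following slides, as an added example that is not SLAM's own code. The master key, computer GUIDs and change dates are constructed for the demonstration, and mapping the 256-bit HMAC output to password characters via base64 is an assumption (the slides do not say how that is done).

```python
import base64
import hashlib
import hmac
from datetime import date

# Constructed 256-bit master key for this demonstration only; a deployment would
# draw it from a CSPRNG (secrets.token_bytes(32)) and keep it encrypted at rest,
# as the slide's "RSA 1024 bit encrypted" master key is.
MASTER_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "ffeeddccbbaa99887766554433221100"
)

# Constructed stand-in for the computer objects the web service reads from AD:
# name -> (objectGUID, date the computer account password last changed).
DIRECTORY = {
    "WS-001": ("7f3a2c1e-0b4d-4a6f-9c2e-111122223333", date(2009, 3, 1)),
    "WS-002": ("9a8b7c6d-5e4f-4a3b-8c9d-444455556666", date(2009, 3, 1)),
}


def derive_admin_password(master_key: bytes, computer_guid: str,
                          pwd_last_set: date, length: int = 20) -> str:
    """Local Administrator password = HMAC-SHA256(master key,
    last-password-change date + GUID).

    The keyed hash makes the value unique per computer, rotates it whenever
    the computer account password changes, and makes it impossible to
    recompute without the master key. The base64 encoding and 20-character
    truncation are assumptions of this example, not SLAM's format."""
    message = f"{pwd_last_set.isoformat()}|{computer_guid}".encode("utf-8")
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def recover_password(computer_name: str, directory=DIRECTORY) -> str:
    """What the recovery web service does: nothing is looked up from a
    password store. Only the master key and the computer's stored change
    date and GUID are needed, and the password is recomputed on demand."""
    guid, pwd_last_set = directory[computer_name]
    return derive_admin_password(MASTER_KEY, guid, pwd_last_set)
```

Because the same inputs always give the same output, the daily client and the recovery service agree on the password without ever exchanging or storing it.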
Centralized Recovery
How it works:
• OU Administrator uses AD Users & Computers (ADUC)
• Custom Context Menu Option for SLAM Recovery
• ADUC connects to Web Service & returns password
No Centralized Password Storage
How it works:
• Passwords are NOT random
• Passwords are calculated
• Only the master hashing key & computer password change dates are stored
No Specialized Authorization
How it works:
• SLAM Recovery leverages existing authorization in AD
• Permissions Required: Full Control of computer object
SLAM Infrastructure
SLAM Client
• Small .NET app
• Daily process
• Requests new Local Admin Pwd
• Creates local account if needed
Web Service (inputs: Computer Password Change Date, Master Key)
• Checks for recently expired Computer pwd
• Checks for recently recovered Admin pwd
• Validates Authorization
• Calculates and returns password
AD OU Administrator (ADUC)
• Copy to clipboard
• Historical passwords
• Print
Both the SLAM Client and ADUC talk to the Web Service over SSL.
SLAM Rollout @ LLNL
• Developed in April 2008 by David Frye and Joe Taitt
• Started deployment in June 2008
• Became mandated in 2009 for all unclassified Windows computers (except DCs)
• ~9,000 Total SLAM Clients
• ~200 Password Recoveries per Month
SLAM Next Steps
• SLAM Client for Mac (Daniel Hoit)
  • Client is developed & currently in test
• Remove/Disable non-SLAM local accounts
  • Necessary next step to gain full benefit
  • Need exception policies and procedures
  • Need to be careful
Questions on SLAM?