Lawrence Livermore National Laboratory
A system for strong local account management.
SLAM
David Frye
Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551
This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
The Subject: Local Accounts
• All computers have a local account database
• Allows people or code to authenticate locally
• Enables access to resources locally
• At least 1 administrator (full permissions)
• Maintained independently
  • No linkage to Active Directory
  • No centralized management
UCRL: LLNL-PRES-413302
The Problem: Common Passwords
• Admin password typically set at build time
• Typically the same on all machines (imaging)
• Password is seldom, if ever, changed
• Often neglected when joined to the Domain
The Problem: Illustrated
• Typical AD Environment
• Machines built from images
• Local Administrator enabled
• Password is common
The Problem: Illustrated
• Machine hack = site hack
• AD is immune
• AD can’t help
Diagram label: Hacker
Disable Local Accounts?
• Offline without cached credentials
• Temporary administration
  • Scientists on travel w/ need to install sw.
• Dropped from domain
  • OS Virtualization
• Re-enable via Recovery Console requires physical access.
The Options:
• Disable all local accounts
  • Best option
  • Not feasible in most environments
• Deny “Access This Computer From The Network”
  • Force physical login
  • Kills remote management capability
• Enabled accounts with common static passwords
  • Most typical
  • Most dangerous
• Other options
  • Commercial solutions (expensive)
Strong Local Admin Manager (SLAM)
• Dynamic/Unique Passwords
• Centralized Recovery
• No Centralized Password Storage
• No Specialized Authorization
• No Dedicated Infrastructure*
Dynamic/Unique Passwords
How it works:
• Unique computer AD attribute: Computer Last Password Change Date + GUID
• Master Key: Crypto-Random 256 bits, RSA 1024 bit encrypted
• SHA-256 HMAC of the attribute under the Master Key produces a Strong Unique Value
• The Strong Unique Value becomes the Local Administrator Password
Centralized Recovery
How it works:
• OU Administrator uses AD Users & Computers (ADUC)
• Custom Context Menu Option for SLAM Recovery
• ADUC connects to Web Service & returns password
No Centralized Password Storage
How it works:
• Passwords are NOT random
• Passwords are calculated
• Only the master hashing key & computer password change dates are stored
No Specialized Authorization
How it works:
• SLAM Recovery leverages existing authorization in AD
• Permissions Required: Full Control of computer object
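As an added example (not SLAM's own code), the password calculation and recovery path from the two preceding slides modelled in Python: the HMAC-SHA256 of a computer's last password change date and objectGUID under a 256-bit master key is the local Administrator password, and the recovery service recomputes it from nothing more than the master key and the stored change date. The message layout, Base64 encoding, 20-character truncation and the boolean authorization check are assumptions; the RSA protection of the master key at rest is not shown.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key. A real deployment generates the key once with
# generate_master_key() and stores it protected (the deck: RSA encrypted).
DEMO_MASTER_KEY = bytes(range(32))


def generate_master_key() -> bytes:
    """256-bit crypto-random master hashing key, generated once site-wide."""
    return secrets.token_bytes(32)


def derive_local_admin_password(master_key: bytes, computer_guid: str,
                                pwd_change_date: str, length: int = 20) -> str:
    """Calculate (never store) the local Administrator password of one computer.

    Message = the computer's last password change date + its AD objectGUID;
    tag = HMAC-SHA256 under the master key. A new change date therefore yields
    a brand-new password, and two computers never share one.
    """
    message = f"{pwd_change_date}|{computer_guid}".encode("utf-8")
    tag = hmac.new(master_key, message, hashlib.sha256).digest()
    # Base64 makes the 256-bit tag printable; the truncation length is an
    # assumption standing in for whatever password policy applies.
    return base64.b64encode(tag).decode("ascii")[:length]


class RecoveryService:
    """Stand-in for the SLAM web service: holds only the master key and each
    computer's last password change date, and calculates on demand."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._change_dates = {}  # objectGUID -> last password change date

    def record_rotation(self, computer_guid: str, change_date: str) -> None:
        """Called by the daily client after it sets a new local admin password."""
        self._change_dates[computer_guid] = change_date

    def recover(self, computer_guid: str, caller_has_full_control: bool) -> str:
        """Recompute the password for an OU administrator using ADUC.

        Authorization comes from AD (Full Control of the computer object);
        here it is reduced to a boolean the caller supplies.
        """
        if not caller_has_full_control:
            raise PermissionError("Full Control of the computer object required")
        change_date = self._change_dates[computer_guid]
        return derive_local_admin_password(self._master_key, computer_guid, change_date)
```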
SLAM Infrastructure
SLAM Client
• Small .NET app
• Daily process
• Requests new Local Admin Pwd
• Creates local account if needed
Web Service (reached over SSL by both the SLAM Client and ADUC)
• Inputs: Computer Password Change Date, Master Key
• Checks for recently expired Computer pwd
• Checks for recently recovered Admin pwd
• Validates Authorization
• Calculates and returns password
AD OU Administrator (ADUC)
• Copy to clipboard
• Historical passwords
• Print
SLAM Rollout @ LLNL
• Developed in April 2008 by David Frye and Joe Taitt
• Started deployment in June 2008
• Became mandated in 2009 for all unclassified Windows computers (except DCs)
• ~9,000 Total SLAM Clients
• ~200 Password Recoveries per Month
SLAM Next Steps
• SLAM Client for Mac (Daniel Hoit)
  • Client is developed & currently in test
• Remove/Disable non-SLAM local accounts
  • Necessary next step to gain full benefit
  • Need exception policies and procedures
  • Need to be careful
Questions on SLAM?