In this presentation from his webinar, Derek A. Smith, Founder of the National Cybersecurity Education Center, delves into the strategies and techniques attackers use to gain privileged access to systems, and how you can stop them. This presentation covers:
- Privileged Windows accounts
- The importance of managing privileged access in Windows
- How attackers compromise Windows Privileged Accounts
- Challenges PAM can help solve in your Windows environment
- 10 Steps to better Windows privileged access management
You can also watch the full webinar on-demand here: https://www.beyondtrust.com/resources/webinar/10-steps-better-windows-privileged-access-management/
3. WHAT IS PRIVILEGED ACCESS MANAGEMENT?
• In this presentation we will cover the best practices of Windows privileged access management (PAM).
• Privileged access management is the creation and enforcement of controls over users, systems and accounts that have elevated or “privileged” entitlements; examples are admin or root accounts and application accounts.
• Many public breaches are due to the compromise of privileged accounts. External hackers and insider threats seek out and exploit shared or privileged accounts because of the entitlements they hold as “keys to the kingdom.”
• Privileged access management technologies focus on providing granular authorization of users to systems and accounts, auditing and recording access attempts, and vaulting and rotating the privileged account’s credentials, whether passwords or key/token-based authentication.
4. WHAT ARE PRIVILEGED WINDOWS ACCOUNTS
• Microsoft Windows privileged accounts include admin accounts, Active Directory service accounts, and domain admin accounts.
• “Privileged” accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
• Windows admin accounts are highly targeted due to their broad access and privileges, giving rise to insider threats and advanced persistent threats (APTs) on Windows Servers.
• Additionally, regulatory frameworks require audits of users who have access to sensitive information and of how their account privileges are used.
5. WHAT ARE PRIVILEGED WINDOWS ACCOUNTS CONT.
• In an organization, there are different types of Windows privileged accounts, categorized by the task they perform:
– administrative accounts (have access to all standard privileged processes);
– system accounts (are integrated into applications or systems, e.g. Windows or Linux);
– operational accounts (include shared accounts for software administration or installation, and service accounts for remote access to systems).
• Companies should be aware of possible outsider and insider attacks on these accounts and strive to improve control measures for users with privileged access permissions.
6. 8 DIFFERENT METHODS TO IDENTIFY WINDOWS PRIVILEGED USERS
7. 1. MEMBERS OF PRIVILEGED GROUPS
• Active Directory has built-in privileged groups for privileged accounts; this is an obvious place to start. These groups are “Administrators”, “Domain Admins”, “Enterprise Admins”, “Schema Admins”, “DnsAdmins” and “Group Policy Creator Owners”. Other places to look are Local Administrator groups on client systems.
• A few of the built-in privileged groups are located in the “Built-in” container, while others are in the “Users” container. The “DS Restore Mode Administrator” privileged account is not stored in Active Directory.
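An added example, not part of the webinar deck, of the check this slide describes: it expands the named built-in groups (including nested membership), cross-checks them against accounts still carrying adminCount=1, and then lists local Administrators on client systems. It assumes the RSAT ActiveDirectory module on a domain-joined session; the hostnames in $hosts are a constructed placeholder.

```powershell
# Added example (not from the deck): who is in the privileged groups named on slide 7?
# Assumes the RSAT ActiveDirectory module and a domain-joined PowerShell session.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'DnsAdmins', 'Group Policy Creator Owners'
)

$members = foreach ($group in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain; skip if absent.
    $g = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
    if (-not $g) { continue }
    # -Recursive flattens nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        ForEach-Object {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $_.SamAccountName
                ObjectClass    = $_.objectClass
            }
        }
}

$members | Sort-Object SamAccountName, Group | Format-Table -AutoSize

# Accounts with adminCount=1 (set by AdminSDHolder protection) that are no longer in any
# privileged group keep a protected ACL; they are a common leftover worth reviewing too.
$current = $members.SamAccountName | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $current } |
    Select-Object SamAccountName, DistinguishedName

# The slide also points at local Administrators groups on client systems.
# $hosts is a constructed list; replace it with your own inventory.
$hosts = @('WS01', 'WS02')
Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n = 'Host'; e = { $env:COMPUTERNAME }}, Name, PrincipalSource
} | Format-Table -AutoSize
```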
9. 2. PRIVILEGES TO ADMINISTER ORGANIZATIONAL UNITS
• Permissions on parent OUs flow down to child organizational units, groups, users and other objects. So, if a user has been given full control on an organizational unit, that user has privileges equal to an administrator’s. For example, if User1 is given “Full Control” on “Users” (a default Organizational Unit), then User1 has more privileges than a Domain Administrator.
• If “Everyone” has full control on the root “Built-in” container, it means that every user in your IT infrastructure has domain administrative privileges.
10. In this image, user “Test2” and “Everyone” have full control on the “Users” organizational unit, a default container. Similarly, you can check permissions on all organizational units and prepare a list of users who have delegated permissions on
11. 3. LOCAL ADMIN OR OTHER USERS WITH PRIVILEGES ASSIGNED FROM GPO
• Some accounts receive administrative privileges without holding them directly in Active Directory. If a user has access to the Local Administrator account of a Domain Controller, then that user has rights equivalent to a Domain Administrator.
• Outside Active Directory, there can be users who have been given admin-like privileges through Group Policy Objects. Any privileged user or administrator can modify “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Local Policies” > “User Rights Assignment” to grant administrative privileges to other users.
• There are third-party PowerShell scripts available that can give you a list of users with their rights. Use a script only from a trusted source.
13. 4. USERS WHO HAVE PASSWORD RESET AUTHORITY OVER OTHER USERS
• Another type of privileged user is one that has authority to reset other users’ passwords. There are some applications that let a user delegate password resets to another user. If the password reset permission is delegated through Active Directory, you have to browse the permissions of a user account to check which other users have the permission to reset its password.
14. In this image, “User2” has the “Reset Password” permission on “User1”. It means “User2” can reset “User1”’s password.
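An added example, not from the deck, that covers both ACL checks described on slides 9 and 13: it walks every OU and container looking for Full Control (GenericAll) granted to principals outside an expected list (so an “Everyone” grant like the one pictured is flagged), and walks user objects looking for the “Reset Password” extended right delegated to anyone else. It assumes the RSAT ActiveDirectory module, which provides the AD: drive; the $expected list is a constructed starting point to tune.

```powershell
# Added example (not from the deck): find delegated Full Control on OUs/containers (slide 9)
# and delegated "Reset Password" rights on user objects (slide 13) in Active Directory.
# Assumes the RSAT ActiveDirectory module; Get-Acl works against the AD: PSDrive it provides.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password ("Reset Password") extended right.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Principals whose grants are expected and therefore not reported (constructed list; adjust).
$expected = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-PrincipalName([System.Security.Principal.IdentityReference]$Id) {
    # Strip "DOMAIN\" or "NT AUTHORITY\" so the name can be compared with $expected.
    $Id.Value -replace '^.*\\', ''
}

function Get-DelegatedFullControl {
    # Every OU and container, with each Allow ACE granting GenericAll to an unexpected principal.
    Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
                    (Get-PrincipalName $_.IdentityReference) -notin $expected
                } |
                Select-Object @{n = 'Object'; e = { $dn }},
                              @{n = 'Principal'; e = { $_.IdentityReference.Value }},
                              IsInherited
        }
}

function Get-ResetPasswordDelegation {
    # User objects on which an unexpected principal holds the Reset Password extended right.
    # An ExtendedRight ACE with an empty ObjectType grants ALL extended rights, so match it too.
    Get-ADUser -Filter * |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                    ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [guid]::Empty) -and
                    (Get-PrincipalName $_.IdentityReference) -notin $expected
                } |
                Select-Object @{n = 'Target'; e = { $dn }},
                              @{n = 'Principal'; e = { $_.IdentityReference.Value }},
                              IsInherited
        }
}

# "Everyone" with Full Control on the Users container, as on slide 10, appears as Principal 'Everyone'.
Get-DelegatedFullControl    | Format-Table -AutoSize
Get-ResetPasswordDelegation | Format-Table -AutoSize
```

Inherited ACEs are reported with IsInherited set, so a single grant high in the tree that cascades into many child objects can be traced back to the one place it was set.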
15. 5. USERS WHO HAVE KNOWLEDGE OF ANY PRIVILEGED SERVICE ACCOUNT
• Privileged service accounts, including those used for Exchange Server, SQL Server and for creating backups, have some level of elevated privileges on the computers on which those accounts are used.
• So, if someone has knowledge of a privileged account’s credentials, that service account can be used maliciously.
• Domain controllers are at even greater risk, as an unauthorized user can get administrative access to a domain.
• To know if someone is misusing a service account, you will have to audit the logons of each service account.
16. 6. USERS WITH WRITE ACCESS TO GPOS APPLIED TO IMPORTANT COMPUTERS
• Specific group policies can be created for any computer in the network.
• Such computer-related Group Policy Objects are crucial only for the domain controllers and for those computers that host server applications with domain-privileged access.
• If a user has privileges to write to such important GPOs, then that user account is also a privileged user.
17. In this image, “User1” has “Edit settings, delete, modify security” rights and “User2” has “Edit settings” rights.
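An added example, not from the deck, that covers both GPO checks: for every GPO it reports who holds edit rights (the permissions pictured on slide 17, from slide 16) and which User Rights Assignment entries the GPO sets (the privileges discussed on slide 11), so accounts that gain privileges through Group Policy can be listed without a third-party script. It assumes the RSAT GroupPolicy module; the $sensitiveRights list is a constructed selection to adjust.

```powershell
# Added example (not from the deck): audit GPO editors (slide 16) and the user rights each GPO
# assigns (slide 11). Assumes the RSAT GroupPolicy module on a domain-joined machine.
Import-Module GroupPolicy

# User rights that amount to administrative control of any computer receiving the GPO (constructed list).
$sensitiveRights = @(
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeImpersonatePrivilege',
    'SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight'
)

function Get-GpoEditors {
    param($Gpo)
    # Get-GPPermission -All lists every trustee; keep those who can change the GPO.
    Get-GPPermission -Guid $Gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $Gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}

function Get-GpoUserRights {
    param($Gpo)
    # The XML report nests <UserRightsAssignment><Name>SeXxx</Name><Member><Name>who</Name>...
    # Element namespaces vary per extension, so match on local-name() instead.
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
        foreach ($m in $ura.SelectNodes("*[local-name()='Member']")) {
            [pscustomobject]@{
                GPO       = $Gpo.DisplayName
                Right     = $right
                Member    = $m.SelectSingleNode("*[local-name()='Name']").InnerText
                Sensitive = $right -in $sensitiveRights
            }
        }
    }
}

$gpos = Get-GPO -All

# Slide 16: anyone listed here can change what the GPO does on every computer it links to.
$gpos | ForEach-Object { Get-GpoEditors -Gpo $_ } | Sort-Object GPO, Trustee | Format-Table -AutoSize

# Slide 11: rights assigned by policy, narrowed to the ones that confer admin-level control.
$gpos | ForEach-Object { Get-GpoUserRights -Gpo $_ } |
    Where-Object Sensitive | Sort-Object GPO, Right | Format-Table -AutoSize
```

Cross-reference the Member column with the privileged group list from slide 7: a member appearing here but in none of those groups is exactly the kind of GPO-granted privilege the slide warns about.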
18. 7. USERS WHO HAVE ACCESS TO ACTIVE DIRECTORY MANAGEMENT APPLICATIONS
• Many organizations use third-party Active Directory management solutions to simplify and improve management tasks. These solutions either use a service or proxy account with privileged access to manage Active Directory, or use accounts that are granted elevated privileges by some other means (such as membership in a built-in privileged group or OU-based permissions).
• Depending on the level of delegation, gaining control over an account like this is just as good as being a Domain Admin.
• To find out who has access to such accounts, you will have to list all relevant applications in the network, then identify all service or proxy accounts with privileged access that these applications are using. You can enable the “Audit Directory Service Access” group policy to monitor what these accounts are doing.
• As far as misuse of the Active Directory management solution itself is concerned, you will have to ensure that it has a built-in audit trail to monitor inappropriate use.
19. 8. USERS WHO HAVE ADMIN LEVEL ACCESS TO VIRTUAL INFRASTRUCTURE
• Users who manage virtual environments that host domain controllers or member servers have the same privileges as those with administrative access to desktops. For example, if you are managing Hyper-V, members of the Hyper-V Administrators local group have administrator-level access on the host operating system.
• You should identify which accounts have privileged access to your virtual infrastructure, either by checking Local Admin groups on a given domain controller/server or by looking for privileged access within the virtual environment itself.
20. • Knowing who the privileged users in your IT environment are is the first step towards securing your company’s network from privileged abuse. By regularly assessing the current state of Active Directory’s user rights, permissions and delegations, you can mitigate the risk of privileged abuse.
21. WINDOWS ACCOUNTS SECURITY CHALLENGES
22. WHAT’S THE CHALLENGE?
• Microsoft Windows privileged accounts, including admin accounts, Active Directory service accounts, and domain admin accounts, are prime targets for outside hackers and malicious insiders seeking to escalate privileges once endpoints are compromised.
23. PRIVILEGED ACCESS CONTINUES TO FACE THREE PRIMARY CHALLENGES:
1. Privileged accounts have the permissions and entitlements that, in the wrong hands, allow an attacker to access and steal sensitive data. But organizations have struggled to control access because, historically, these accounts and their passwords are shared across multiple individuals.
2. Privileged accounts are often over-granted entitlements to perform key activities like configuring, operating or maintaining the underlying systems, so removing or blocking access to these accounts is not a feasible option. Emerging best practices now advocate separating these into a more granular set of capabilities.
3. To validate the effectiveness and worth of restraining access, many organizations need to first discover what privileged accounts are in their environment and then implement a solution that satisfies audit, security and compliance concerns without disrupting operational efficiency.
25. THE IMPORTANCE OF MANAGING PRIVILEGED ACCESS IN WINDOWS
• Undiscovered and unprotected Windows privileged accounts and vulnerable endpoints are everywhere on servers and desktops throughout organizations worldwide. They represent one of the most significant attack surface vulnerabilities of IT systems.
• Privileged user accounts have unrestricted access to all critical servers, applications and databases in an organization. They also have the permissions to add, remove or manage user profiles. With this in mind, it’s easy to see how such accounts can be misused.
• Privileged accounts are those which are assigned comparatively more permissions than a normal user account. To address any potential issues with security, a systematic method is required to identify users with excessive privileges.
• The best way to create a list of privileged users is by going through Active Directory Users and Computers and the Group Policy Management Console.
26. THE RISK OF WINDOWS LOCAL ADMINISTRATOR ACCOUNTS
• Windows local admin accounts are a security problem for every organization because one set of login credentials is typically used by many IT administrators.
• This can make it difficult or even impossible to implement an identity access management policy, because organizations cannot track who is gaining access to what network equipment at any given time. These accounts are everywhere: Windows workstations, servers, and even your laptop fleet.
• An attacker, or even a local malicious user, browsing around on a workstation they have administrator access to might be able to recover the local administrator password (from the local SAM database, using password-dumping tools such as mimikatz or impacket).
• This, of course, is a major security issue.
27. ACTIVE DIRECTORY DOMAIN ADMIN ACCOUNTS VULNERABLE TO ATTACKS
• Windows server administrators need to use domain admin (DA) accounts to perform standard administrative tasks.
• Ideally, AD domain admin accounts should only be used when privilege is required (admins should not run as a domain admin for their regular AD account), and each should only be used by a single administrator, for accountability.
28. ACTIVE DIRECTORY DOMAIN ADMIN ACCOUNTS VULNERABLE TO ATTACKS CONT.
• Also, these accounts are highly susceptible to Pass-the-Hash attacks because their passwords are not frequently changed. This gives attackers domain admin access across the network.
• A Pass-the-Hash attack is one where an attacker captures the hash of a user’s password and uses it to authenticate instead of the plain text password. It allows an attacker to impersonate another user, typically a privileged account. This type of attack can affect ANY network using Windows machines. For the attacker, the advantage of obtaining the hash rather than the password is that it can be used without a brute-force attack, which is less reliable and takes far longer.
• To protect these accounts, privilege management is very important. Access should be controlled and audited, and passwords must be changed frequently to prevent Pass-the-Hash attacks, ideally after each use of the account.
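An added example, not from the deck, serving two audits the deck calls for: the per-service-account logon audit from slide 15, and a first-pass check for the logon shape a reused hash leaves behind (this slide). It reads Security event 4624 on a domain controller (or a collector holding forwarded DC logs) with logon auditing enabled; the account names in $serviceAccounts and $domainAdmins are constructed placeholders.

```powershell
# Added example (not from the deck): where do watched accounts log on from (slide 15), and are any
# domain admin accounts authenticating with NTLM over the network (slide 28)?
# Assumes a domain controller's Security log with logon auditing enabled. Constructed account lists:
$serviceAccounts = @('svc-sql', 'svc-backup', 'svc-exchange')
$domainAdmins    = @('da-alice', 'da-bob')
$since           = (Get-Date).AddDays(-1)

function Get-WatchedLogons {
    param([string[]]$Accounts, [datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event fields are easiest to read from the XML form, keyed by each Data node's Name attribute.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -in $Accounts) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $d.TargetUserName
                    LogonType   = [int]$d.LogonType          # 2 interactive, 3 network, 5 service, 10 RDP
                    AuthPackage = $d.AuthenticationPackageName # Kerberos, NTLM or Negotiate
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                }
            }
        }
}

$logons = Get-WatchedLogons -Accounts ($serviceAccounts + $domainAdmins) -StartTime $since

# Slide 15: one row per account / logon type / source, so an unexpected origin stands out.
$logons | Group-Object Account, LogonType, Source |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

# Slide 28: domain-joined admins should be authenticating with Kerberos. A network logon (type 3)
# by a DA account using NTLM is the shape a reused hash produces and warrants triage; confirm the
# source before acting, since legacy applications can also fall back to NTLM.
$logons |
    Where-Object { $_.Account -in $domainAdmins -and $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' } |
    Sort-Object Time | Format-Table -AutoSize
```

Pair the second report with the password-rotation advice above: a DA hash that was rotated after each use stops being reusable, and any NTLM logon that still appears afterwards is a much stronger signal.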
29. HOW ATTACKERS COMPROMISE WINDOWS PRIVILEGED ACCOUNTS
• In many cases, user credentials are stolen via phishing campaigns. Oftentimes, the attacks are highly sophisticated and highly targeted. Individual users are selected and a campaign is developed to fool them into visiting a malicious website and downloading malware or opening an infected email attachment.
• Information about the target is obtained via social media networks such as Facebook, Twitter, or LinkedIn. Their contacts are identified, and a phishing email is either sent from a hacked colleague’s account or is masked to make it appear that it has been sent from a trusted individual.
• All too often a sophisticated attack is not necessary. If malware can be installed on just one single computer, shared-privilege accounts can be used to gain access to a wide range of systems.
31. WHAT PROBLEMS PAM CAN HELP SOLVE IN YOUR WINDOWS ENVIRONMENT
• Protecting against the hacking of privileged accounts is difficult. It is not possible to eliminate privileged accounts, as they are essential to the functioning of the business. Since these accounts cannot be eliminated, efforts must be made to make them more secure. Unfortunately, the management of privileged accounts is complicated and is difficult to automate.
• A survey recently conducted by Dimensional Research/Dell highlights the extent of the current problem. 560 IT professionals were asked about privileged access management, and 41% revealed that they did not use any software at all or relied on Excel or other spreadsheet software packages to manage their accounts.
• Fewer than half of respondents did not log or monitor privileged account access. 23% did not have a defined account management process. 28% did not have a defined process for changing default passwords on new equipment and software. Passwords were also found not to be changed frequently: only a quarter of organizations changed admin passwords every month.
32. WHAT PROBLEMS PAM CAN HELP SOLVE IN YOUR WINDOWS ENVIRONMENT CONT.
• A real concern for enterprises today is resource access within an Active Directory environment. Particularly troubling are:
– Vulnerabilities.
– Unauthorized privilege escalations.
– Pass-the-hash.
– Pass-the-ticket.
– Spear phishing.
– Kerberos compromises.
– Other attacks.
• Today, it’s too easy for attackers to obtain Domain Admins account credentials, and it’s too hard to discover these attacks after the fact. The goal of PAM is to reduce opportunities for malicious users to get access, while increasing your control and awareness of the environment.
• PAM makes it harder for attackers to penetrate a network and obtain privileged account access.
– PAM adds protection to privileged groups that control access across a range of domain-joined computers and the applications on those computers.
– It also adds more monitoring, more visibility, and more fine-grained controls. This allows organizations to see who their privileged administrators are and what they are doing.
– PAM gives organizations more insight into how administrative accounts are used in the environment.
33. 2 KEY GOALS
• Lock down your Windows applications and endpoints
– Organizations today need to lock down desktops for better security, stability, and lower management costs. That means removing IT admin privileges available to business users to lower risk, and limiting privileges for IT admins to improve security.
• Stop endpoint exploits such as malware and ransomware across your Windows environments
– Provide comprehensive endpoint privilege management and security solutions.
– Assure least-privilege application control.
– Enable administrative user group management.
– Deliver security compliance remediation.
34. 10 STEPS TO BETTER WINDOWS PRIVILEGED ACCESS MANAGEMENT
• Step #1: Make a List of All Windows Privileged Access Accounts
• Step #2: Don’t Share Passwords for Shared Accounts
• Step #3: Use as Few Privileged Accounts as Possible
• Step #4: Minimize the Number of Rights for Each Privileged Account
• Step #5: Manage Passwords Properly
• Step #6: Separate Privileges for Specific Tasks
• Step #7: Practice Privilege Elevation Instead of Assigning Superuser Privileges
• Step #8: Use One-Time Passwords
• Step #9: Use Two-Factor Authentication
• Step #10: Record Privileged User Sessions
37. Windows Management Challenges
➢ Too Many Administrators
➢ Breach Prevention
➢ High Compliance Costs
➢ Privilege Abuse
➢ User Productivity
How do you deal with removing user rights without obstructing productivity or overburdening the Help Desk?
38. Windows Management Challenges
➢ Organizations increasingly recognize that properly securing and controlling privileged credentials ranks as one of the best lines of defense against attacks from external hackers as well as from insiders.
➢ For optimal results, privilege management solutions should protect organizations at all stages of the cyber kill chain by implementing comprehensive layers of control, audit and analysis.
39. PowerBroker for Windows (BeyondTrust)
Challenges:
➢ Too Many Administrators
➢ Breach Prevention
➢ High Compliance Costs
➢ Privilege Abuse
➢ User Productivity
Benefits:
➢ Limit Exposure
➢ Minimize Impact
➢ Reduce Costs
➢ Limit Exposure
➢ Lower TCO
1. Reduce the attack surface by limiting the use of privileged accounts and by controlling access to shared privileged accounts across the enterprise
2. Monitor privileged user, session, and file activities for unauthorized access and/or changes to key files and directories
3. Analyze asset and user behavior to detect suspicious and/or malicious activities of insiders and/or compromised accounts
➢ Reduce the Attack Surface
➢ Detect & Respond to Events
➢ Automate Compliance
➢ Ensure Appropriate Use
➢ Enhance User Productivity
40. PowerBroker for Windows
Security Layer / Challenge / Benefit:
Fine Grained Access Enforcement
  Challenge: ➢ Least Privilege Adoption ➢ Removing administrator access without impacting productivity
  Benefit: ✓ Helps organizations realize the benefits of least privilege faster and with less complexity ✓ Elevate privileges to applications, not users, on an as-needed basis without exposing passwords ✓ Enforce least-privilege access based on an application’s known vulnerabilities ✓ Track and control applications with known vulnerabilities or malware to further protect endpoints
Session Recording
  Challenge: ➢ Cost of Compliance ➢ Ensuring appropriate use of privileges
  Benefit: ✓ Gain visibility through detailed event logs and session recording capabilities, and control through automated, secure logging with searchable playback ✓ Satisfy compliance/internal security standards through automated gathering of necessary data
Remote Host Execution
  Benefit: ✓ Enhance user productivity
User Behavior Monitoring
  Challenge: ➢ Ensuring appropriate use and detecting compromised account activity
  Benefit: ✓ Gain unmatched visibility into privileged user activity with centralized analytics and reporting
Child Process Monitoring & Control
  Challenge: ➢ Back door access
  Benefit: ✓ Close back door access
File Integrity Monitoring
  Benefit: ✓ Protect critical files from malware & privilege misuse
Dynamic Threat Based Access & Audit
  Benefit: ✓ Dynamically adjust access policies based on asset and user risk
Active Threat Response Gateway
  Benefit: ✓ Immediately respond to events by reducing or quarantining access
41. THE POWERBROKER PRIVILEGED ACCESS MANAGEMENT PLATFORM
Endpoint Privilege Management: remove excessive user privileges and control applications on endpoints (WINDOWS | MAC)
Enterprise Password Security: provide accountability and control over privileged credentials and sessions (APPS | DATABASES | DEVICES | SSH KEYS | CLOUD | VIRTUAL)
Server Privilege Management: control, audit and simplify access for DevOps and business-critical systems (UNIX | LINUX | WINDOWS)
BeyondInsight: Asset & Account Discovery; Threat & Vulnerability Intelligence & Behavioral Analytics; Reporting & Connectors; Policy & Action Response