DEPLOYING PRIVILEGED ACCESS
WORKSTATIONS (PAWS)
AS PART OF A STRATEGY TO LIMIT
CREDENTIAL THEFT AND LATERAL MOVEMENT
C:\>whoami
•Proud DSU grad - 2009
•Competed in 1st NCCCDC at DSU
•Long-time Dakotacon Attendee
C:\>whoami
•@blueteamer
•Financial Sector - 100 employees and 10 locations
•SMB = Lot of hats
•Network admin + Vendor Management + Sysadmin
+ Physical Security + Risk Assessment – wide range
•Love what I do
GOAL OF THIS TALK
•Highlight effective, mostly FREE controls
•Think more clearly about risk
•Embrace “Assume Breach” mindset
ATTN: IT DECISION MAKERS
STOP LOOKING FOR AN EASY BUTTON
HOW TO THINK LIKE AN ATTACKER?
•DSU is a good start
•Learn from Pros - @Twitter is awesome
•Embrace the infosec community
•OffensiveSecurityTraining++
ATTACK SCENARIO #1
•Non security conscious org
•Most users running as local admin
•Attack dumps local creds
•Local admin creds are the same on every PC
•Attacker moves laterally, dumps more creds
•Quick path to Domain Admin
ATTACK SCENARIO #2
•Somewhat security conscious org
•Most users running as standard
•Attacker needs to escalate privileges
•May abuse misconfigs or find creds on network
•Move laterally until escalation success & dump creds
•Rinse/Lather/Repeat until goal achieved
WHY PAWS?
•Scenarios not all encompassing
•Domain Admin may not be end goal
•Attacker tactics revolve around finding/using creds
•Main goal of PAWs – limit this exposure
WINDOWS LOGON TYPES
•Interactive [2]
•Network [3] – No Reusable Credentials
  •Net use
  •SQL Windows Authentication
  •PowerShell Remoting
  •Remote Registry
  •Other MMC Snap-ins
  •WMI / WMIC
•Batch [4]
•Service [5]
•Unlock [7]
•Network Cleartext [8]
•New Credentials [9]
•Remote Interactive [10]
•Cached Interactive [11]
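Added example, not from the talk: detection logic that applies the logon-type table above to Security event 4624 records and flags Tier 0 accounts leaving reusable credentials on lower-tier hosts. The account list, host list and sample events are constructed for illustration.

```powershell
# Added example (not from the slides). Classifies 4624 logons by type and reports
# Tier 0 accounts logging on to hosts outside Tier 0. Sample events are constructed
# inline; the commented block at the end shows how to feed the real Security log.

# Logon types from the slide and whether each normally leaves a reusable credential
# (hash / ticket) in LSASS on the target. Only Network (3) does not.
$LogonTypes = @{
    2  = @{ Name = 'Interactive';       Reusable = $true  }
    3  = @{ Name = 'Network';           Reusable = $false }
    4  = @{ Name = 'Batch';             Reusable = $true  }
    5  = @{ Name = 'Service';           Reusable = $true  }
    7  = @{ Name = 'Unlock';            Reusable = $true  }
    8  = @{ Name = 'NetworkCleartext';  Reusable = $true  }
    9  = @{ Name = 'NewCredentials';    Reusable = $true  }
    10 = @{ Name = 'RemoteInteractive'; Reusable = $true  }
    11 = @{ Name = 'CachedInteractive'; Reusable = $true  }
}

# Assumed tiering data: replace with your Tier 0 group members and the hosts in
# your Admin\Tier 0\Devices OU.
$Tier0Accounts = @('CORP\da-alice', 'CORP\da-bob')
$Tier0Hosts    = @('DC01', 'DC02', 'PAW-T0-01')

# Constructed sample 4624 events; field names mirror the real event's EventData.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2017-03-20 08:01'; Computer = 'DC01';    TargetDomainName = 'CORP'; TargetUserName = 'da-alice';   LogonType = 2  }
    [pscustomobject]@{ TimeCreated = '2017-03-20 08:05'; Computer = 'WKS-042'; TargetDomainName = 'CORP'; TargetUserName = 'da-alice';   LogonType = 10 }
    [pscustomobject]@{ TimeCreated = '2017-03-20 08:07'; Computer = 'FS01';    TargetDomainName = 'CORP'; TargetUserName = 'da-bob';     LogonType = 3  }
    [pscustomobject]@{ TimeCreated = '2017-03-20 08:09'; Computer = 'FS01';    TargetDomainName = 'CORP'; TargetUserName = 'svc-backup'; LogonType = 5  }
    [pscustomobject]@{ TimeCreated = '2017-03-20 08:12'; Computer = 'WKS-017'; TargetDomainName = 'CORP'; TargetUserName = 'da-bob';     LogonType = 9  }
)

function Find-TierViolation {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $account = "$($e.TargetDomainName)\$($e.TargetUserName)"
        $type    = $LogonTypes[[int]$e.LogonType]
        if (-not $type)                             { continue }   # type not in the table
        if ($Tier0Accounts -notcontains $account)   { continue }   # not a Tier 0 account
        if ($Tier0Hosts -contains $e.Computer)      { continue }   # Tier 0 on Tier 0: allowed
        # A network logon breaks the tier rule but leaves nothing to steal; every
        # other type puts a reusable Tier 0 credential on a lower-tier host.
        $severity = if ($type.Reusable) { 'HIGH - reusable credential exposed' } else { 'LOW - network logon only' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            Host      = $e.Computer
            LogonType = "$($e.LogonType) ($($type.Name))"
            Severity  = $severity
        }
    }
}

Find-TierViolation -Events $SampleEvents | Format-Table -AutoSize

# Against the live Security log (not executed here), convert each record to the
# same shape:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; Computer = ($x.Event.System.Computer -split '\.')[0]
#                        TargetDomainName = $d.TargetDomainName; TargetUserName = $d.TargetUserName; LogonType = $d.LogonType }
# }
# Find-TierViolation -Events $live
```

With the sample data, da-alice's RDP (type 10) to WKS-042 and da-bob's runas /netonly (type 9) on WKS-017 are reported HIGH, and da-bob's SMB (type 3) to FS01 is reported LOW.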
LOCAL SAM DATABASE
ACTIVE DIRECTORY DATABASE
•AKA – NTDS.dit
•Credentials for all user accounts in domain
•Read-only DCs by default don’t store privileged creds
LSASS
•Mimikatz and WCE pull creds from here
•User logs on – LSASS caches creds for future use
•Can be hashes, Kerberos tickets, or plaintext
LSASS
[Figure: what LSASS holds prior to Windows 8.1, Server 2012 & KB2871997, compared with the changes introduced with Windows 8.1, Server 2012 & KB2871997]
LSA SECRETS
•Data only accessible to SYSTEM process
•Credentials are encrypted and stored on disk
•Scheduled tasks
•Computer Account
•Service Accounts
LSA SECRETS
•Domain cached credentials – aka password verifiers
•Stored in salted hash format
•Can’t be passed in a Pass-the-Hash attack
•Can be dumped and brute forced
CREDENTIAL MANAGER
•Passwords entered manually via Control Panel applet
•Or when user tells Windows to remember password
•Remote Desktop, IE Autocomplete
•Encrypted with key derived from user’s password
•Any program running as that user can access
WINDOWS CREDENTIAL & AUTH ISSUES
•Pass-the-Hash Attacks
•NTLM hashes acquired from memory or SAM
•Can be used to authenticate just as Windows does
WINDOWS CREDENTIAL & AUTH ISSUES
•Auth via NTLM protocols uses challenge/response
•NTLMv1 – completely broken
• Attacker can recover the hash if traffic can be captured on the wire
•NTLMv2 – better but brute force still possible
•Both vulnerable to relay attacks – Use SMB Signing
WINDOWS CREDENTIAL & AUTH ISSUES
•Kerberos – Pass-the-Ticket
•Dumped from one computer and loaded on another
•Tickets can be extended by presenting expired TGT
•Other Issues
• Golden/Silver Tickets, etc.
WINDOWS CREDENTIAL & AUTH ISSUES
•Windows Access Tokens
•Not well known among defenders
•User logs on, system verifies password
•If password OK, access token is created
•Every process this user runs has copy of token
•Stored in memory, enable single sign-on
WINDOWS CREDENTIAL & AUTH ISSUES
•Impersonation Tokens - Non-Interactive Logons
•Can be used to escalate privs, but only good locally
•Delegation Tokens - Interactive Logons
•Attacker can steal more privileged user's token
•Use it on any network accessible system
STEALING WINDOWS ACCESS TOKENS
•Incognito – Tool from Luke Jennings
•Presented at Defcon 15 in 2008
•Whitepaper – Security Implications of Windows Access Tokens – A Penetration Tester’s Guide
https://labs.mwrinfosecurity.com/assets/142/original/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
WINDOWS CRED & AUTH ISSUES
•Cred theft – major issue for a long time
•Roadblocks to overcome
•IT Admins may not understand the risk
•Change is hard; usability > security
•No “patch” for these issues
•Light at the end of the tunnel
INTRODUCING PAWS
•Hardened admin workstations
•Designed to limit credential theft of privileged accounts
•Similar in theory to network segmentation
•Requires grouping systems and users by privilege level
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
ACTIVE DIRECTORY ADMINISTRATIVE TIER MODEL
•Tier 0 – Domain Admin & Domain Controllers
•Tier 1 – Member Server Admins & Member Servers
•Tier 2 – Workstation Admins & Workstations
LOGON RESTRICTIONS
PAW PREREQUISITES
•Remove local admin from as many users as possible
•If necessary, give users multiple accounts and/or segment
•Legacy software may not play well with UAC
•Look for workarounds
•Put pressure on vendors
PAW PREREQUISITES
•Break out separate member server admins, if necessary
•Limit number of Tier 0 admins
•Delegate privileges in AD
•If possible, segment each group of admins
•Ops Server Admins; Dev Server Admins; Network Admins
PHASES OF DEPLOYMENT
•1) Immediate deployment for AD Admins
•2) Extend PAWs to all users with admin rights over mission critical applications
  •Cloud services admins, member server admins
•3) Advanced PAW Security
PAW DEPLOYMENT MODELS
•Dedicated Hardware
•Pros – Strongest security separation
•Cons – Additional desk space, weight, hardware cost
•Simultaneous Use
•Pros – Lower hardware cost, better user experience
•Cons – Single keyboard/mouse can cause unintentional errors
PAW DEPLOYMENT MODELS
•Simultaneous Use
•“User” VM locally on hardened PAW host, or
•VDI, RDP – “User” VMs managed centrally in datacenter, accessed from hardened PAW
DEPLOY PAW ACTIVE DIRECTORY FRAMEWORK
•Create-PAWOUs.ps1
•Create the new OU structure in Active Directory
•Create-PAWGroups.ps1
•Create the new security groups in the appropriate OUs
•Set-PAWOUDelegation.ps1
•Assign permissions to the new OUs to the appropriate groups
NEW OUs
[Diagram: the new OU structure; Tier 0 accounts are users that are members of Domain Admins, Enterprise Admins, or equivalent]
PAW HARDENING - COMPUTER GPOs
•Empty all local groups
•Add PAW Maintenance & Administrator to local admin
•Grant “PAW Users” group local login access
•Block Inbound Network Traffic
•Permit security scanning, patch management, etc.
•Configure WSUS for PAW
PAW HARDENING - USER GPOs
•Block Internet Access for PAW Users
•Allow internal and other necessary browsing
•Restrict Administrators from logging onto lower tier hosts
•Local Policies\User Rights Assignment\Deny log on…
•As a service
•As a batch job
•Locally
PAW GPOS – DENY LOWER TIER LOGON
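Added example, not from the talk: an audit script for a Tier 1 or Tier 2 host that exports the effective user rights and checks that every Tier 0 group appears in the deny-logon rights the GPO above sets. The group names are assumptions; use the groups your Create-PAWGroups.ps1 run created.

```powershell
# Added example (not from the slides). Run elevated on a lower-tier member to
# confirm the "Restrict Administrators from logging onto lower tier hosts" GPO
# actually applied. Group names below are assumed.
$ExpectedDenied = @('CORP\Tier 0 Admins', 'CORP\Domain Admins', 'CORP\Enterprise Admins')

# Privilege constants behind the three "Deny log on" entries on the slide, plus the
# Remote Desktop one (not on the slide, but the same tier rule applies to RDP).
$DenyRights = @{
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Get-DenyLogonAssignments {
    # secedit writes an INF whose [Privilege Rights] section looks like:
    #   SeDenyBatchLogonRight = *S-1-5-21-...-512,CORP\Tier 0 Admins
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    $result = @{}
    foreach ($right in $DenyRights.Keys) {
        $line   = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $values = @()
        if ($line) {
            $values = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                $v = $_.Trim()
                if ($v.StartsWith('*')) {
                    # Principals are stored as *SID; translate to DOMAIN\Name for comparison
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $v }   # unresolvable SID (e.g. no DC reachable): keep raw
                } else { $v }
            }
        }
        $result[$right] = @($values)
    }
    $result
}

function Test-TierDenyLogon {
    $assigned = Get-DenyLogonAssignments
    foreach ($right in $DenyRights.Keys) {
        $missing = $ExpectedDenied | Where-Object { $assigned[$right] -notcontains $_ }
        [pscustomobject]@{
            Right   = $DenyRights[$right]
            Ok      = (-not $missing)
            Missing = ($missing -join ', ')
        }
    }
}

Test-TierDenyLogon | Format-Table -AutoSize
```

A row with Ok = False on a Tier 1 server means a Tier 0 account can still log on there and leave a reusable credential, which is exactly the exposure the tier model is meant to remove.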
PAW SETUP – PHASE 1 (AD ADMINS)
•Acquire & validate installation media and other tools
•Windows 10 Enterprise if possible
•Credential Guard & Device Guard
•Set unique, complex password for local admin
PAW SETUP – PHASE 1 (AD ADMINS)
•Connect PAW to network, join domain
•Move to Admin\Tier 0\Devices
•Install Windows Updates and any necessary admin tools
•Carefully consider risk for each tool installed
•Forward logs to SIEM
•Validate hardening GPOs
RESTRICTED ADMIN MODE
•Controversial RestrictedAdmin mode
•Leaves no reusable credentials
•Enabling it opens up Pass-the-Hash via RDP
•Weigh the Risk vs. Reward
RESTRICTED ADMIN MODE
[Diagram: the trade-off]
•Further limit reusable creds left on systems
•vs.
•Open up systems to Pass-the-Hash via RDP
•Lock down RDP: only trusted hosts
RESTRICTED ADMIN MODE
•RestrictedAdmin Mode
•Off by default; Enable on destination systems with regedit
•Mstsc.exe /RestrictedAdmin
•To Force RestrictedAdmin mode:
•“Restrict delegation of credentials to remote servers” – GPO
•Link to Admin Computer OUs in each tier
•Limitation - Connections made with computer account
REMOTE CREDENTIAL GUARD
•Same regedit as Restricted Admin mode to enable
•Mstsc.exe /remoteGuard
•Remote computer must be running Windows 10 1607 or Windows Server 2016
•Limitation - signed-on credentials only
•Benefit - Allows Multi-hop from the remote desktop
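Added example, not from the talk: the registry and firewall side of the two slides above, so a PAW can only RDP without leaving reusable credentials, and a target only accepts RDP from PAWs. The CredentialsDelegation values are assumed to be what the “Restrict delegation of credentials to remote servers” policy writes; verify against your own GPO before relying on them.

```powershell
# Added example (not from the slides). Target side: accept RestrictedAdmin /
# Remote Credential Guard and scope RDP to PAW addresses. Client (PAW) side: force
# mstsc to refuse sending full credentials. Run elevated.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Enable-RestrictedAdminTarget {
    # The "regedit" on the slide: DisableRestrictedAdmin = 0 lets this host accept
    # mstsc /RestrictedAdmin and mstsc /remoteGuard sessions.
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
}

function Set-ClientCredentialDelegation {
    param([Parameter(Mandatory)][ValidateSet('RestrictedAdmin','RemoteCredentialGuard','Either')][string]$Mode)
    # Assumed type values: 1 = require Restricted Admin, 2 = require Remote
    # Credential Guard, 3 = allow either. Link the equivalent GPO to the admin
    # computer OUs in each tier rather than setting this by hand at scale.
    $type = @{ RestrictedAdmin = 1; RemoteCredentialGuard = 2; Either = 3 }[$Mode]
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministration     -PropertyType DWord -Value 1     -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value $type -Force | Out-Null
}

function Limit-RdpSourceToPaws {
    param([Parameter(Mandatory)][string[]]$PawAddresses)   # assumed PAW subnet, e.g. '10.10.0.0/24'
    # The counterweight to RestrictedAdmin's Pass-the-Hash-over-RDP exposure from
    # the slide: only trusted (PAW) hosts may reach 3389. Scopes the built-in rules.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $PawAddresses
}

function Test-RdpCredentialHygiene {
    $lsa    = Get-ItemProperty -Path $LsaKey    -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $mode = switch ($policy.RestrictedRemoteAdministrationType) {
        1 { 'RestrictedAdmin' } 2 { 'RemoteCredentialGuard' } 3 { 'Either' } default { 'not set' }
    }
    $rdpFrom = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        TargetAcceptsRestrictedAdmin = ($lsa.DisableRestrictedAdmin -eq 0)
        ClientRefusesFullCredentials = ($policy.RestrictedRemoteAdministration -eq 1)
        ClientMode                   = $mode
        RdpAllowedFrom               = ($rdpFrom -join ', ')
    }
}

# On a Tier 1 jump target:  Enable-RestrictedAdminTarget; Limit-RdpSourceToPaws -PawAddresses '10.10.0.0/24'
# On the PAW:               Set-ClientCredentialDelegation -Mode Either
# On either:                Test-RdpCredentialHygiene
```

RdpAllowedFrom reading "Any" on a target that accepts RestrictedAdmin is the risky combination the slide warns about: any host with a hash can now RDP in.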
CREDENTIAL GUARD
•Enable Credential Guard, if possible
•Virtualizes Windows services that manage credentials
•To isolate from running OS and attacker with admin rights
•Requirements:
•Windows 10 Enterprise x64
•Secure Boot Enabled
•TPM & CPU Virtualization ext.
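Added example, not from the talk: a status check for the Credential Guard prerequisites listed above, plus the registry switch to turn it on. The registry values are the documented ones for Windows 10 1607-era builds and are treated here as assumptions to confirm against current Microsoft documentation.

```powershell
# Added example (not from the slides). Reports whether a PAW meets the Credential
# Guard requirements on the slide and whether Credential Guard is actually running.
function Get-CredentialGuardStatus {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Configured, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        Edition                     = $os.Caption
        Is64Bit                     = ($os.OSArchitecture -like '64*')
        SecureBoot                  = [bool]$secureBoot
        TpmPresent                  = ($null -ne $tpm)
        CpuVirtualizationEnabled    = [bool]$cpu.VirtualizationFirmwareEnabled
        VirtualizationBasedSecurity = $vbs
        # SecurityServices* codes: 1 = Credential Guard, 2 = HVCI (Device Guard)
        CredentialGuardConfigured   = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Enable-CredentialGuardRegistry {
    # -UefiLock: once locked, Credential Guard cannot be turned off remotely (a
    # physically present admin must clear the UEFI variable). Assumed acceptable for a PAW.
    param([switch]$UefiLock)
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = Secure Boot
    $flags = if ($UefiLock) { 1 } else { 2 }   # LsaCfgFlags: 1 = on with UEFI lock, 2 = on without lock
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value $flags -Force | Out-Null
    'Reboot required; re-run Get-CredentialGuardStatus afterwards.'
}

$status = Get-CredentialGuardStatus
$status | Format-List
if ($status.Is64Bit -and $status.SecureBoot -and $status.CpuVirtualizationEnabled -and -not $status.CredentialGuardRunning) {
    Write-Host 'Prerequisites met but Credential Guard is not running; consider Enable-CredentialGuardRegistry -UefiLock.'
}
```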
CREDENTIAL GUARD SCREENSHOT
• #1 Motivator to buy Windows 10 Enterprise
PAW SETUP – PHASE 3
•Builds on Phase 1; not dependent on Phase 2
•Multi-factor authentication – Smart cards
•Whitelisting – Device Guard / Applocker
•Protected Users Group
•Authentication Policies and Silos
PAW SETUP – PHASE 3 (MULTI-FACTOR)
•Windows 2FA solutions are a great control, but not a magic bullet
•Limitations:
•Only enforced on interactive logons
•Forcing smart card logon means the account’s NT hash never changes
•Mitigate with a script that toggles “Smart Card Required” to rotate the hash
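Added example, not from the talk: the kind of hash-rotation script the slide refers to. Clearing and re-setting “Smart card is required for interactive logon” makes the DC generate a fresh random NT hash, so a hash stolen earlier stops working. The group name is an assumption; it needs the ActiveDirectory module and rights to modify the accounts.

```powershell
# Added example (not from the slides). Rotates the NT hash of every smart-card-only
# user in a group by toggling SmartcardLogonRequired off and on. Schedule it
# (e.g. daily) so a dumped hash has a short shelf life.
Import-Module ActiveDirectory

function Reset-SmartCardOnlyHash {
    param([Parameter(Mandatory)][string]$GroupName)   # assumed: 'Tier 0 Admins'
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties SmartcardLogonRequired
    foreach ($u in $users) {
        if (-not $u.SmartcardLogonRequired) {
            # Password users keep their chosen password; toggling would randomize it
            # and lock them out, so they are skipped and reported instead.
            Write-Warning "$($u.SamAccountName) is not smart-card only; skipping"
            continue
        }
        # Off then on: the second Set-ADUser makes the DC assign a new random hash.
        # The account is password-capable only for the instant between the two calls.
        Set-ADUser -Identity $u -SmartcardLogonRequired $false
        Set-ADUser -Identity $u -SmartcardLogonRequired $true
        [pscustomobject]@{ User = $u.SamAccountName; HashRotatedAt = Get-Date }
    }
}

Reset-SmartCardOnlyHash -GroupName 'Tier 0 Admins' | Format-Table -AutoSize
```

Rotation invalidates previously dumped hashes but does nothing for tickets already in hand, which is what the Protected Users TGT lifetime on the next slide addresses.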
PAW SETUP – PHASE 3 (PROTECTED USERS)
•Most painless control to implement to limit cred exposure
•Most benefits when running 2012 R2 functional level
•Forces more secure Kerberos; tickets 4 hours instead of 10
•Users must re-authenticate when TGT expires
•Feature/Limitation - No local cached credentials
PAW SETUP – PHASE 3 (AUTH POLICIES & SILOS)
•Pair well with Protected Users group
•Requires 2012 R2 Functional Level
•Control where accounts can log on
•Which services they can authenticate to
•Set TGT settings
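Added example, not from the talk: an authentication policy and silo that pins Tier 0 accounts to Tier 0 hosts with the same 4-hour TGT Protected Users imposes. It requires 2012 R2 domain functional level and the ActiveDirectory module; the silo, policy, account and host names are assumptions for illustration.

```powershell
# Added example (not from the slides). Creates a Tier 0 authentication policy and
# silo, then puts one admin and two Tier 0 hosts in it.
Import-Module ActiveDirectory

$SiloName   = 'Tier0Silo'     # assumed
$PolicyName = 'Tier0-Policy'  # assumed
# Conditional ACE: the user may authenticate only from a device whose
# AuthenticationSilo claim equals our silo. SDDL form as given in Microsoft's
# authentication-policy documentation; confirm it against your DFL before enforcing.
$AllowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))'

function New-Tier0Silo {
    param([string[]]$Users, [string[]]$Computers)
    # Policy first: 240-minute TGT plus the "where can this account log on" rule
    # from the slide. -Enforce makes it block rather than just audit.
    New-ADAuthenticationPolicy -Name $PolicyName -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $AllowedFrom -Enforce | Out-Null
    # Then the silo, applying the policy to users, computers and services in it.
    New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $PolicyName `
        -ComputerAuthenticationPolicy $PolicyName -ServiceAuthenticationPolicy $PolicyName -Enforce | Out-Null
    # Membership is two-sided: grant access on the silo AND assign it on the account.
    foreach ($u in $Users) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $u
        Set-ADUser -Identity $u -AuthenticationPolicySilo $SiloName
    }
    foreach ($c in $Computers) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account "$c$"
        Set-ADComputer -Identity $c -AuthenticationPolicySilo $SiloName
    }
}

function Test-Tier0SiloMembership {
    param([Parameter(Mandatory)][string]$User)
    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members
    $acct = Get-ADUser -Identity $User -Properties AuthenticationPolicySilo
    [pscustomobject]@{
        User           = $User
        GrantedOnSilo  = ($silo.Members -contains $acct.DistinguishedName)
        AssignedOnUser = ($acct.AuthenticationPolicySilo -eq $silo.DistinguishedName)
    }
}

New-Tier0Silo -Users @('da-alice') -Computers @('PAW-T0-01', 'DC01')
Test-Tier0SiloMembership -User 'da-alice'
```

If only one of GrantedOnSilo / AssignedOnUser is True the silo is not in effect for that account, which is the most common misconfiguration with silos.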
LESSONS LEARNED FROM MY DEPLOYMENT
•Windows 10 Enterprise Hyper-V is Awesome
•Dual monitors, audio & mic, copy+paste, separate VLANs
•So many user accounts! The struggle is real
•Dramatic shift in day-to-day work
•Sometimes “User Bill” doesn’t love “Security Bill”
•You can do it! Figure out system that works for you
FURTHER LIMITING EXPOSURE TO CREDENTIAL THEFT AND LATERAL MOVEMENT
•Randomize local admin – Use LAPS or similar
NETWORK SEGMENTATION
[Diagram: three sites (Site1, Site2, Site3) connected over a WAN; each department at each site is its own /24, with ACLs (ACL1 through ACL12) between the segments]
Site1_Legal – 192.168.50.0/24
Site1_Accounting – 192.168.51.0/24
Site1_HR – 192.168.52.0/24
Site1_IT – 192.168.53.0/24
Site2_Legal – 192.168.60.0/24
Site2_Accounting – 192.168.61.0/24
Site2_HR – 192.168.62.0/24
Site2_IT – 192.168.63.0/24
Site3_Legal – 192.168.70.0/24
Site3_Accounting – 192.168.71.0/24
Site3_HR – 192.168.72.0/24
Site3_IT – 192.168.73.0/24
•Isolate user systems from each other at Layer 2 & 3
CLOSING
•Stop buying blinky boxes as a cure-all
•Take time to truly understand the risk
•Research and learn offensive techniques
•Find your weak points, build walls, set tripwires, plug the holes the best you can
THANKS / #FF
@curi0usJack
@TonikJDK
@harmj0y
@obscuresec
@passingthehash
@gentilkiwi
@hardwaterhacker
@HackerHurricane
@mattifestation
@mikepilkington
@PyroTek3
@scriptjunkie
• BrakeSec Podcast
• Defensive Security Podcast
QUESTIONS/CONTACT
@blueteamer
http://blueteamer.blogspot.com/
Feel free to contact me with any questions/comments
REFERENCES
• PAW Technet Article
• https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
• Security Implications of Windows Access Tokens – A Penetration Tester’s Guide
• https://labs.mwrinfosecurity.com/assets/142/original/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
• Hello my name is Microsoft and I have a credential problem
• https://media.blackhat.com/us-13/US-13-Duckwall-Pass-the-Hash-WP.pdf
• Mitigating Service Account Credential Theft on Windows
• https://community.rapid7.com/docs/DOC-2881
• Pass-the-Hash Whitepapers
• https://www.microsoft.com/en-us/download/details.aspx?id=36036
• Abusing Kerberos Whitepaper
• https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf
• https://www.scriptjunkie.us/2013/09/remote-desktop-and-die/
• http://www.irongeek.com/i.php?page=videos/bsidescleveland2016/101-preventing-credential-theft-lateral-movement-after-initial-compromise-cameron-moore
• https://dirteam.com/sander/2013/07/18/security-thoughts-pass-the-hash-and-other-credential-theft/
• https://logrhythm.com/blog/detecting-lateral-movement-from-pass-the-hash-attacks/
• https://technet.microsoft.com/en-us/security/dn920237.aspx
• https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf
• https://www.crowdstrike.com/blog/mitigating-pass-hash-pth/
• https://channel9.msdn.com/Blogs/Taste-of-Premier/Proactively-Secure-your-IT-Environment-from-Credential-Theft-with-POP-SLAM
• https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B210
• https://www.secureworks.com/blog/targeted-credential-theft
• http://www.derekseaman.com/2013/06/teched-pass-the-hash-preventing-lateral-movement-atc-b210.html
• https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1208
• https://channel9.msdn.com/events/teched/northamerica/2014/dcim-b359#fbid=
• https://technet.microsoft.com/library/dn408187.aspx
• https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
• https://www.schneier.com/blog/archives/2016/05/credential_stea.html
• https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx
• https://blogs.technet.microsoft.com/askpfeplat/2016/04/04/reading-the-fine-print-on-the-protected-users-group/
• https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/
• http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
• https://dfir-blog.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/
• https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
• https://adsecurity.org/?p=1667
• https://digital-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
• https://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
• https://adsecurity.org/?p=1684
• https://blogs.technet.microsoft.com/canitpro/2016/06/23/step-by-step-enabling-restricted-admin-mode-for-remote-desktop-connections/
• https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/
• https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users
• http://www.geektime.com/2014/04/02/remote-desktops-restricted-admin-is-the-cure-worse-than-the-disease/
• http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
• https://dfir-blog.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/comment-page-1/#comment-527
• http://www.rsmusconsultingpros.com/prevent-token-impersonation/
• https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
• https://dirteam.com/sander/2014/12/23/new-features-in-active-directory-domain-services-in-windows-server-2012-r2-part-3-authentication-policies-and-authentication-policy-silos/
• https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/how-to-configure-protected-accounts
• https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
• https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf

Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Dakotacon 2017

  • 14. LSASS
    • Mimikatz and WCE pull creds from here
    • User logs on: LSASS caches creds for future use
    • Can be hashes, Kerberos tickets, or plaintext
  • 15. LSASS
    • [Screenshots] LSASS contents prior to Windows 8.1 / Server 2012 R2 & KB2871997 vs. after
    • Windows 8.1 and Server 2012 R2 stop keeping the WDigest plaintext password in LSASS by default; KB2871997 backports the switch (UseLogonCredential) to Windows 7, 8, Server 2008 R2 and 2012, where it must still be set to 0
  • 16. LSASS
    • [Screenshot]
  • 17. LSA SECRETS
    • Readable only by processes running as SYSTEM
    • Credentials are encrypted and stored on disk, in the HKLM\SECURITY hive
    • Passwords for scheduled tasks, the computer account and service accounts
  • 18. LSA SECRETS
    • Domain cached credentials, aka password verifiers (MSCache v2 / DCC2)
    • Stored as salted hashes
    • Can't be passed in a Pass-the-Hash attack
    • Can be dumped and brute forced
  • 19. CREDENTIAL MANAGER
    • Passwords entered manually via the Control Panel applet
    • Or when a user tells Windows to remember a password: Remote Desktop, IE Autocomplete
    • Encrypted (DPAPI) with a key derived from the user's password
    • Any program running as that user can decrypt them
  • 20. WINDOWS CREDENTIAL & AUTH ISSUES
    • Pass-the-Hash attacks
    • NTLM hashes acquired from memory or the SAM
    • Can be used to authenticate just as Windows does
  • 21. WINDOWS CREDENTIAL & AUTH ISSUES
    • Auth via the NTLM protocols uses challenge/response
    • NTLMv1: completely broken; an attacker who captures the exchange on the wire can recover the NT hash
    • NTLMv2: better, but offline brute force of the response is still possible
    • Both vulnerable to relay attacks: require SMB signing (signing only protects SMB; relays to LDAP or HTTP need LDAP signing / channel binding or EPA on those services)
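A baseline check for the settings slides 15, 18 and 21 turn on, as an added example that is not part of the talk: WDigest plaintext caching, the number of cached domain logons kept on disk, the NTLM level the host will speak, and whether SMB signing is required on both sides. Registry paths, value names and defaults are the documented Windows ones; the "Ok" thresholds (for instance at most one cached logon) are this example's choices for a PAW. Run it elevated on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the talk). Reports how much reusable credential material this
# host leaves behind and whether its NTLM traffic can be captured or relayed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name   # $null if absent
}

function Get-CredentialExposureBaseline {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Slide 15: UseLogonCredential = 1 keeps the plaintext password in LSASS. Absent means 0 on
    # Windows 8.1/2012 R2+, but on Windows 7/8/2008 R2/2012 with KB2871997 absent still means
    # enabled, so only an explicit 0 is reported as safe (conservative by design).
    $useLogonCred = Get-RegValue $wdigest 'UseLogonCredential'

    # Slide 18: DCC2 verifiers kept on disk for offline logon (REG_SZ; Windows default 10).
    $cached = Get-RegValue $winlogon 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = '10' }

    # Slide 21: LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 (default 3 on clients).
    $lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $lmLevel) { $lmLevel = 3 }

    # Slide 21: relay is blocked only when signing is *required*, not merely enabled, on both sides.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    [pscustomobject]@{
        WDigestUseLogonCredential = $useLogonCred
        WDigestOk                 = ($useLogonCred -eq 0)
        CachedLogonsCount         = [int]$cached
        CachedLogonsOk            = ([int]$cached -le 1)    # a PAW is always on the network
        LmCompatibilityLevel      = $lmLevel
        NtlmV2OnlyOk              = ($lmLevel -ge 5)
        SmbServerRequireSigning   = $srv.RequireSecuritySignature
        SmbClientRequireSigning   = $cli.RequireSecuritySignature
        SmbRelayOk                = ($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)
    }
}

Get-CredentialExposureBaseline | Format-List
```

Any row ending in "Ok = False" is a GPO to write before the host is allowed to hold Tier 0 credentials; the same function can be run through Invoke-Command against every PAW after the hardening GPOs are linked (slide 45, "validate hardening GPOs").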
  • 22. WINDOWS CREDENTIAL & AUTH ISSUES
    • Kerberos: Pass-the-Ticket
    • Tickets dumped from one computer and loaded on another
    • A stolen renewable TGT can be renewed before it expires, up to the 7-day renewal limit (10-hour ticket lifetime, 7-day renewal by default)
    • Other issues: Golden/Silver Tickets, etc.
  • 23. WINDOWS CREDENTIAL & AUTH ISSUES
    • Windows access tokens: not well known among defenders
    • User logs on, system verifies the password
    • If the password is OK, an access token is created
    • Every process this user runs has a copy of the token
    • Stored in memory; enables single sign-on
  • 24. WINDOWS CREDENTIAL & AUTH ISSUES
    • Impersonation tokens (non-interactive logons): can be used to escalate privileges, but only good locally
    • Delegation tokens (interactive logons): an attacker can steal a more privileged user's token and use it on any network-accessible system
  • 27. STEALING WINDOWS ACCESS TOKENS
    • Incognito, tool from Luke Jennings
    • Presented at Defcon 15 (2007)
    • Whitepaper: Security Implications of Windows Access Tokens – A Penetration Tester's Guide, https://labs.mwrinfosecurity.com/assets/142/original/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
  • 28. WINDOWS CRED & AUTH ISSUES
    • Cred theft has been a major issue for a long time
    • Roadblocks to overcome: IT admins may not understand the risk; change is hard, usability > security
    • No "patch" for these issues
    • Light at the end of the tunnel
  • 29. INTRODUCING PAWS
    • Hardened admin workstations
    • Designed to limit credential theft of privileged accounts
    • Similar in theory to network segmentation
    • Requires grouping systems and users by privilege level
    • https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
  • 30. ACTIVE DIRECTORY ADMINISTRATIVE TIER MODEL
    • Tier 0: Domain Admins & Domain Controllers (anything with direct control of AD)
    • Tier 1: Member Server Admins & Member Servers
    • Tier 2: Workstation Admins & Workstations
  • 33. PAW PREREQUISITES
    • Remove local admin from as many users as possible
    • If necessary, give users multiple accounts and/or segment
    • Legacy software may not play well with UAC: look for workarounds, put pressure on vendors
  • 34. PAW PREREQUISITES
    • Break out separate member server admins, if necessary
    • Limit the number of Tier 0 admins
    • Delegate privileges in AD
    • If possible, segment each group of admins: Ops Server Admins; Dev Server Admins; Network Admins
  • 35. PHASES OF DEPLOYMENT
    • 1) Immediate deployment for AD admins
    • 2) Extend PAWs to all users with admin rights over mission-critical applications: cloud services admins, member server admins
    • 3) Advanced PAW security
  • 36. PAW DEPLOYMENT MODELS
    • Dedicated hardware: Pros, strongest security separation; Cons, additional desk space, weight, hardware cost
    • Simultaneous use: Pros, lower hardware cost, better user experience; Cons, a single keyboard/mouse can cause unintentional errors
  • 37. PAW DEPLOYMENT MODELS
    • Simultaneous use: "User" VM locally on the hardened PAW host, or
    • VDI / RDP: "User" VMs managed centrally in the datacenter, accessed from the hardened PAW
  • 39. DEPLOY PAW ACTIVE DIRECTORY FRAMEWORK
    • Create-PAWOUs.ps1: create the new OU structure in Active Directory
    • Create-PAWGroups.ps1: create the new security groups in the appropriate OUs
    • Set-PAWOUDelegation.ps1: assign permissions on the new OUs to the appropriate groups
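The tiered OU tree and the groups that slides 39 to 41 refer to, as an added example that is not Microsoft's Create-PAWOUs.ps1 / Create-PAWGroups.ps1 and not the talk's own script. It builds the same "Admin \ Tier N \ Accounts|Groups|Devices|Service Accounts" layout idempotently, so it can be re-run after a partial failure. The "Tier N Admins" groups, all descriptions, and the use of (Get-ADDomain).DistinguishedName as the root are this example's assumptions; it needs the RSAT ActiveDirectory module and rights to create OUs and groups.

```powershell
# Added example (not Microsoft's PAW scripts). Creates the tiered Admin OU tree and the
# PAW security groups, skipping anything that already exists.
Import-Module ActiveDirectory

function New-OuIfMissing {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        # Protect from accidental deletion: losing a Tier 0 OU also drops its GPO links
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

function New-GroupIfMissing {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path, [string]$Description = '')
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -Description $Description | Out-Null
    }
}

function New-PawAdminTree {
    $domainDn = (Get-ADDomain).DistinguishedName          # assumption: e.g. DC=corp,DC=example
    $admin    = New-OuIfMissing -Name 'Admin' -ParentDn $domainDn

    foreach ($tier in 0, 1, 2) {
        $tierOu = New-OuIfMissing -Name "Tier $tier" -ParentDn $admin
        foreach ($sub in 'Accounts', 'Groups', 'Devices', 'Service Accounts') {
            $null = New-OuIfMissing -Name $sub -ParentDn $tierOu
        }
        # One admin group per tier; the per-tier "Deny log on" GPOs (slide 42) key off these
        New-GroupIfMissing -Name "Tier $tier Admins" -Path "OU=Groups,OU=Tier $tier,$admin" `
            -Description "Administrative accounts for tier $tier (example group, not from the PAW guidance)"
    }

    # The PAW groups live under Tier 0 because the PAW itself is a Tier 0 asset (slides 40-41)
    $t0Groups = "OU=Groups,OU=Tier 0,$admin"
    New-GroupIfMissing -Name 'PAW Users'       -Path $t0Groups -Description 'Allowed to log on locally to a PAW'
    New-GroupIfMissing -Name 'PAW Maintenance' -Path $t0Groups -Description 'Only non-built-in member of the PAW local Administrators group'
    return $admin
}

New-PawAdminTree
```

Delegation (Set-PAWOUDelegation.ps1) is deliberately left to Microsoft's script: the ACEs it writes are the part most worth reviewing line by line rather than reproducing from memory.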
  • 40. NEW OUs
    • [Diagram of the Admin OU tree] Tier 0 accounts: users that are members of Domain Admins, Enterprise Admins or equivalent
  • 41. PAW HARDENING - COMPUTER GPOs
    • Empty all local groups
    • Add PAW Maintenance & Administrator to local Administrators
    • Grant the "PAW Users" group local logon access
    • Block inbound network traffic; permit security scanning, patch management, etc.
    • Configure WSUS for PAWs
  • 42. PAW HARDENING - USER GPOs
    • Block Internet access for PAW Users; allow internal and other necessary browsing
    • Restrict administrators from logging on to lower-tier hosts
    • Local Policies\User Rights Assignment\Deny log on ... as a service / as a batch job / locally
  • 43. PAW GPOs – DENY LOWER TIER LOGON
    • [Screenshot of the Deny log on settings]
  • 44. PAW SETUP – PHASE 1 (AD ADMINS)
    • Acquire & validate installation media and other tools
    • Windows 10 Enterprise if possible: Credential Guard & Device Guard
    • Set a unique, complex password for the local admin
  • 45. PAW SETUP – PHASE 1 (AD ADMINS)
    • Connect the PAW to the network, join the domain
    • Move it to Admin\Tier 0\Devices
    • Install Windows updates and any necessary admin tools; carefully consider the risk of each tool installed
    • Forward logs to the SIEM
    • Validate the hardening GPOs
  • 46. RESTRICTED ADMIN MODE
    • Controversial RestrictedAdmin mode
    • Leaves no reusable credentials on the destination
    • Enabling it opens up Pass-the-Hash via RDP
    • Weigh the risk vs. reward
  • 47. RESTRICTED ADMIN MODE
    • Opens up systems to Pass-the-Hash via RDP, vs. further limiting the reusable creds left on systems
    • Lock down RDP: only trusted hosts
  • 48. RESTRICTED ADMIN MODE
    • Off by default; enable on destination systems with regedit (DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
    • mstsc.exe /RestrictedAdmin
    • To force RestrictedAdmin mode: "Restrict delegation of credentials to remote servers" GPO, linked to the admin computer OUs in each tier
    • Limitation: network connections from the session are made with the computer account, not the admin's
  • 49. REMOTE CREDENTIAL GUARD
    • Same regedit as Restricted Admin mode to enable
    • mstsc.exe /remoteGuard
    • Remote computer must be running Windows 10 1607 or Windows Server 2016
    • Limitation: signed-on credentials only (you cannot supply different creds; Kerberos only)
    • Benefit: allows multi-hop from the remote desktop, since Kerberos requests are redirected back to the client
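The two registry locations behind slides 48 and 49, as an added example that is not from the talk: on the destination host, DisableRestrictedAdmin = 0 accepts both Restricted Admin and Remote Credential Guard sessions; on the PAW, the "Restrict delegation of credentials to remote servers" policy (the CredentialsDelegation key) forces mstsc to use one of them, with RestrictedRemoteAdministrationType 1 = Restricted Admin, 2 = Remote Credential Guard, 3 = either. Value names and meanings are the documented Windows ones; the function names and the default of mode 2 are this example's choices. In production push these through the GPOs named on slide 48 rather than editing hosts by hand.

```powershell
# Added example (not from the talk). Audits, and with Set-RdpCredentialProtection sets,
# the destination-side and client-side settings for credential-less RDP.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name   # $null if absent
}

function Get-RdpCredentialProtection {
    $disable  = Get-RegDword $lsaKey    'DisableRestrictedAdmin'
    $restrict = Get-RegDword $policyKey 'RestrictedRemoteAdministration'
    $type     = Get-RegDword $policyKey 'RestrictedRemoteAdministrationType'
    [pscustomobject]@{
        # An absent value means "off" (the default), so only an explicit 0 counts as enabled.
        DestinationAcceptsProtectedRdp = ($disable -eq 0)
        ClientForcesProtectedRdp       = ($restrict -eq 1)
        ClientMode = $(switch ($type) {
            1 { 'RestrictedAdmin' } 2 { 'RemoteCredentialGuard' } 3 { 'Either' } default { 'NotConfigured' }
        })
    }
}

function Set-RdpCredentialProtection {
    param(
        [switch]$AsDestination,                     # member server / DC side (slide 48 "regedit")
        [ValidateSet(1, 2, 3)][int]$ClientMode = 2  # PAW side; 2 = Remote Credential Guard (slide 49)
    )
    if ($AsDestination) {
        # Trade-off from slide 47: this host now also accepts pass-the-hash over RDP,
        # so restrict who can reach its RDP port to trusted (PAW) hosts.
        New-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name RestrictedRemoteAdministration     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value $ClientMode -Force | Out-Null
    Get-RdpCredentialProtection
}

Get-RdpCredentialProtection
# From the PAW:  mstsc.exe /remoteGuard /v:server01    or    mstsc.exe /restrictedAdmin /v:server01
```

With the client policy set, a plain mstsc.exe connection that would send the admin's password to a host that does not accept protected sessions fails instead of silently leaving reusable credentials there, which is the behaviour the policy exists to guarantee.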
  • 50. CREDENTIAL GUARD
    • Enable Credential Guard, if possible
    • Virtualizes the Windows services that manage credentials (LSA isolation through virtualization-based security)
    • To isolate them from the running OS and from an attacker with admin rights
    • Requirements: Windows 10 Enterprise x64, UEFI with Secure Boot enabled, CPU virtualization extensions with SLAT; a TPM is recommended to protect the keys
  • 51–53. CREDENTIAL GUARD SCREENSHOTS
    • #1 motivator to buy Windows 10 Enterprise
  • 54. PAW SETUP – PHASE 3
    • Builds on Phase 1; not dependent on Phase 2
    • Multi-factor authentication: smart cards
    • Whitelisting: Device Guard / AppLocker
    • Protected Users group
    • Authentication Policies and Silos
  • 55. PAW SETUP – PHASE 3 (MULTI-FACTOR)
    • Windows 2FA solutions are a great control, but not a magic bullet
    • Limitation: only enforced on interactive logons
    • Forcing smart card logons means the account's NT hash is set once and never changes, so a stolen hash stays valid indefinitely
    • Mitigate with a script that toggles "Smart card is required for interactive logon", which regenerates the hash
  • 56. PAW SETUP – PHASE 3 (PROTECTED USERS)
    • Most painless control to implement to limit cred exposure
    • Most benefits when running the 2012 R2 domain functional level
    • Forces more secure Kerberos (no NTLM, no DES/RC4, no delegation); TGT lifetime 4 hours instead of 10
    • Users must re-authenticate when the TGT expires
    • Feature/limitation: no locally cached credentials, so no logon when a DC is unreachable
    • Don't add service or computer accounts; keep a break-glass account out of the group
  • 57. PAW SETUP – PHASE 3 (AUTH POLICIES & SILOS)
    • Pair well with the Protected Users group
    • Requires the 2012 R2 domain functional level
    • Control where accounts can log on from
    • Which services they can authenticate to
    • Set TGT lifetime
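The Phase 3 controls from slides 55 to 57 as ActiveDirectory cmdlets, in one added example that is not the talk's own script. Reset-SmartCardOnlyHash rotates the never-changing NT hash of smart-card-only accounts by toggling the "Smart card is required for interactive logon" flag, which makes the DC generate a fresh random hash (slide 55). Protect-Tier0Accounts adds the Tier 0 admins to Protected Users (slide 56) and then builds an authentication policy and silo so those accounts get a 4-hour TGT and can only authenticate from devices in the same silo (slide 57). The group, policy and silo names are assumptions. It requires the 2012 R2 domain functional level and, for silos to be enforced, "KDC support for claims, compound authentication and Kerberos armoring" enabled on the DCs. Keep one break-glass account outside all of it.

```powershell
# Added example (not from the talk). Phase 3: hash rotation for smart-card-only accounts,
# Protected Users membership, and an authentication policy silo for Tier 0.
Import-Module ActiveDirectory

function Reset-SmartCardOnlyHash {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties SmartcardLogonRequired, PasswordLastSet
        if (-not $u.SmartcardLogonRequired) {
            Write-Warning "$sam is not smart-card-only; leaving its password alone"
            continue
        }
        # Clearing and re-setting the flag makes the DC assign a new random NT hash,
        # so a hash stolen earlier stops working.
        Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $false
        Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $true
        $after = Get-ADUser -Identity $sam -Properties PasswordLastSet
        # PasswordLastSet moving forward confirms the rotation happened
        [pscustomobject]@{ Account = $sam; Before = $u.PasswordLastSet; After = $after.PasswordLastSet }
    }
}

function Protect-Tier0Accounts {
    param(
        [string]$AdminGroup  = 'Tier 0 Admins',   # assumption: group holding Tier 0 admin accounts
        [string]$DeviceGroup = 'Tier 0 Devices',  # assumption: group holding the PAW computer accounts
        [string]$Policy      = 'Tier0-Policy',
        [string]$Silo        = 'Tier0-Silo'
    )
    $admins  = @(Get-ADGroupMember -Identity $AdminGroup -Recursive | Where-Object objectClass -eq 'user')
    $devices = @(Get-ADGroupMember -Identity $DeviceGroup          | Where-Object objectClass -eq 'computer')
    if ($admins.Count -eq 0) { throw "No user accounts in $AdminGroup" }

    # Slide 56: Protected Users = no NTLM, no DES/RC4, no delegation, no cached logon, 4 h TGT.
    Add-ADGroupMember -Identity 'Protected Users' -Members $admins

    # Slide 57: 240-minute TGT plus an "allowed to authenticate from" condition that the
    # device must carry the silo claim. The SDDL is the form Microsoft's
    # Set-ADAuthenticationPolicy documentation uses for silo conditions.
    if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$Policy'")) {
        New-ADAuthenticationPolicy -Name $Policy -UserTGTLifetimeMins 240 -Enforce `
            -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$Silo`"))"
    }
    if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$Silo'")) {
        New-ADAuthenticationPolicySilo -Name $Silo -UserAuthenticationPolicy $Policy -Enforce
    }
    # Silo membership is two-sided: the silo must permit the account AND the account must claim the silo.
    foreach ($acct in $admins + $devices) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $Silo -Account $acct.DistinguishedName
    }
    foreach ($a in $admins)  { Set-ADUser     -Identity $a.DistinguishedName -AuthenticationPolicySilo $Silo }
    foreach ($d in $devices) { Set-ADComputer -Identity $d.DistinguishedName -AuthenticationPolicySilo $Silo }
}

# Reset-SmartCardOnlyHash -SamAccountName 'adm-bill'   # run on a schedule (slide 55)
# Protect-Tier0Accounts                                 # run once, re-run as membership changes
```

Run Protect-Tier0Accounts with the silo created but without -Enforce first (audit mode) and watch for event ID 105 on the DCs before enforcing, otherwise a PAW left out of the device group locks every Tier 0 admin out at once.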
  • 58. LESSONS LEARNED FROM MY DEPLOYMENT
    • Windows 10 Enterprise Hyper-V is awesome
    • Dual monitors, audio & mic, copy+paste, separate VLANs
    • So many user accounts! The struggle is real
    • Dramatic shift in day to day
    • Sometimes "User Bill" doesn't love "Security Bill"
    • You can do it! Figure out a system that works for you
  • 59. FURTHER LIMITING EXPOSURE TO CREDENTIAL THEFT AND LATERAL MOVEMENT
    • Randomize the local admin password on every host: use LAPS or similar
  • 60. NETWORK SEGMENTATION
    • [Diagram: three sites behind a WAN, one ACL (ACL1 through ACL12) per subnet]
    • Site1: Site1_Legal 192.168.50.0/24, Site1_Accounting 192.168.51.0/24, Site1_HR 192.168.52.0/24, Site1_IT 192.168.53.0/24
    • Site2: Site2_Legal 192.168.60.0/24, Site2_Accounting 192.168.61.0/24, Site2_HR 192.168.62.0/24, Site2_IT 192.168.63.0/24
    • Site3: Site3_Legal 192.168.70.0/24, Site3_Accounting 192.168.71.0/24, Site3_HR 192.168.72.0/24, Site3_IT 192.168.73.0/24
    • Isolate user systems from each other at Layer 2 & 3
  • 61. CLOSING
    • Stop buying blinky boxes as a cure-all
    • Take time to truly understand the risk
    • Research and learn offensive techniques
    • Find your weak points, build walls, set tripwires, plug the holes the best you can
  • 64. REFERENCES
    • PAW Technet Article: https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
    • Security Implications of Windows Access Tokens – A Penetration Tester's Guide: https://labs.mwrinfosecurity.com/assets/142/original/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
    • Hello my name is Microsoft and I have a credential problem: https://media.blackhat.com/us-13/US-13-Duckwall-Pass-the-Hash-WP.pdf
    • Mitigating Service Account Credential Theft on Windows: https://community.rapid7.com/docs/DOC-2881
    • Pass-the-Hash Whitepapers: https://www.microsoft.com/en-us/download/details.aspx?id=36036
    • Abusing Kerberos Whitepaper: https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
  • 65. REFERENCES
    • https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf
    • https://www.scriptjunkie.us/2013/09/remote-desktop-and-die/
    • http://www.irongeek.com/i.php?page=videos/bsidescleveland2016/101-preventing-credential-theft-lateral-movement-after-initial-compromise-cameron-moore
    • https://dirteam.com/sander/2013/07/18/security-thoughts-pass-the-hash-and-other-credential-theft/
    • https://logrhythm.com/blog/detecting-lateral-movement-from-pass-the-hash-attacks/
    • https://technet.microsoft.com/en-us/security/dn920237.aspx
    • https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf
    • https://www.crowdstrike.com/blog/mitigating-pass-hash-pth/
    • https://channel9.msdn.com/Blogs/Taste-of-Premier/Proactively-Secure-your-IT-Environment-from-Credential-Theft-with-POP-SLAM
    • https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B210
    • https://www.secureworks.com/blog/targeted-credential-theft
    • http://www.derekseaman.com/2013/06/teched-pass-the-hash-preventing-lateral-movement-atc-b210.html
    • https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1208
    • https://channel9.msdn.com/events/teched/northamerica/2014/dcim-b359#fbid=
    • https://technet.microsoft.com/library/dn408187.aspx
    • https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
    • https://www.schneier.com/blog/archives/2016/05/credential_stea.html
    • https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx
    • https://blogs.technet.microsoft.com/askpfeplat/2016/04/04/reading-the-fine-print-on-the-protected-users-group/
    • https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/
    • http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
  • 66. REFERENCES
    • https://dfir-blog.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/
    • https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
    • https://adsecurity.org/?p=1667
    • https://digital-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
    • https://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
    • https://adsecurity.org/?p=1684
    • https://blogs.technet.microsoft.com/canitpro/2016/06/23/step-by-step-enabling-restricted-admin-mode-for-remote-desktop-connections/
    • https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/
    • https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users
    • http://www.geektime.com/2014/04/02/remote-desktops-restricted-admin-is-the-cure-worse-than-the-disease/
    • http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
    • https://dfir-blog.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/comment-page-1/#comment-527
    • http://www.rsmusconsultingpros.com/prevent-token-impersonation/
    • https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
    • https://dirteam.com/sander/2014/12/23/new-features-in-active-directory-domain-services-in-windows-server-2012-r2-part-3-authentication-policies-and-authentication-policy-silos/
    • https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/how-to-configure-protected-accounts
    • https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
    • https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf