00:00:08 protecting privileged identities in the defending Active Directory against cyber attacks series. Here, we're in Part II, protecting privileged identities.

00:00:20 So, pretty much there are three components to securing privileged access or protecting these identities. They're broken down into separating identities, randomizing local admin passwords, as well as separating the workstations. And Josh will take us through each one of these components.

00:00:36 >> Thanks, Claire. Yeah, when we talk about separating identities, I think this is something that a lot of customers, at least ones that I worked with, tend to do very well. They've been doing it for a long time. Similar to what we talked about in the previous section here, going back many, many, many years in security, people thought it was simply enough that if I have an admin account and a normal user account I'm good to go. And in more recent years we've figured out that we need to take it a level beyond that. Because as you saw in our demo earlier, even if I used two different accounts, if I'm using them on the same workstation, I'm still exposing my privileged credentials to that workstation. So we really need to get into having not only a separate account for privileged activities, but a completely separate workstation. And we're gonna go cover that in a little bit more detail here, shortly. And then the third pillar that we have here is randomizing that local admin password on all of our systems. And we're gonna cover a tool that you can use to do that, and also why that is important.

00:01:53 >> So going back to the different ways that threat actors can get a hold in the environment, move laterally and then escalate.
00:02:07 These components, separating workstations, randomizing local admin passwords, which part is that really addressing in terms of the controls? Is it focusing more on the lateral, or elevation, or actually both?

00:02:19 >> So the randomizing local passwords, or local admin passwords, is focusing on that preventing lateral movement. The other two are more in that realm of preventing privilege escalation.

00:02:37 >> Okay.

00:02:37 >> Now, you gotta do them together, though, because as I mentioned, if you only separate the accounts but you're still putting them both into that same system, and that system happens to be compromised, it doesn't really matter that you separated the accounts. So we have to add that extra layer on there and have that separate workstation. So if you are out walking about, one thing you probably don't do is carry a large sum of money on you, right? So, if I came up and snatched your purse, I'm not gonna get your life savings, right?

00:03:16 >> Yeah.

00:03:18 >> Should really apply that same concept, right? I'm not going to take all of my valuables with me everywhere I go, so why would I carry my most sensitive privileges with me everywhere I go? I need to limit where I expose those credentials to. And that's what these mitigation strategies are all about. They are all about limiting the exposure of your privileged credentials. And that is the best thing that you can do to protect those privileged identities.

00:03:45 >> Applying the common sense of life to technology.

00:03:49 >> Yes, exactly. So, really, again starting with that separating our accounts here, we need to have two separate accounts. One for doing our normal day to day activities, all of our business productivity type work.
00:04:06 Anything that is high risk. And we consider high risk activities to be things like browsing the Internet or checking your e-mail. We talked earlier about phishing being the number one entry point, right? That's what attackers use the most. They phish people to get in. Well, if I am entering my privileged credentials into the same system or using the, in this case we're talking about separating our accounts here. If I check my e-mail with my privileged credentials and that e-mail is infected, right? I have some malware that executes from opening the e-mail or opening an attachment from it, or following a link that I received in that e-mail. I have just given away my privileged credentials to my adversary, and they may not even need to bother with doing the lateral movement and passing the hash and doing the privilege escalation because I just handed it over to begin with.

00:05:09 >> Got it, yeah.

00:05:09 >> So, that's why we really gotta start with this basic step here. So, you really have to change your mindset and the way that you work, and say that when I'm doing these activities, when I am doing my normal business productivity, and maybe I'm taking care of some training, everybody maybe does a little bit of shopping at work here and there. Don't do that stuff using your privileged account. Or I'm checking my e-mail, we're doing whatever purposes I have there. I have one account for that, and I force myself to only use that account for it. And I never log in with my privileged account to do those types of activities. And then, when it comes time to, I need to administer this server, or in the context of our series here, we're really focusing on protecting Active Directory.
00:06:00 I'm only logging in with an account that has Domain Admin privileges, or Enterprise Admin privileges, or any of those other high privileged Active Directory groups. I'm only using that account when it's necessary to perform a task that requires that level of privileges. And that kinda ties back into that least privilege concept that we talked about earlier. So as I was mentioning, really, with standard user accounts we're just doing those high risk activities and normal day-to-day stuff. And when we get into our privileged accounts, if I need to install some software on a system that might require a higher level of privileges, or if I need to install maybe some patches, anything that requires those administrative privileges. So one thing that's really helpful when you're trying to split out your accounts, and then also as we move into the next phase we're gonna talk about with the splitting out to separate workstations, is finding where are these accounts being used at. They could be being used all over the place. One day I might log into this system with this account, and tomorrow I have to administer five different servers and log into five different servers. It could be hard to keep track of where I've used these accounts at. So we're gonna roll into a demo here. I'm gonna show you a brand new script that we just posted out on the TechNet Gallery that I wrote called Get-LogonLocations.

00:07:40 >> Awesome.

00:07:47 >> I'm gonna go ahead and run the script here. And what this is gonna do is it is going to show me, and I want to sort this by unique entries, because I want to filter out some of the noise here. If I don't sort it, it's gonna show me all the logins that happened anywhere.
00:08:09 But specifically, I wanna look at our Tier-0 groups. I wanna find out where members of these Tier-0 groups are logging into. So then I could find out where these credentials have been exposed to. So I'm gonna sort this by user, computer and IP address. And I'm doing both computer name and IP address because there's a possibility that a log entry might have only one or the other and not both. But this is gonna give me some unique results here. This'll take a second to run, and while this is bringing back some results here, I'm just gonna talk about this a little bit more. So what's happening right now is it's going out and trying to connect to every domain controller in the environment and look for a specific event. And that event that you can see up in the top here on some of the code is a 4624 event. And if you're auditing this, and it's usually audited by default on domain controllers, but you can turn this auditing on. And we'll talk more about auditing and event log monitoring in a later session. But if you're looking for this one, it shows you when somebody logs in. So by searching through this, once I find these logins, it's gonna show me either the IP address or the computer name of where that account logged in to. The built in function that I have here, since I didn't specify what user I'm looking for, or a group of users that I'm looking for, it's looking for members of all of our standard Tier-0 groups. So, all the default ones, your Domain Admins, Enterprise Admins, Schema Admins, the Account Operators and Backup Operators, and all those things that we learned about in that session earlier with Zaid.
00:10:12 And, it's looking in the data for each one of these events that it finds that matches our search query for a match for one of those names. So anybody that's a member of any single one of those groups, we're gonna get some data returned here in just a moment showing where they logged in.

00:10:31 >> How do you set the subset of machines that you're searching running this query again? How do you set that on this script?

00:10:43 >> So if I wanted to look at either a specific domain controller rather than searching for events across all of it, or let's say that I've set up some central monitoring, like Windows Event Forwarding, which we're gonna discuss in a later session as well, I could specify the computer name. Now, if I specify a computer name that's a Windows Event Forwarding collector, I'm probably gonna wanna change what log I'm looking at too. By default, we're looking at the Security log, because that's where these events live. But when we're doing event forwarding it goes into a different event log called Forwarded Events. And I would specify that, and that could actually give me a much broader set of data. It might be a little bit more inclusive than if I'm just hitting my domain controllers. So what I'll get back in that case is, if I'm forwarding this type of event from, let's say, every system that I have in the environment, not just showing the ones that hit the DC, I'll see logins for accounts that match our query across all systems, and that's probably gonna give me a little bit more valuable information than if I'm just looking at DCs. The DCs should catch the majority of it. But I'll catch that last little bit if I'm looking across a wider set of them.
00:12:03 And using this script, I can specify as many computers as I want, I'll just comma-delineate them. So, I could even use this for other purposes. But what we're using it for here is we're trying to identify where privileged accounts are being exposed to. If I just wanted to find out where one specific person logged into, or if they had logged into a system, I can specify the username in addition with some switches and stuff.

00:12:34 >> A lot of parameters you can use.

00:12:36 >> There are quite a few different parameters in here, yeah.

00:12:38 >> And what would a company out there who wants to use this script, what would they do with the output? Or what would you recommend that they do with the output?

00:12:47 >> So I would recommend outputting it exactly like I am here. I'm having it sort only unique entries, and then that's gonna tell me where these credentials have been exposed. And if I see that they're being exposed on some of those normal user workstations where I'm doing my higher risk activities, I know that I need to prevent that from happening. As we get along in here further and start talking about the separate workstations, one of the things that we do when we implement a dedicated, or we call a privileged access workstation, is we set up some policies and controls that limit our privileged log-ins to that system. So I could use this script to see if I have properly implemented those controls. Have I successfully prevented people from accidentally using those credentials on another system outside of where I expect them to be used at? Could also be really useful if you're in what we call that tactical recovery phase and you know that you've been compromised.
00:14:00 You've had a team on site doing some incident response. And they wanna use this and figure out where the credentials that they know were compromised have been used at, because those systems have also been compromised? Cuz we know they've been used all over the place here. All right, so here you can see that we got our results back. I have only, in my lab environment really, only been using the administrator account, at least that's the only one that is part of the Tier-0 groups. So you can see that administrator has logged on to DC1. And I am seeing DC1 twice because I have two different IPs for it. One login was logged with the loopback address, another was the actual IP of that domain controller, same thing for logins to DC2. And then, here, we can see there's one where it couldn't resolve the host name from it, but if I were to go back through and look at these results it looks like I've got an IPv6 address that was logged in here. And then I've also logged in to the WEF01 computer, the Windows 10 computer, and then there was a login from quite a ways back on a computer that hadn't been renamed yet. We also include in here what the login type was. And I could filter out these results using some different PowerShell cmdlets, piping it into, kind of like I did with how I sorted it here. I could filter it with a Where statement if I wanted to, and maybe filter out my Network logins. The main thing I'm looking for when I'm looking for where credentials have been exposed are Interactive logins. And then here, we have another one that's RemoteInteractive, and then you can also see some Unlocks.
00:16:02 We don't necessarily care about Unlocks or Network, but I kinda like to include them all just to get a better sense of where they're being used, period. Right, just anywhere on the network there.

00:16:17 >> So going back to what we had in the beginning about how tactic one and two can really be used together or done in parallel. This tool not only shows our customers what accounts are logging onto what machines. But by having that information, they can also continue their privilege reduction exercise, going back to tactic one.

00:16:41 >> Yes, so we can determine exactly where these are being used at, and by finding that information, we can reduce our attack surface. So okay, I see that administrator logged in to this Windows 10 box. Well, as you saw in our earlier demo, that exposed those credentials to that normal user workstation and I was able to steal those credentials. If this account had never been used there, I wouldn't have been able to steal them.

00:17:21 >> Right, so that's limiting accounts to least privilege, only those who need it. Let's go into separating machines, because that's really that second component where those credentials wouldn't have been exposed. If the machines were separated, even if that one person needed both a privileged account and a user account.

00:17:42 >> Yep. Right, so let's talk about the separation of workstations there. Like I said, we like to call them privileged access workstations. We have a very nice article that we provide as a resource at the end of the deck here that you folks watching at home can download and have a read through. Internally at Microsoft, they've also referred to them as secure admin workstations.
00:18:11 You might hear them by a few different names depending on what vendors you talk to. But the concept is really the same. We have one machine that's our user machine, and that's where, earlier where we talked about separating our user accounts and our privileged accounts, our user machine is only used to log in with our user account that's completely unprivileged, doesn't have access to anything else.

00:18:37 >> So a Tier-2 account.

00:18:38 >> Tier-2 account. And that's what we're gonna use for doing all of our high-risk activities. We're gonna do our Internet access, our web browsing, our email access, our normal productivity stuff. Anything that is Internet facing is done from this workstation. And then if we take a look here at the admin workstation, this one is used exclusively for administrative tasks. And we can only use our privileged credentials on this workstation. We would actually put controls in place that prevent us from logging into a user machine. So we're trying to take some of the human error out of it, and make it so that if I accidentally forget which workstation I'm logging into, I still don't end up unintentionally exposing my credentials to a machine that may be compromised. We should never ever access the Internet or do any of those high-risk activities from this workstation. This workstation should be tailored for the type of management that we need to perform. So in the context of our discussions here around defending Active Directory, this would include all of our AD tools in it. So we'll have the remote admin tools for Active Directory on there, Active Directory Users and Computers, the Active Directory module for PowerShell.
00:20:09 Anything that we might need to use to administer a domain controller we would put on this Tier-0 privileged access workstation, or we call them PAW for short.

00:20:21 >> Mm-hm, going back to that side by side comparison, I wanna highlight the exposure versus the impact from a risk perspective. So the user machine, Tier-2, it's high exposure, right, that's doing all the risky stuff.

00:20:35 >> Yep.

00:20:35 >> But low impact, so if those credentials are stolen there's not much that someone could do with them, a threat actor can do with them.

00:20:43 >> Right, it's kinda going into that containerization that Zaid talked about. So I'm limiting what the impact that stolen credential has.

00:20:56 >> Mm-hm.

00:20:58 >> My normal user account might have access to some information that's interesting. I might have some emails that are valuable.

00:21:07 >> Right.

00:21:07 >> Maybe had some trade secrets in it. Or allow somebody that got a hold of my normal credentials and got into my mailbox, they could maybe do some insider trading. Because they found out from an email that I sent that my company's about to acquire this other company. So that's juicy. I'm gonna go buy some stocks here. But, we're limiting it to only what that one person knows, and what that one person has access to. And if we're implementing those least privilege concepts that you guys talked about earlier, we're limiting the access that that user has to only the data that they need to do their job. So if I am, let's say I'm gonna pick on IT, cuz we're all IT professionals here. If I'm working at the help desk, I probably don't need to have access to the same type of data that somebody that works in payroll in our finance department has. Right?
00:22:11 So, if you get my normal user help desk credentials, the most interesting thing you might find for me is emails regarding status of trouble tickets that I have open right now. And because I'm using these mitigation techniques and using separate machines, I've not exposed my admin credentials to you. So you're not gonna be able to use them to go and access the more valuable information in the environment.

00:22:40 >> And then looking at that admin machine that has low exposure, but high impact activities. So that's exactly what we're after and what we're trying to limit, keep in that compartment of being an admin, of having low exposure to the internet, to threat actors, whatever it may be. But high impact on the kind of work that we do. So let's look at kind of the options, I guess, on how we can separate out the machines and make this really real for our customers.

00:23:14 >> Yeah. So we have a couple different ways that we can go about it. And one is actually having two separate physical machines. Now, when you tell that to people they go, man, you're making me go out and buy all this new hardware and we just don't have the budget for it right now. And it can kind of become an excuse not to do this. But as you can see, this is really one of our most impactful mitigation strategies that we have available, because if we limit where the credentials are entered, we make it extremely difficult, if not impossible, for an attacker to steal those credentials, and we're really achieving the goals that we're talking about in this tactic here and protecting our privileged identities. So if we take a look at the options that we have here, there's some pros and cons to each one of them.
00:24:11 If we have separate physical machines, we are least likely to have human errors because I actually have to move from one computer to another to do different tasks. And it's pretty easy for me to tell where I'm working. Some of the downsides to that is, obviously, the cost. We talked about that. I have to buy an additional system to act as my PAW, and the other one is desk space, you know? I know when I used to be on the customer side, I had a pretty decent sized desk and I used to have three monitors and stuff like that. And I had multiple computers, so it wasn't a big deal for me. But I've also worked other places and I've worked with a lot of customers that don't have as much desk real estate, and you really would be pushing things to have them have multiple systems.

00:25:07 >> Right.

00:25:07 >> That do these types of things.

00:25:09 >> And for that user, the weight might come into account also. Especially, they may not be.

00:25:12 >> Right, especially if they're a remote worker, yeah.

00:25:14 >> Exactly, right at their desk, but they're carrying around their machines, and they don't want to carry around two machines.

00:25:18 I definitely wouldn't. I can tell you my backpack that I carry around, I've got a very large laptop in it, and that thing weighs about 50 pounds with all the gear that I have in it already. If I had to add a second system to that, I'd probably be going to the doctor for some back surgery very soon. [LAUGH]

00:25:36 >> So what are our other options?

00:25:38 So the other options that we have are to virtualize. Now you, especially if you have some more recent and more modern hardware, can probably do this on existing hardware.
00:25:52 Especially now, well, it really started back with Windows 8, but it's gotten even better moving into Windows 10, is that we have some virtualization built right into the operating system. So I can run my standard user environment inside of my admin environment as a virtual machine. So that I got one place to do all my work and I just need to make sure that when I'm switching back and forth between my admin environment and my user environment, I'm not trying to enter my credentials into the normal user environment.

00:26:30 >> But, I see here, one thing I want to point out under the virtual machine: the admin environment, that has to be the base image, right?

00:26:38 >> Absolutely.

00:26:39 >> On the hardware.

00:26:40 >> Yes.

00:26:40 >> And can you elaborate on that?

00:26:42 >> Right. So again it's all about controlling where the credentials are entered. If I enter the credentials into the untrusted system, that high risk system, where I'm supposed to be doing my normal user activities, then I can do the attacks that we showed earlier. If I enter my normal user credentials into my highly protected admin workstation, I don't have those same concerns. Right? I'm exposing lesser trusted credentials to a more trusted system, but the attackers don't have access to that, they only have access, potentially have access, to my guest virtual machine, that's the user environment in there. So it's very important that the admin is always the host, and the normal user, a standard user environment, is always the guest if you're going to virtualize.

00:27:34 >> Right. And that's consistent with the third option, right.

00:27:37 >> Yeah, and the third option, you can do it a few different ways. Or, we have an external admin interface.
00:27:44 So, I could have a, actually, we're showing something different in the third option, here. I'm sorry, I thought we, I guess we lumped that in with the virtual machine. So, the third option here is that you'd actually reboot the system into an admin environment. So this is using a USB drive that has your admin environment installed on it, and I would reboot into that and when I'm done using it, I pull that USB stick out, and I reboot back into my normal user environment. Which kind of can be a little bit more toward the best of both worlds where we're blending the ability to have two machines, but not two separate physical machines, same physical machine. But I'm less likely to accidentally enter my credentials into the standard user environment because I have to do that reboot to get from one to the other. Although that could be a little bit more cumbersome in my day to day activities. Because I might need to be able to switch quickly back and forth between them and having to wait between reboots can be a little bit annoying. But at least there's several different options out there. Another that I wanna point out that kinda falls into the middle on there, the virtual machine, is the virtual machine doesn't necessarily have to be running on that admin workstation. I could connect to a virtual machine that's running in a, like a VDI. All right, so I've got a virtual desktop that runs on a dedicated server farm, that's my normal user environment. And then my admin machine is my host that I'm just remotely connecting to the other one from. Right, so now let's talk about randomizing the local admin password. We have a solution called the Local Admin Password Solution.
00:29:52 [LAUGH] Or LAPS for short.

00:29:54 >> Happy title.

00:29:55 >> Yeah. This is a free tool. And it's very easy to use. To set it up, all there is is there's a very quick schema extension, and you get these two values here. One of them stores the password in it, the other one stores an expiration time, and all of this is controlled by a GPO. So there is a very quick script to run. It's actually a one-liner command, and it's a very detailed guide that comes with this for setting it up. You execute the script, and that sets up the schema extensions. And then you go into the GPO and you configure your settings. And it pushes out the DLL that tells every computer that you apply this GPO to, that I'm going to set the password for the local admin account on this computer to something that's completely random. And we do this because if I have the same password, same local admin password on all of my systems, it's very easy for me to do that lateral movement. Because I can just use that local account to go from machine to machine to machine, and eventually, I'm gonna find those domain credentials and get that escalation of privilege by doing this. So this is a very big step towards eliminating the ability to do that lateral traversal.

00:31:20 >> Now, question, why is it okay that it's storing the password in clear text?

00:31:25 >> Very good question, because I get asked this one a lot by customers. And it's okay because it's stored in Active Directory in a secure value that you lock down with an access control list. So only people that you want to be able to read this password can read the password.
00:31:44 So, for example, I would give my help desk staff the ability to read the passwords on my Tier-2 workstations. So that if you were to call me up, and I'm working on the help desk, and you say I'm having this problem with my computer, and I need to remote into your computer. Well, just like we were talking about with separating our accounts and separating workstations, I don't want to expose a domain account that is highly privileged to your untrusted workstation. I wanna use a local account that is privileged, just the local admin account on your workstation, so that I can fix your computer for you. So I'm gonna first go into Active Directory, and I'm gonna look at your computer account. And actually, why don't I just show you? Let's hop into a demo here, and we'll show you how this actually works. All right, so as I was talking about, this is all controlled by GPO, and here's what the GPO settings look like. When you install this local admin password, or LAPS solution here, you'll get a GPO with a few different settings. The first one I have here are the password settings. For my demo here in the lab I went with the defaults, and it sets the password to something completely random that's 14 characters long, and then it sets the expiration on it for 30 days. Now, I could make that more or less however I want. Every time this computer reboots, that password is going to get reset to something completely random. When it happens, we write to those values that we saw on the slides there. We write that password, and I go over and find this computer. So this was the computer that I logged into.
00:33:47 And if I have permissions to do this, 00:33:50 which you should very tightly control, and 00:33:53 we want specific people to have permissions on it. 00:34:01 I can go and look up what the password is for 00:34:04 this workstation, and here we have it. 00:34:08 So you see this 14 character long 00:34:10 random password was generated. 00:34:13 Now, if I wanted to remote into this machine, 00:34:17 I could copy this out of here. 00:34:19 And then there's actually a couple 00:34:20 different ways you can get to it. 00:34:22 So I'm showing how to look at this 00:34:24 through the Attribute Editor in AD Users and Computers, but 00:34:27 it actually comes with a thick client 00:34:30 that you can give to whoever needs to have this capability of 00:34:34 looking up a system's local admin password. 00:34:36 Or they could just type in the name of the computer that they 00:34:39 need the password for, and it will query it. 00:34:41 And as long as they have the proper permissions to 00:34:44 access this attribute, it will return the password for them. 00:34:47 There's also a PowerShell 00:34:50 tool that you could do the same thing with, so 00:34:52 you've got a couple different options for retrieving it there. 00:34:55 So I get the password, and then I remote into the system, 00:35:01 and I log in with whatever the local administrator account is. 00:35:04 It doesn't matter if it's been renamed, the tool is looking for 00:35:07 the well-known SID for that account. 00:35:10 So if my local admin account was renamed Claire, 00:35:14 it would set the password on Claire, right? 00:35:17 But if it's administrator, administrator, you get the idea. 00:35:19 And so 00:35:21 I would just copy this password and paste it in to log in. 00:35:25 And when I'm done doing that, I can go back and 00:35:29 force the password to change so that the next time somebody 00:35:33 needs to do it, they have to look up a new password. 00:35:35 >> And the end user really never gets?
00:35:38 >> The end user never knows, because they shouldn't, right? 00:35:40 They shouldn't know what that local password is, 00:35:43 they don't need that level of privileges on it. 00:35:47 So only the people that you give permissions to retrieve this 00:35:51 information are able to access it. 00:35:53 >> Great, and all part of the free tool. 00:35:57 >> All part of the free tool. 00:35:59 And it's so easy to implement, and 00:36:02 because you can control everything from the GPO, 00:36:07 one of the other settings that was in there was you can 00:36:11 enable and disable whether or not you're setting the password. 00:36:14 So you can set everything up in advance and get it ready to go 00:36:18 and then roll it out during your next change management window or 00:36:22 whatever the processes are for your organization, and 00:36:26 you can even test it first, right? 00:36:29 I can link the GPO and enable it just for 00:36:31 a small subset of computers, make sure it's doing what I 00:36:35 expect it to do before I roll it out to the rest of them. 00:36:38 And we should do this on both our workstations and 00:36:43 our servers. 00:36:44 The exception, obviously, being domain controllers, because 00:36:49 domain controllers don't really have a local admin account, 00:36:52 it's the built-in administrator account. 00:36:54 We don't wanna try and set that there, but all of our 00:36:56 other Windows systems, whether they're servers or workstations, 00:37:00 gotta use this tool on. 00:37:01 >> That's great. 00:37:03 >> So let's take a look at some additional controls. 00:37:09 One thing that you can do to strengthen. 00:37:12 So we talked about the top three here in protecting your 00:37:15 privileged identities, but there's some additional controls 00:37:19 as you move along that you wanna implement here. 00:37:23 One of them being multi-factor authentication. 00:37:25 That could be anything like a smart card, 00:37:29 a one-time use password token.
00:37:32 We have this thing in all of our online properties, 00:37:35 like Office 365 and Azure, called PhoneFactor or 00:37:38 phone authentication where you can have it send you a text 00:37:41 message or give you a phone call and 00:37:43 ask you to put in a PIN as another form of authentication. 00:37:47 So always something you have and 00:37:50 something you know to do that multi-factor. 00:37:53 Now, you should always start out with those privileged accounts, 00:37:57 you wanna make it mandatory for those privileged accounts. 00:38:00 So when I log into my PAW, I have to have a second, or if there 00:38:04 are more than one factor of authentication to get into it. 00:38:08 And then, it's also very recommended for 00:38:11 all of the other accounts that you have in the environment, 00:38:15 all your normal user accounts. 00:38:17 It doesn't stop the pass-the-hash, but it does stop you from 00:38:22 if you don't have my additional factor of authentication, 00:38:26 it stops you from using my credentials remotely. 00:38:29 So if you phished me and got my password, 00:38:31 maybe you're not gonna be able to log into my system now 00:38:35 if all you have is my password. 00:38:37 In that scenario where you ask me for my password, and 00:38:40 I give it to you, it doesn't stop the attacker if 00:38:45 you click on something and download some malware. 00:38:48 At that point, they don't need your password, 00:38:49 because they could just use the hash. 00:38:52 But still, 00:38:53 a lot of value out of doing that multi-factor authentication. 00:38:57 The next thing, and I combine these together, 00:39:00 you might hear people separate them from time to time, 00:39:04 but is Just In Time and Just Enough Administration, 00:39:08 and they're the most powerful when combined together. 00:39:12 And when I use those, what I'm doing is making it so 00:39:16 that I only have privileges when I need them.
00:39:20 So we already reduced where our privileges are being exposed by 00:39:23 having those privileged access workstations, and I can reduce 00:39:28 the exposure even further by making my privilege temporary. 00:39:33 So if I know that I'm gonna need to be a domain admin to work on 00:39:38 a domain controller and do some maintenance on it, and 00:39:41 it's gonna take me three hours to do this maintenance. 00:39:45 I can apply this Just In Time approach, and 00:39:48 there are different solutions out there that'll help you 00:39:52 with that, 00:39:53 where it puts my privileged account into domain admins. 00:39:57 On a timer for that three hours or however long it's 00:40:00 gonna take me to complete my work and my tasks. 00:40:02 And as soon as that timer's up or 00:40:04 as soon as I'm done doing my work, it pulls it out and 00:40:08 that account no longer has those privileges. 00:40:10 So that makes it so that even if somebody managed to get it past 00:40:13 our mitigations and defenses, the account may still be useless 00:40:18 to them because right now I'm not doing anything with it, 00:40:22 it's unprivileged and I can't access things. 00:40:25 >> One offering that we have around that is MARS, right? 00:40:28 So we have an offering called Manage Access Request System. 00:40:32 MARS was built on PHIM in the past, right? 00:40:36 Or it is built on PHIM and 00:40:38 now with MIM coming out we're building MARS on MIM. 00:40:42 So one of the credential theft mitigations that 00:40:45 we offer as part of Microsoft Services. 00:40:47 >> Yeah, that's that Microsoft Identity Management Solution. 00:40:51 >> Yes. 00:40:52 >> Yeah, and I know they're building some things in another 00:40:55 tool called the Privileged Access Management, 00:40:58 the PAM tool that kind of goes along with this as well. 00:41:02 And then you tie that in to the just enough administration which 00:41:07 goes back to the least privileges that you and 00:41:09 Zade talked about earlier.
00:41:11 So I only have 00:41:14 enough privileges to complete the tasks that I need. 00:41:17 If I don't need to be a domain admin to do something 00:41:20 I don't get that level of privileges. 00:41:22 I get something less than it. 00:41:24 And like I said, 00:41:26 it really ties back into those principles of least privileges. 00:41:30 Then the last control that you would look at is a separate 00:41:35 forest for administering your production forest for 00:41:39 Active Directory. 00:41:42 Now we have a solution called the Enhanced Security 00:41:45 Administration Environment for this and 00:41:48 we set up what we call a Red Forest and our tier 0 PAWs and 00:41:53 all our tier 0 accounts live inside of this Red Forest. 00:41:57 And we use that to manage our tier 0 00:42:00 assets in our production forest. 00:42:03 Sometimes you might hear people refer to it as a Blue Forest, 00:42:07 Red versus Blue there. 00:42:08 And with that if my production forest gets compromised, 00:42:15 they don't have a way back in to my admin forest. 00:42:20 And they can never get a hold of my admin credentials there. 00:42:23 So that's just another thing to do to reduce the exposure. 00:42:28 That's really what all of this is about and 00:42:30 all these mitigations are about is minimizing the exposure of 00:42:34 the credentials. 00:42:35 Because if I was an attacker, never have an opportunity to 00:42:38 see those credentials and I'm stuck and 00:42:41 hopefully you're gonna find me before I can ever get to 00:42:44 that privileged escalation step that we talked about earlier. 00:42:51 >> All right, so coming up next we are moving into Tactic 3, 00:42:54 Defending your Directory. 00:42:57 And I will be working with Josh on that one. 00:43:01 And finally, the resources that we have available as part of 00:43:04 this session, there's a whole list of them. 00:43:07 There's securing privileged access by Microsoft, 00:43:11 at these aka.ms links.
00:43:14 There's more information about our PAW offering under 00:43:16 Privileged Access Workstations, something that you can also take 00:43:19 and do on your own at your organization. 00:43:24 The script that Josh showed us, demoed here today, 00:43:27 that's available on the TechNet gallery there at that link. 00:43:32 LAPS, again a free solution, also demoed today. 00:43:37 Pass-the-hash demo, the third demo that we went through today. 00:43:43 >> Actually, that was the first one that we did, but 00:43:45 there is a recording that's actually 00:43:48 probably a little bit shorter than the one that we did here, 00:43:51 that's out on YouTube that you can watch, very well done. 00:43:56 It's put in a way that you could even show this to your business 00:44:01 leaders and 00:44:02 not necessarily just limit that audience to IT professionals. 00:44:07 It's very impactful, 00:44:08 I find, so again a bunch of great, free resources. 00:44:13 Everything that we're showing here in this session today you 00:44:16 can do on your own. 00:44:18 Of course there are lots of services that we have available 00:44:22 from Microsoft to help you out here and help you implement 00:44:26 these mitigations and help you defend and 00:44:30 secure your Active Directory against cyberattacks. 00:44:34 We hope to see you again in the next section. 00:44:36 >> Thank you.