Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

For those that didn't make the connection, the first session I noted several weeks ago is based on the Mitigating the Pass-the-Hash paper that Jeff separately noted: www.microsoft.com/en-us/download/details.aspx?id=36036.

 

I've watched the session now.

 

Here's a high-level summary:

-Very sharp guys, know the topical area well

-Microsoft is seeing that most enterprise compromises involve compromise low-level workstation + lateral compromise involving pass-the-hash to get privilege escalation.

-Microsoft has come up with some semi-useful mitigation strategies, which the presenters acknowledge are "just a starting point". MS is working on more effective solutions since this is ultimately based on architecture/design.

 

Random bits of info I found interesting:

-network logon doesn't generate a password hash; all other logon types do.

-'smartcard required for interactive logon' is not protection against pass the hash; a hash is still generated and that hash doesn't expire

-"Advanced Security architecture" presented at end was very convoluted with:

                - a separate forest for domain admins

                -a trust with selective authentication

                -IPSec security isolation for selective ports on the DCs

                -no accounts in Domain Admins

 

The smart card hash info means that depending on the scenario, orgs planning on getting InCommon Silver with AD using smart cards/certificate based authN may need have replaying the hash issues they hadn't realized.

 

On the 2nd session, it was more of a pen-test demonstration that exposed that some Microsoft applications store the password via methods that can be reversed. The presenter compromised a computer, then demonstrated that she could leverage these various application password storage methods to retrieve higher privilege account passwords. One notable example was IIS app pool identities (even those whose password is encrypted). Not especially relevant to our topical area here, but interesting all the same.

 

From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Thursday, June 06, 2013 6:40 AM
To:
Subject: [AD-Assurance] RE: interesting teched sessions that overlap with our topic area

 

The recording for the first session is now available online.  Time is 80 minutes.

 

The second program is today, so it may take 24-48 hours for it to be posted.

-Jeff C.

 

From: [] On Behalf Of Brian Arkills
Sent: Thursday, May 09, 2013 4:46 PM
To:
Subject: [AD-Assurance] interesting teched sessions that overlap with our topic area

 

I came across these two yesterday:

 

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B210

 

Pass the Hash (PtH) has become one of the most widespread attacks affecting our customers. Many of our customers have made it their top priority to address PtH. In response, Microsoft has assembled a workgroup to investigate effective and practical mitigations that could be used now as well as future platform modifications. This presentation covers the problem of credential theft and re-use, focusing on Pass-the-Hash attacks as an example, and discusses Microsoft’s recommended mitigations. The presenters are members of the Cybersecurity Services team.

 

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B301

 

Wherever and whenever you enter your password in the password field, there is at least one mechanism that must know it to use it later for the designed purpose. The common knowledge is that when we set up our password in Windows it is hashed and stored either in SAM or ntds.dit database in Active Directory. This is useful for verification purposes, but if your operating system can re-use the password it means others can decrypt it! In this intensive session, learn the encryption and decryption techniques being used nowadays in systems, networks, and applications. We look at the various technology weaknesses and try to take passwords from the places where they are used by the operating system to perform several operations. Become familiar with some unexpected places for your passwords and learn what you can do to mitigate the risk before somebody else grabs them! Session covers passwords’ internals. Have a cup of coffee before attending!

---

That Microsoft workgroup mentioned in the top one sounds like folks we'd really like to talk to, and I'm going to see if I can't hunt down the speakers.

 

I'll also try to attend these sessions in early June.

 

-B