Thursday, August 16, 2012

Evolution of security risk in centralized computing



In the 1980s there was little distributed computing: the only computer most organizations had was a mainframe, heavily used for large batch jobs and for complex computation.
Security was not much of a concern then, because a dumb terminal gives its user very few options; that does not mean we were living in a computing utopia.
Since the turn of the century the pendulum has swung back from the distributed computing that followed toward centralized services such as Microsoft Active Directory. More and more applications and services integrate with Active Directory for authentication and authorization, but choosing convenience over security can expose that central system to a risk that affects the whole business operation.


Introduction
Consolidation has always been one of the biggest challenges in IT for large companies, and the risk that comes with it grows more critical by the day. The biggest challenges in managing a centralized server are the privileges granted, the skill set of the staff, and the planning.

With Windows 2000, Microsoft introduced centralized access control in the form of Active Directory, and since then the operating system has become more and more important as the basis of centralized authentication.

Active Directory, a directory service, provides a single hierarchical view for managing all access on the network. It also provides a central place to store policy information and handles authentication for domain logons.

The myth of tomorrow
As the service becomes more and more important, every area needs to be addressed and mitigated; but how many organizations actually do this? And do you believe that with all those controls in place the risk goes away? No matter how much we do, risk is never eliminated, only reduced. Let us look at the areas that IT security practitioners usually cover to secure Windows Server machines against an attacker.

· Security Compliance Manager
- Group policies are collections of user and computer configuration settings, most of them linked to organizational units. They were first introduced in Windows 2000 as part of the effort to secure Active Directory deployments. In the past each of us developed our own way of securing user and computer objects based on business needs, so when someone asks what the recommended settings are, or whether a best-practice baseline can be downloaded, the answer is a challenge.

- Microsoft understands this challenge and has released a free tool, Security Compliance Manager v2, which contains Microsoft's security guide recommendations and industry best practices. It lets you benchmark your own configuration against those baselines, which is very useful.

- More detail can be found at http://www.wongchonkit.com/2012/01/microsoft-security-compliance-manager.html, including the individual configuration settings.

· Best practices
- Many of the best-practice settings come from Security Compliance Manager, but some need manual tweaking, such as disabling the administrative shares (C$, D$, ADMIN$ and so on). Administrative shares are created by the Server service and can be disabled from the registry:
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  4. In that key, locate the AutoShareServer value; if it does not exist, create it (Edit > New > DWORD Value).
Note The AutoShareServer value must be of type REG_DWORD. When this value is set to 0 (zero), Windows does not automatically create administrative shares. Note that this does not apply to the IPC$ share or to shares that you create manually. On client operating systems the corresponding value is AutoShareWks.
  5. On the Edit menu, click Modify. In the Value data box, type 0, and then click OK.
  6. Quit Registry Editor.
  7. Stop and then start the Server service, because the value is only read when the service starts. To do so:
a.   Click Start, and then click Run.
b.   In the Open box, type cmd, and then click OK.
c.   At the command prompt, type the following lines. Press ENTER after each line:
net stop server
net start server
d.   Type exit to quit Command Prompt.
- The best practices also include further configuration, such as disabling unused services to reduce the attack surface.
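As an added example (not code from the original post), the same change done from PowerShell, with the weak default shown beside the hardened value and a check of which administrative shares remain afterwards. It assumes an elevated session on a server operating system; on clients the value is AutoShareWks.

```powershell
# Added example, not part of the original post: the AutoShareServer change from the steps
# above done from PowerShell, followed by a check of which administrative shares are left.
# Assumes it runs elevated on a server operating system (on clients the value is AutoShareWks).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Weak default: the value is absent (or 1), so the Server service recreates C$, D$ and ADMIN$
# every time it starts.
$before = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).AutoShareServer
if ($null -eq $before) { 'AutoShareServer before: not set (defaults to enabled)' }
else                   { "AutoShareServer before: $before" }

# Hardened setting: REG_DWORD 0. Set-ItemProperty creates the value if it does not exist yet.
Set-ItemProperty -Path $regPath -Name AutoShareServer -Value 0 -Type DWord

# The Server service reads the value only at start-up, so restart it. -Force also restarts
# services that depend on it (for example the Computer Browser service).
Restart-Service -Name LanmanServer -Force

# Verify. Win32_Share.Type has the high bit (2147483648) set for administrative shares:
# 2147483648 = administrative disk share (C$, ADMIN$), 2147483651 = IPC$, which this
# setting never removes. After the change only IPC$ should be listed.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -band 2147483648 } |
    Select-Object Name, Path, Type
```

Before rolling this out, check what depends on the shares: remote administration tools that copy files through ADMIN$ (PsExec-style utilities, some deployment and backup agents) stop working on a server whose administrative shares are disabled.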

· Patching
- Patching is a core function of IT management and must be carried out in a timely and efficient manner. The procedure should be tightly integrated with the corporate change-management process that applies to the whole organization. Before Windows Server Update Services (WSUS) was introduced, patching was a nightmare, because there was no centralized patching infrastructure. Besides applying security fixes, running a current version of the operating system is also part of core IT management.

- More information on patching and on designing the infrastructure: http://www.wongchonkit.com/2012/01/wsus-in-windows-server-8.html.

· Antivirus
- However good the Windows operating system is, it cannot escape the massive damage caused by viruses, worms and Trojans. Whatever the size of the organization, antivirus is standard hygiene: every Windows system must have it to protect its integrity, confidentiality and availability. This no longer applies only to Microsoft products; with the growing threat, other platforms are catching up.

So, what’s the problem?
Looking at the whole security ecosystem, we have covered technical prevention, administrative controls and a detective plan. But the risk does not stop there. Some risks cannot be prevented by technology, and that is what I want to discuss here. What if the risk falls into one of the categories below? I am going to show an attack on Active Directory carried out with a least-privilege account.
1.   Human mistake
2.   Disgruntled employee
3.   Scripts are not viruses, so antivirus does not stop them

What is least privilege?
This is the most painful part of assigning permissions to users: what exactly are those permissions, and did I grant more than I should have?

This is where least privilege is applied across the organization: users are given only the permissions required to run their daily operations. For example, a DHCP administrator can only run DHCP-related tools; anything else, such as changing the domain name, is prohibited.

The principle is widely recognized as an IT security consideration because it limits the damage that any malicious behaviour on a computer can do.

In a typical Active Directory environment, the following service administrator groups can create groups and therefore potentially cause access-token limitation problems:
- Default groups in the Builtin container:
  - Administrators
  - Server Operators
  - Backup Operators
  - Account Operators
  - Print Operators
- Default groups in the Users container:
  - Enterprise Admins
  - Schema Admins
  - Domain Admins

What does it mean?
By now I am sure you have a better understanding of the overall mitigation plan for securing the operating system. In the rest of this article I am going to show the damage a least-privilege user can do, up to the point where technology cannot prevent it. This is not a zero-day attack, but I believe many IT professionals are not aware of the issue. The attack needs no third-party software; we will use only built-in commands and some scripting.
As explained above about least-privilege accounts, for this lab I am going to use an operator group, which has the fewest permissions compared with Administrators, Domain Admins and Enterprise Admins. That is all it takes to cripple an entire Active Directory domain. Note that the other admin groups mentioned can do even more damage.
The operator groups mentioned earlier were first introduced with Windows 2000 Server. Of them, Account Operators can by default create and delete the following object types:
1.   Computer objects
2.   User objects
3.   Group objects
And that is all I need to cripple the entire directory. The name "operator" may make you think of a helpdesk role, and that is exactly the purpose the group was created for. The group has also been granted the right to log on locally to servers, including domain controllers. This is where the risk starts.
Let's bring the storm
I am a strong advocate of security over convenience. For this example, assume a corporate environment: I am sure you have an operator looking after your Active Directory servers, with certain tasks delegated to them.
Windows admins click around the GUI to get their tasks done; after all, the GUI is the whole point of Windows, as opposed to an operating system driven by text. The GUI is great because it helps you discover more.

An attacker, or a good admin, however, believes in scripting, because it gets the task done quickly.

There are two ways to perform the task, depending on whether you have a tool to generate the group names in a loop. In the first example I use Microsoft Excel to generate names for 1,016 groups, copy them into a text file (Group-List.txt, one name per line) and create the groups with the following batch command (when run from a .bat file, write %%i instead of %i):
for /f %i in (Group-List.txt) do dsadd group "cn=%i,OU=Groups,dc=testlab,dc=com" -secgrp yes -scope g -samid %i
The command reads Group-List.txt, which contains one group name per line, and creates each name as a global security group in the OU named Groups.
dsquery group "ou=Groups,dc=testlab,dc=com" -limit 2000 | dsmod group -addmbr "CN=Domain Users,CN=Users,dc=testlab,dc=com"

As you can see, ordinary administrative commands can be just as useful for launching an attack.
Figure 1: adding groups to the domain users

The dsquery command lists every group in the OU (the -limit 2000 is needed because dsquery returns only 100 results by default) and pipes their distinguished names to dsmod, which adds Domain Users as a member of each of them. Because every Active Directory user is a member of Domain Users, every user is now transitively a member of all the groups you have just created, and you will see those groups in the user's membership.

The second approach uses PowerShell. If you are new to PowerShell, don't be put off by the name: it is used much like the cmd.exe that has shipped with PCs for years. In a nutshell, PowerShell is not the same as a bash shell, and people often get confused about that.
Start by importing the Active Directory module into PowerShell:
Import-Module ActiveDirectory

The rest of the command is straightforward: it creates groups with an incrementing number up to 1,016.

For ($i = 0; $i -lt 1016; $i++)
{
    # group1 ... group1016, each a global security group in OU=Groups
    $GroupNumber = $i + 1

    New-ADGroup -Name "group$GroupNumber" -SamAccountName "group$GroupNumber" -GroupCategory Security -GroupScope Global -DisplayName "group$GroupNumber" -Path "ou=Groups,dc=testlab,dc=com"

}


For the above command I think you already know what it does; the same dsquery and dsmod pair then adds Domain Users to every one of the new groups.

dsquery group "ou=Groups,dc=testlab,dc=com" -limit 2000 | dsmod group -addmbr "CN=Domain Users,CN=Users,dc=testlab,dc=com"
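Antivirus will not flag either of the loops above, but a domain controller with success auditing of security group management enabled records every group creation and every membership change in its Security log. The following script, added here and not part of the original post, pulls those events and reports any account that made an unusual number of changes in the window. It assumes the right to read a domain controller's Security log; the threshold and look-back window are placeholders to tune to your environment.

```powershell
# Added example, not part of the original post: detect the burst of group creations and
# membership changes that the batch and PowerShell loops above leave in the Security log.
# Assumes it runs with rights to read the Security log of a domain controller and that
# "Audit Security Group Management" (success) is enabled there; without that policy the
# events below are never written.
#
# Standard Windows event IDs used:
#   4727 / 4731 / 4754   security-enabled global / domain local / universal group created
#   4728 / 4732 / 4756   member added to a global / domain local / universal security group
$CreatedIds = 4727, 4731, 4754
$AddedIds   = 4728, 4732, 4756

function Get-GroupChangeBursts {
    param(
        [int]$Hours = 1,                            # look-back window
        [int]$Threshold = 50,                       # alert when one account exceeds this many changes
        [string]$ComputerName = $env:COMPUTERNAME   # a domain controller
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $CreatedIds + $AddedIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error; that just means nothing to report.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read the fields by name from the event XML instead of trusting positional Properties[].
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Subject = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'  # who made the change
            Group   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'   # the group changed
        }
    }

    # One line per account that crossed the threshold, with the split between groups it
    # created and memberships it added, and the time span of the burst.
    $rows | Group-Object -Property Subject | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $sorted = $_.Group | Sort-Object -Property Time
        New-Object PSObject -Property @{
            Subject       = $_.Name
            Changes       = $_.Count
            GroupsCreated = @($_.Group | Where-Object { $CreatedIds -contains $_.Id }).Count
            MembersAdded  = @($_.Group | Where-Object { $AddedIds -contains $_.Id }).Count
            First         = ($sorted | Select-Object -First 1).Time
            Last          = ($sorted | Select-Object -Last 1).Time
        }
    }
}

# Example: any account that created or filled 100 or more groups in the last 24 hours.
Get-GroupChangeBursts -Hours 24 -Threshold 100 | Format-Table -AutoSize
```

The loops in this article produce more than 2,000 such events from one account within minutes, which no legitimate helpdesk activity does; a scheduled run of this check on each domain controller, or the equivalent rule in a SIEM that collects those event IDs, gives you the warning before the first user fails to log on.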


What has just happened?
By running the scripts shown above you have caused a denial of service in Active Directory, and it affects every account in the directory.
Figure 2 shows what you get when you try to log on to a machine with domain credentials. Simply by creating that number of groups, we have caused a denial of service.

Figure 2: Error message when login into the machines.
The reason is that the LSA (Local Security Authority), which is responsible for authentication and authorization and processes the logon request, was unable to build an access token for the user; the logon fails with the message that the user's security context accumulated too many security IDs.
Few people know about this limitation on security groups in Active Directory, and it has existed since Active Directory was first introduced. According to the TechNet portal, an access token can hold at most 1,024 SIDs, and LSA itself inserts 9 well-known SIDs into every user's token, which leaves room for 1,015 group SIDs. In the tests with the PowerShell and batch scripts we created 1,016 groups, taking the total to 1,025. Every domain user whose logon requires LSA to build a token is affected, whether the logon is authenticated with Kerberos or with NTLM.
Applications that integrate with Active Directory, such as SharePoint, are affected as well. The table below lists the well-known SIDs as documented by Microsoft.
SID | Name | Description
S-1-0 | Null Authority | An identifier authority.
S-1-0-0 | Nobody | No security principal.
S-1-1 | World Authority | An identifier authority.
S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
S-1-2 | Local Authority | An identifier authority.
S-1-3 | Creator Authority | An identifier authority.
S-1-3-0 | Creator Owner | A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's current owner.
S-1-3-1 | Creator Group | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner. The primary group is used only by the POSIX subsystem.
S-1-3-2 | Creator Owner Server | [SID not used in Windows 2000.]
S-1-3-3 | Creator Group Server | [SID not used in Windows 2000.]
S-1-4 | Nonunique Authority | An identifier authority.
S-1-5 | NT Authority | An identifier authority.
S-1-5-1 | Dialup | A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
S-1-5-2 | Network | A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system.
S-1-5-3 | Batch | A group that implicitly includes all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled by the operating system.
S-1-5-4 | Interactive | A group that includes all users who have logged on interactively. Membership is controlled by the operating system.
S-1-5-5-X-Y | Logon Session | A logon session. The X and Y values for these SIDs uniquely identify a particular logon session.
S-1-5-6 | Service | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
S-1-5-7 | Anonymous | A user who has logged on anonymously.
S-1-5-8 | Proxy | [SID not used in Windows 2000.]
S-1-5-9 | Enterprise Controllers | A group that includes all domain controllers in an Active Directory directory service forest of domains. Membership is controlled by the operating system.
S-1-5-10 | Principal Self (or Self) | A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.
S-1-5-11 | Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
S-1-5-12 | Restricted Code | [SID reserved for future use.]
S-1-5-13 | Terminal Server Users | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system.
S-1-5-18 | Local System | A service account that is used by the operating system.
S-1-5-<domain>-500 | Administrator | A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.
S-1-5-<domain>-501 | Guest | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
S-1-5-<domain>-502 | KRBTGT | A service account that is used by the Key Distribution Center (KDC) service.
S-1-5-<domain>-512 | Domain Admins | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
S-1-5-<domain>-513 | Domain Users | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.
S-1-5-<domain>-514 | Domain Guests | A global group that, by default, has only one member, the domain's built-in Guest account.
S-1-5-<domain>-515 | Domain Computers | A global group that includes all computers that have joined the domain, excluding domain controllers.
S-1-5-<domain>-516 | Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.
S-1-5-<domain>-517 | Cert Publishers | A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
S-1-5-<root domain>-518 | Schema Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
S-1-5-<root domain>-519 | Enterprise Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
S-1-5-<domain>-520 | Group Policy Creator Owners | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own.
S-1-5-<domain>-553 | RAS and IAS Servers | A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
S-1-5-32-544 | Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.
S-1-5-32-545 | Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
S-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. This group does not exist on domain controllers. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares.
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
S-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
S-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
S-1-5-32-552 | Replicators | Not used in Windows 2000. In Windows NT domains, it is a built-in group used by the File Replication service on domain controllers.
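As an added example (not from the original post), the check a practitioner would want before and after an incident like this: how close each account is to the 1,015-group limit explained above, and which groups directly contain Domain Users. It uses ADSI rather than the ActiveDirectory module, so it runs from any domain-joined machine as an account allowed to read the constructed tokenGroups attribute (a domain administrator, for instance); the account name jsmith and the OU path are placeholders.

```powershell
# Added example, not part of the original post: measure how many group SIDs a domain
# controller would put into an account's token, flag accounts at the 1,015-group limit
# described above, and list the groups that directly contain Domain Users so they can be
# cleaned up. Uses ADSI only (no ActiveDirectory module required) and must run as an
# account allowed to read the constructed tokenGroups attribute, e.g. a domain administrator.
$MaxGroupSids = 1015   # 1,024 SIDs per token minus the 9 well-known SIDs LSA adds itself

function New-DomainSearcher {
    param([string]$Filter, [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $s.Filter = $Filter
    $s.PageSize = 1000   # paged search, so more than 1,000 results come back
    $s
}

function Measure-TokenGroups {
    param([System.DirectoryServices.DirectoryEntry]$Entry)   # a user or computer object
    # tokenGroups is computed by the DC and must be requested explicitly. It holds the
    # transitive set of security group SIDs: nesting already expanded, primary group included.
    $Entry.RefreshCache(@('tokenGroups'))
    $count = @($Entry.Properties['tokenGroups']).Count
    if ($count -gt $MaxGroupSids) { $status = 'OVER LIMIT: logon fails' }
    elseif ($count -gt 900)       { $status = 'WARNING: close to limit' }
    else                          { $status = 'OK' }
    New-Object PSObject -Property @{
        Account   = [string]$Entry.Properties['sAMAccountName'].Value
        GroupSids = $count
        Status    = $status
    }
}

function Get-TokenGroupCount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $r = (New-DomainSearcher "(&(objectCategory=person)(sAMAccountName=$SamAccountName))").FindOne()
    if ($null -eq $r) { throw "Account '$SamAccountName' not found" }
    Measure-TokenGroups $r.GetDirectoryEntry()
}

function Find-TokenBloat {
    # Sweep every user account and return them worst first.
    $rows = foreach ($r in (New-DomainSearcher '(&(objectCategory=person)(objectClass=user))').FindAll()) {
        Measure-TokenGroups $r.GetDirectoryEntry()
    }
    $rows | Sort-Object -Property GroupSids -Descending
}

function Find-GroupsWithMember {
    # Groups whose member attribute directly lists the given DN. Review the result before
    # removing anything: Domain Users legitimately belongs to some groups (BUILTIN\Users on
    # domain controllers, for one), so scope the search to the OU the attacker used.
    param(
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext,
        [string]$MemberDn = "CN=Domain Users,CN=Users,$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    )
    $s = New-DomainSearcher -Filter "(&(objectCategory=group)(member=$MemberDn))" -SearchBase $SearchBase
    $s.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($r in $s.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

# Usage, assuming domain administrator rights and a reachable domain controller:
Get-TokenGroupCount -SamAccountName 'jsmith'          # one account ('jsmith' is a placeholder)
Find-TokenBloat | Select-Object -First 10              # the ten most bloated accounts
Find-GroupsWithMember -SearchBase 'OU=Groups,dc=testlab,dc=com'
# Clean-up of the lab from this article: take Domain Users back out of each of those groups.
# Find-GroupsWithMember -SearchBase 'OU=Groups,dc=testlab,dc=com' |
#     ForEach-Object { ([ADSI]"LDAP://$_").Remove("LDAP://CN=Domain Users,CN=Users,dc=testlab,dc=com") }
```

tokenGroups counts only the domain-side groups. At logon the machine adds its own local groups (BUILTIN\Users and the like) and LSA adds the well-known SIDs, so an account that reads 1,000 here can still fail on a server where it holds extra local memberships; the same measurement applies to computer accounts, whose tokens are subject to the same limit.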



Note on ethics
Our intention in writing these articles is to give an overview of the tools that exist and how to use them to secure an organization against threats that have not yet been identified. When you use the techniques above, keep the following in mind:
1.   Do not use this for any malicious purpose.
2.   Do not attack any organization without approval from its top management.
3.   Think of the damage you might cause.

Conclusion
Up to and including Windows Server 2008 there is no proper fix for this issue: the 1,024-SID token size is a fixed design limit, not a bug that a patch removes. It is possible to recover from the damage, but administrators who are not aware of the limitation often end up rebuilding the entire directory.

One observation from the test: if an administrator is not affected at the time, he can open Active Directory Users and Computers and delete the groups (or remove Domain Users from them).

If every administrator is affected, recovery is more complex and takes much more effort to bring the directory back to its original state. What is left is to boot a domain controller into Directory Services Restore Mode (the safe-mode option for domain controllers) and log on with the DSRM administrator account, which is local to that domain controller and therefore not subject to the domain group limit, and from there restore the directory from a system state backup taken before the groups were created.
As you have read, it is sometimes better not to use the built-in groups, widely used as they are because they are convenient. It is always best practice to use the delegation mechanism built into Active Directory itself, which lets you grant permissions at a granular level.

With Active Directory, especially in a global deployment, access must be properly planned to reflect roles and responsibilities.
