Evolution of security risk in centralized computing

In the 1980s computing was centralized: for most organizations the only computer that existed was the mainframe, and it was used heavily for large batch-processing jobs and complex computation. Security at that time was not really a concern, because a dumb terminal gave the user very few options; that does not mean we were living in a computing utopia.

The PC era that followed was distributed, and around the turn of the century technology swung back toward centralized services such as Microsoft Active Directory. More and more applications and services integrate with Active Directory for authentication and authorization, but choosing convenience over security can expose the whole system to a risk that impacts business operations.
Introduction

Consolidation has always been one of the biggest challenges in IT for a large company, and the risk that comes with it grows more critical day by day. The biggest challenges in managing a centralized server are the privileges that are granted, the skill set of the people who run it, and planning.

With Windows 2000, Microsoft introduced a centralized access control service called Active Directory, and from then on the operating system has become more and more important as part of centralized authentication.

Active Directory, a directory service, provides a single hierarchical view from which to manage all access in the network. It also provides a central location to store policy information, and it authenticates domain logons.
The myth of tomorrow

As the service has become more and more important, every area needs to be mitigated and addressed, but how many organizations actually do this? Do you believe that with all those controls in place, all the risk goes away? No matter how much we do, risk is never eliminated, only reduced. Let us look at the areas that most IT security practitioners address to secure Windows Server machines against an attacker.
Security Compliance Manager tools

Group Policy is a collection of user and computer configuration settings, most of which are linked to an organizational unit (OU). It was first introduced in Windows 2000 as part of the initiative to secure Active Directory deployments. In the past, each of us developed our own way to secure user and computer objects based on business needs. When the question was raised, "what is the recommendation, and can we download the best practice?", that was a challenge.

Microsoft understands the challenge and has released a free tool known as Security Compliance Manager (SCM) v2. The tool bundles Microsoft's security guide recommendations and industry best practices, and it lets you benchmark your configuration against those baselines, which is very useful.

More detail can be found at http://www.wongchonkit.com/2012/01/microsoft-security-compliance-manager.html, where you can look at the configuration in more depth.
Best practices

Some of the best-practice configuration can be found in Security Compliance Manager, but some of it requires manual tweaking, such as disabling the administrative shares. The administrative shares (C$, D$, ADMIN$ and so on) are created automatically by the Server service and can be disabled from the registry:

- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- In that key, locate the value AutoShareServer. If it does not exist, create it (Edit > New > DWORD Value).
Note: AutoShareServer must be of type REG_DWORD. When this value is set to 0 (zero), Windows does not automatically create the administrative shares. This does not apply to the IPC$ share or to shares that you create manually. On a workstation operating system the equivalent value is AutoShareWks.
- On the Edit menu, click Modify. In the Value data box, type 0, and then click OK.
- Quit Registry Editor.
- Stop and then start the Server service. To do so:
a. Click Start, and then click Run.
b. In the Open box, type cmd, and then click OK.
c. At the command prompt, type the following lines. Press ENTER after each line:
net stop server
net start server
d. Type exit to quit Command Prompt.

Caveat: many management tools (software deployment, patch agents, remote file and event-log access) rely on ADMIN$ and C$, so test before rolling this out. Disabling automatic creation is also not a defence against anyone who already holds administrative rights; a local administrator can recreate the shares with net share at any time.
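The same change, scripted and verified, as an added example that is not part of the original article. It assumes Windows Server 2012 or later (for Get-SmbShare) and that it runs as an administrator; on older systems replace the verification with net share.

```powershell
# Added example (not from the original post): apply the registry change above
# and confirm the Server service no longer creates the administrative shares.
# Assumes an elevated PowerShell session on Windows Server 2012 or later.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Server SKUs read AutoShareServer, workstation SKUs read AutoShareWks;
# Win32_OperatingSystem.ProductType is 1 for a workstation, 2 for a domain
# controller and 3 for a member server.
$productType = (Get-CimInstance Win32_OperatingSystem).ProductType
$valueName   = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

Write-Host "Shares before the change:"
Get-SmbShare | Select-Object Name, Path | Format-Table -AutoSize

# Create or overwrite the REG_DWORD and set it to 0 (do not auto-create shares).
New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# The Server service (LanmanServer) reads the value at start-up, so restart it.
# -Force also restarts services that depend on it, if any are running.
Restart-Service -Name LanmanServer -Force

# Verify: the drive shares (C$, D$, ...) and ADMIN$ should be gone; IPC$ stays.
$remaining = Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -eq 'ADMIN$' }
if ($remaining) {
    Write-Warning "Administrative shares still present: $($remaining.Name -join ', ')"
} else {
    Write-Host "Administrative shares disabled. IPC$ remains, which is expected."
}
Get-SmbShare | Select-Object Name, Path | Format-Table -AutoSize
```

On a domain controller the restart of the Server service also briefly takes the SYSVOL and NETLOGON shares offline, so schedule it accordingly. The script only stops the shares from being created automatically; it does not prevent an administrator from recreating them.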
The best practices also include further configuration, such as disabling unused services to reduce the attack surface.
Patching

Patching is a core function of IT management and must be carried out in a timely and efficient manner. The procedure should be tightly integrated with the corporate change-management process that applies to the entire organization. Before Windows Server Update Services (WSUS) was introduced, patching was a nightmare because there was no centralized patching infrastructure. Besides applying security fixes, running a current, supported version of the operating system is also part of core IT management.

You can find more information on patching and on designing the infrastructure at http://www.wongchonkit.com/2012/01/wsus-in-windows-server-8.html.
Antivirus

No matter how good the Windows operating system is, it cannot escape the massive damage caused by viruses, worms and Trojans. Whatever the size of the organization, antivirus is standard hygiene that every Windows system must have to protect its integrity, confidentiality and availability. This is not limited to Microsoft products; with the increasing threat, other platforms are catching up.
So, what's the problem?

If you look at the entire security ecosystem, we have covered technical prevention, administrative controls and a detective plan. But the risk does not stop there. Some risks cannot be prevented by technology, and that is what I want to discuss here. What if the risk falls into one of the categories below? I am going to show an attack on Active Directory performed with a least-privilege account.

1. Human mistake
2. Disgruntled employee
3. Scripts are not viruses (antivirus will not flag an administrative script)
What is least privilege?

This is the most painful part of assigning permissions to users. The question is always: what are those permissions, and did I give more than I should have? This is where least privilege is implemented across the organization: each user is given only the list of permissions they need to run their daily operations. For example, a DHCP administrator can only run DHCP-related applications; any other privilege, such as changing the domain name, is prohibited.

The principle is widely recognized as an IT security consideration that enhances protection against malicious behaviour in computer systems.
In a typical Active Directory environment, the following service administrator groups are capable of creating groups and potentially causing access-token limitation problems:

- Default groups in the Builtin container:
  - Administrators
  - Server Operators
  - Backup Operators
  - Account Operators
  - Print Operators
- Default groups in the Users container:
  - Enterprise Admins
  - Schema Admins
  - Domain Admins
What does it mean?

By now I am sure you have a better understanding of the overall mitigation plan for securing the operating system. In the rest of the article I am going to show the damage that can be done with a least-privilege user, to the point where technology cannot prevent it. This is not a zero-day attack, but I believe many IT professionals are not aware of the issue. The attack does not require any third-party software; we will use only built-in scripting.

As explained above regarding least-privilege accounts, for this lab I am going to use an operator group, which has far fewer permissions than Administrators, Domain Admins or Enterprise Admins. That is all it takes to cripple the entire Active Directory domain. Note that, apart from the operator groups, the other admin groups mentioned can do even more damage.

The operator groups mentioned earlier were first introduced with Windows 2000 Server. Of them, Account Operators by default has permission to create and delete the following objects:

1. Computer objects
2. User objects
3. Group objects

And that is all I need to cripple the entire Active Directory.

Of course, when you hear the name "operator" you may think of something like a help desk, and that is exactly why the group was created. The group has also been granted the right to log on locally, including on domain controllers (Account Operators is in the Allow log on locally right of the Default Domain Controllers Policy). This is where the risk starts.
Let's bring the storm

I am a strong advocate of security over convenience. For this example, assume a corporate environment in which an operator looks after your Active Directory servers and certain tasks have been delegated to them.

Windows admins have been clicking around the operating system to accomplish their tasks; after all, the GUI is the whole point of Microsoft Windows, as opposed to a "text" operating system. The GUI is great because it lets you discover more.

A perpetrator, or a good admin, on the other hand, strongly believes in scripting, because it accomplishes the task in a fraction of the time.
There are two ways to do this, depending on whether you have an application that can loop over the group names. In the first example I use Microsoft Excel to generate group names up to 1,016 and copy them into a text file, then create the groups with the batch command shown below (typed at the command prompt; inside a .bat file write %%i instead of %i).

for /f %i in (Group-List.txt) do dsadd group "cn=%i,OU=Groups,dc=testlab,dc=com" -secgrp yes -scope g -samid %i

To explain the command: it reads Group-List.txt, which contains one group name per line, and creates each name as a global security group in the OU named Groups.

dsquery group "ou=Groups,dc=testlab,dc=com" -limit 2000 | dsmod group -addmbr "CN=Domain Users,CN=Users,dc=testlab,dc=com"

As you can see, ordinary administrative commands can sometimes be used to launch an attack.

Figure 1: adding Domain Users to the new groups

The dsquery command lists the distinguished names of all groups in the OU and pipes them to dsmod, which adds Domain Users, the group every Active Directory user belongs to, as a member of each of them. Every user is therefore a nested member of all the groups you have just created, and the domain controller includes every one of them when it computes the user's group SIDs. Note that none of this needs a logon to a domain controller: dsadd, dsquery and dsmod talk LDAP to the DC from any domain-joined machine that has the AD DS command-line tools installed.
The second approach uses PowerShell. If you are new to PowerShell, do not be put off by the name; you use it much like the cmd.exe that shipped with the PC years ago. In a nutshell, PowerShell is not the same as a Unix bash shell, which is where people usually get confused.

Start by importing the Active Directory module into PowerShell:

Import-Module ActiveDirectory

The rest of the script is straightforward: it creates global security groups named group1 to group1016 in the Groups OU.

For ($i = 1; $i -le 1016; $i++)
{
    New-ADGroup -Name "group$i" -SamAccountName "group$i" -GroupCategory Security -GroupScope Global -DisplayName "group$i" -Path "ou=Groups,dc=testlab,dc=com"
}

Then, exactly as in the batch example, add Domain Users as a member of every one of them:

dsquery group "ou=Groups,dc=testlab,dc=com" -limit 2000 | dsmod group -addmbr "CN=Domain Users,CN=Users,dc=testlab,dc=com"
What has just happened?

By running the scripts shown above you have caused a denial of service in Active Directory that affects every user in the domain.

Figure 2 shows what you see when you try to log on to a machine with domain credentials. Simply by creating this number of groups and nesting Domain Users into them, we have caused a denial of service.

Figure 2: Error message when logging on to the machine.

The reason this happens is that the Local Security Authority (LSA), which is responsible for authentication and authorization and for processing logon requests, was unable to build an access token for the user.

Few people know about this limitation of security groups in Active Directory, and it has existed since the first version of Active Directory. According to Microsoft TechNet, an access token can hold at most 1,024 SIDs, and LSA inserts 9 well-known SIDs into every user's token, so a user can be a direct or nested member of at most about 1,015 groups. In the tests with the PowerShell and batch scripts we created 1,016 groups; with the 9 well-known SIDs that makes 1,025, over the limit. Every user in the domain is affected, because Domain Users is nested into the new groups, and it makes no difference whether they authenticate with Kerberos or NTLM: the limit is on the token LSA builds, not on the protocol.

Applications that are integrated with Active Directory, such as SharePoint, are affected as well. A related but separate failure mode is Kerberos ticket bloat: a user with many groups can exceed MaxTokenSize long before the 1,024-SID limit, which breaks Kerberos authentication to services such as IIS while NTLM still works. The table below shows the well-known SIDs.
SID | Name | Description |
S-1-0 | Null Authority | An identifier authority. |
S-1-0-0 | Nobody | No security principal. |
S-1-1 | World Authority | An identifier authority. |
S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. |
S-1-2 | Local Authority | An identifier authority. |
S-1-3 | Creator Authority | An identifier authority. |
S-1-3-0 | Creator Owner | A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's current owner. |
S-1-3-1 | Creator Group | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner. The primary group is used only by the POSIX subsystem. |
S-1-3-2 | Creator Owner Server | [SID not used in Windows 2000.] |
S-1-3-3 | Creator Group Server | [SID not used in Windows 2000.] |
S-1-4 | Nonunique Authority | An identifier authority. |
S-1-5 | NT Authority | An identifier authority. |
S-1-5-1 | Dialup | A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. |
S-1-5-2 | Network | A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system. |
S-1-5-3 | Batch | A group that implicitly includes all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled by the operating system. |
S-1-5-4 | Interactive | A group that includes all users who have logged on interactively. Membership is controlled by the operating system. |
S-1-5-5-X-Y | Logon Session | A logon session. The X and Y values for these SIDs uniquely identify a particular logon session. |
S-1-5-6 | Service | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. |
S-1-5-7 | Anonymous | A user who has logged on anonymously. |
S-1-5-8 | Proxy | [SID not used in Windows 2000.] |
S-1-5-9 | Enterprise Controllers | A group that includes all domain controllers in an Active Directory directory service forest of domains. Membership is controlled by the operating system. |
S-1-5-10 | Principal Self (or Self) | A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object. |
S-1-5-11 | Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. |
S-1-5-12 | Restricted Code | [SID reserved for future use.] |
S-1-5-13 | Terminal Server Users | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system. |
S-1-5-18 | Local System | A service account that is used by the operating system. |
S-1-5-<domain>-500 | Administrator | A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group. |
S-1-5-<domain>-501 | Guest | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
S-1-5-<domain>-502 | KRBTGT | A service account that is used by the Key Distribution Center (KDC) service. |
S-1-5-<domain>-512 | Domain Admins | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. |
S-1-5-<domain>-513 | Domain Users | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically. |
S-1-5-<domain>-514 | Domain Guests | A global group that, by default, has only one member, the domain's built-in Guest account. |
S-1-5-<domain>-515 | Domain Computers | A global group that includes all computers that have joined the domain, excluding domain controllers. |
S-1-5-<domain>-516 | Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically. |
S-1-5-<domain>-517 | Cert Publishers | A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. |
S-1-5-<root domain>-518 | Schema Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. |
S-1-5-<root domain>-519 | Enterprise Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. |
S-1-5-<domain>-520 | Group Policy Creator Owners | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own. |
S-1-5-<domain>-553 | RAS and IAS Servers | A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. |
S-1-5-32-544 | Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group. |
S-1-5-32-545 | Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. |
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. |
S-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. This group does not exist on domain controllers. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares. |
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. |
S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. |
S-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. |
S-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. |
S-1-5-32-552 | Replicators | Not used in Windows 2000. In Windows NT domains, it is a built-in group used by the File Replication service on domain controllers. |
Note on ethics

Our intention in writing these articles is to give an overview of the tools that exist and how we can use them to secure our organization against unidentified threats. When you use the techniques above, please keep the following in mind:

1. Do not use this for any malicious purpose.
2. Do not attack any organization without approval from top management.
3. Think of the damage you might cause.
Conclusion

Up to Windows Server 2008 there is no fix for this issue; the 1,024-SID ceiling is a design limit of the access token. It is possible to recover from the damage, but if the administrators are not aware of the limitation, restoring the directory can turn into a rebuild. One observation during the test: if an administrator is not impacted at the time, he can open Active Directory Users and Computers and delete the groups.

But if all the administrators are impacted, recovery is more complex and takes more effort to bring the directory back to its original state. The only way to fix it at that point is to log on to a domain controller in Directory Services Restore Mode (the "safe mode" of a domain controller, which uses the local DSRM administrator account rather than a domain account) and deal with the security groups from there, or to restore the domain controller from a backup taken before the change.
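Remediation and detection for the attack above, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an account that can still log on, the lab's OU=Groups,DC=testlab,DC=com as the location of the attacker's groups, and that "Audit Security Group Management" is enabled on the domain controllers; the burst threshold is an assumption.

```powershell
# Added example (not from the original post): undo the group nesting, remove
# the attacker's groups, and find the burst of group-management events that
# the attack leaves in the Security log. Assumptions: RSAT ActiveDirectory
# module, an account that can still log on, the lab OU below, and auditing of
# Security Group Management enabled on the DCs.
Import-Module ActiveDirectory

function Remove-DomainUsersNesting {
    param([switch]$WhatIf)
    # Undo the dsmod step: take Domain Users out of every group that lists it
    # as a direct member. This alone shrinks every token back below the limit
    # and restores logons; the now-empty groups can be deleted afterwards.
    $domainUsers = Get-ADGroup 'Domain Users'
    $parents = @(Get-ADGroup -LDAPFilter "(member=$($domainUsers.DistinguishedName))")
    foreach ($g in $parents) {
        Remove-ADGroupMember -Identity $g -Members $domainUsers -Confirm:$false -WhatIf:$WhatIf
    }
    return $parents.Count
}

function Remove-AttackGroups {
    param([string]$SearchBase = 'OU=Groups,DC=testlab,DC=com', [switch]$WhatIf)
    # Delete every group under the OU the attacker used. Review the list with
    # -WhatIf first; in a real domain the OU will also hold legitimate groups.
    $groups = @(Get-ADGroup -Filter * -SearchBase $SearchBase)
    $groups | Remove-ADGroup -Confirm:$false -WhatIf:$WhatIf
    return $groups.Count
}

function Find-GroupCreationBurst {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # a domain controller
        [int]$Hours = 24,
        [int]$Threshold = 50                        # assumed: events per account per 10-minute window
    )
    # Each dsadd / New-ADGroup of a global security group raises event 4727 and
    # each dsmod -addmbr on one raises 4728 (universal groups use 4754/4756,
    # domain local groups 4731/4732). Hundreds from one account within minutes
    # is the signature of this attack; normal provisioning is a trickle.
    $filter = @{ LogName = 'Security'; Id = 4727, 4728; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields from the event XML rather than relying on
            # positional Properties, which differ between 4727 and 4728.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Subject = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
                Target  = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            }
        } |
        Group-Object { '{0}|{1}{2}0' -f $_.Subject, $_.Time.ToString('yyyy-MM-dd HH:'), [math]::Floor($_.Time.Minute / 10) } |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Account|Window'; e = { $_.Name } }, Count
}

# Dry run first, then for real, then see who did it and when.
Remove-DomainUsersNesting -WhatIf
Remove-AttackGroups -WhatIf
Find-GroupCreationBurst | Format-Table -AutoSize
```

None of this can run once every domain account is over the limit, because the Active Directory module needs a domain logon and the token limit applies to network logons to the domain controller as well. Because this particular attack hangs off Domain Users, a break-glass administrative account whose primary group has been changed to something other than Domain Users, and which has then been removed from Domain Users, keeps working and can run the clean-up; a delegation model that gives operators only the OUs they need, rather than Account Operators membership, stops the attack before it starts.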
As you have read above, it is sometimes better not to use the built-in groups, even though they are widely used because they are easy. The best practice is always to use the delegation mechanism built into Active Directory itself, which lets you delegate permissions at a granular level.

When it comes to Active Directory, especially in a global deployment, access must be properly planned so that it reflects roles and responsibilities.