Upload
shavonne-golden
View
213
Download
0
Embed Size (px)
Citation preview
Bezpečnost Windows pro pokročilé: zajímavosti a UAC
GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. |MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator
[email protected] | www.sevecek.com |
Specialties and demos
Advanced Windows Security
Too many SIDs in access token
Access token can accumulate only up to 1025 More than that, user cannot log on
• cannot create the access token• 0xC000015A = STATUS_TOO_MANY_CONTEXT_IDS
But the Account Logon Event will appear on DC as Kerberos authentication works fine
Translating SIDs in PowerShell
'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTAccount')).Value } }
'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n = 'Name' ; e = { $_ } }, @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } }
$rxSID = '[Ss]-1(?:-\d+){1,}'[regex]::Match('This SID S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619 has been detected', $rxSID).Value
Deleted domain user accounts
AD LDAP replication requires tombstone technology All deleted objects remain in the database
• tombstone lifetime• 60/180/360 days or anything configured manually
SID, samAccountName
Enumerating all users and groups in PowerShell
(1..10000) | % { "S-1-5-21-2533895723-4202532492-454630010-$_" } | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principal.NTAccount')).Value } } | ? { $_.Name -ne $null }
Example IIS app pool identity
Running IIS application pool under Network Service enables it to receive authenticated traffic from network
It also allows it to access network authenticated as the computer domain account
Running IIS application pool under Local Service prevents remote access
User Account Control
Advanced Windows Security
Restricted Users
Users often work as local Administrators• users on workstations/notebooks• local administrators on servers
We may want restrict their default permissions and rights• allow them to elevate if required
Does not apply for remote (network) connections
UAC Options on Windows 7
UAC Options on Windows 8
Only display settings You must use the policy
Restricting Local Administrators
Windows XP and newer can restrict local Administrators• enforced by default on Windows Vista+• must use Run As on Windows XP
LSASS can issue restricted access token• Administrators and Domain Admins groups are marked as
Deny• Only basic user rights enabled
LSASS maintains two separate Kerberos ticket caches
“Deny” Groups in Access Token
User is not member of the group for Allow ACEs• if something is granted to the group, it does not apply
User is member of the group for Deny ACEs• if something is explicitly denied to the group, it still applies• not a common case for Administrators, but still good to know
Deny Group in Access Token
UAC on Windows XP and 2003
Děkuji za pozornost
GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. |MCM:Directory | MVP:Enterprise Security | CEH: Certified Ethical Hacker | CHFI: Computer Hacking Forensic Investigator
[email protected] | www.sevecek.com |