Active Directory... a critical technology, present in many companies... but long ago designed.

  Many companies configured it by default. You install DNS, run the old DCPROMO, define some administrators, and you can start working. Different companies, with different needs... but ending with the same default installation... which is highly insecure.

   Active Directory was designed with a clear security approach in mind : the enemy is outside my network.

   But nowadays, this is only partially true.

  Besides classical hackers, attacking our systems from the outside, we can find other attacks and issues :

    - Legit Administrators, inside our domains, but who sometimes make mistakes. Maybe unintended, but with devastating effects.

     - Users who run malicious code in our domains. Maybe unaware of the fact... or not.

    -  The Enemy Inside : Users who are formally in our payroll... but who are in fact working for our competitors, for a foreign government or agency, or for a criminal organization... inside our premises.

 

       Undercover, infiltrate workers, sleeper IT terrorists...  companies seldom talk about these, but they are much more frequent than it seems. If you want to devastate a company, it is much easier to bribe or infiltrate an Administrator, than attacking from the outside.

 
  If we promote a user to be an Administrator, is there a way to limit his/her actions ? Can we control and limit all their activities ? Can we separate the right, needed admin tasks, from errors or attacks ?  Can we log all their activities and movements ? Can they delete these logs ? Can they create new accounts for their 'friends' ? How to avoid they run some malicious code which would destroy the company the day he's ordered to do so ?

 

     Do we know all our Admins ?  Do we really trust all of them ?

    What if they are not persons but service accounts ? Or users with the DEBUG privilege ? Developers in the Production environment ?

    Will the best Antivirus save us... if the user is running code as Administrator ?  Is the Antivirus a solution, or maybe a part of the problem ?

    Do we have any users with local permissions to their computer, and a good knowledge of the latest attacks ?

 

Any user with physical access to their computer (any Local Admin, Developer, subdomain Administrator) can read and reuse other users' credentials as they could be stored into its memory... and even become Enterprise Admin.

This is now a trivial process (as many scripts already do it for you), and opens many doors to other attacks.

 

Is there any effective solution, which does not imply migrating all my computers to Windows 10 and 2016 ?

---

   This intensive course is dedicated to Active Directory security, and the protocols and mechanisms used in Windows.

   But being primarily focused on insecurity. We cover, amongst others, the latest vulnerabilities which affect the whole design of Active Directory, allowing every local administrator or developer to become Enterprise Administrator.
 
   Old, misleading concepts and frequent misconceptions are also discussed. Security configurations which might be in place several years ago, but are no longer valid nowadays.

   The course covers the different protocols and their relationships, the security architecture (both Windows and AD), some ways and tools to attack them, the Persistent Threat approach, and some possible mitigations.

   We reuse the experience acquired in some other large companies which are already implementing these countermeasures.

   The course is entirely face-to-face, and as usual, combines theory, concepts, demos, practical exercises taken from real life, discussion on the possible options, doubts and questions.

   Taught by Juan Carlos Ruiz. Computer Science Engineer, and highly skilled trainer, with a huge experience in training in the Windows environment. Previously PFE Master Trainer in Microsoft Corporation, has collaborated in the creation of similar workshops, and taught them a number of times, to Premier customers across all EMEA, and other trainers inside Microsoft. 

Knowledge and practical experience on Windows, Active Directory, and their management.

Some of the examples will use PowerShell, as attackers will also use automated tools. A minimum knowledge of this scripting technology is not necessary but highly recommended. If you are interested we can arrange a small introductory session based on the “PowerShell concepts” course.

To be determined, depending on the company needs and student level. (Orientative : 2 to 4 days)

• 1. Introduction.
  • Assumptions on the AD environment. Limits. Forests, Domains, Trusts.
  • AD Refresh. Components. AD as a service.
• 2. First Demo: Stealing the password of another administrator.
• 3. Basic Security Concepts.
  • Windows Access Model. Security Principals,
  • Logon, SIDs, Tokens, ACLs, Impersonation, UAC, Token Size, Permissions and Rights…
  • Single Sign On. LSASS. Security Providers.
• 4. Hacker's point of view. DEMO : WDIGEST attack and its mitigation.
• 5. NTLM.
  • Protocol, how it works, risks.
  • Attacks (Pass-The-Hash, cracking passwords).
  • Usage evaluation. Mitigations.
• 6. Kerberos.
  • Protocol, how it works, implementation.
  • Attacks (Overpass-The-Hash, Pass-The-Ticket, Golden Ticket, Silver Ticket)
  • Mitigations.
  • SPNs.
• 7. Demo : Some diverse attacks (Recent ones, Fall 2015)
• 8. Mitigation Possibilities.
  • Strategy, Best Practices
  • Configuration
  • Accounts, passwords…
  • Improvements in latest Windows versions. Usage in Windows 7.
  • Considerations on Smartcards. 2FA and 3FA
  • PAM tools. MIM
  • RODC
  • Jump Servers. Remote Desktop Gateway
  • Restricted RDP
  • Antivirus
  • Windows Update
  • Virtualization and its Risks
  • Miscellaneous
• 9. Demo : Constrained Endpoints and JEA. One solution using PowerShell.
• 10. Appendix. Reference, next steps...

More detailed information under demand.