Securing Credentials for Privileged Access


Hello, Paul Bergson back again. I have been on the road a bit more than normal doing security training/POC deliveries (POP-SLAM *1) for our customers related to Pass-the-Hash and credential protection. I have noticed an alarming trend in how credential protection is thought to keep a customer’s credentials from being compromised. Enterprises that are investing in vaulting software, and not ensuring the users of this vault have workstations that are isolated from internet and e-mail, are being lulled into a false sense of security!

Credential randomization and vaulting software has begun to expand; this is a great step as enterprises move to protect their assets from exposure, but accessing the vault from an insecure workstation bypasses the protective steps taken to secure these credentials. “Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization.” *2

Because passwords are randomized, an administrator who needs these credentials must open the vault and check them out. As soon as an insecure workstation connects to the vault, the integrity of any credentials retrieved can no longer be assured. Making matters worse, I have seen administrators want to reduce their trips to the vault by foreseeing possible future activity and copying ALL their privileged accounts to their desktop at the start of their day and pasting them in the clear to an open application such as Notepad. Capturing credentials pasted to the clipboard or into an application is trivial on a compromised workstation.

If an enterprise allows administrators to use the same workstation both for unprivileged activities, with public e-mail and internet browsing available, and for remote administration, it has NOT increased its credential protection. All the labor and expense that has been committed to vault and protect credentials has been wasted.

Looking at the example at the end of this document, you can see that an engineer who saves their password locally on a workstation that is not protected and isolated can easily have their secrets harvested. Even if a user is careful and only brings up a browser and reads their password (never placing it on the clipboard or into a text-based app), the result is the same: the password can be harvested.

An engineer’s workstation should be isolated and protected from any potential malware threats. Microsoft has published a document that guides our customers on how to configure their engineers’ workstations. The guidance is called Privileged Access Workstation (PAW *3). Customers can use this guidance, without any further assistance from Microsoft, to secure their workstations.

A Microsoft PAW implementation won’t require any additional hardware, as long as the current hardware can run a virtualization stack such as Windows 10. So, there should be no new net expense, just a requirement to rebuild the user’s/administrator’s workstation. If the current workstation is using Win10, it should be fully licensed for the Win10 guests of a PAW implementation, at no additional cost.

“Any user of a Licensed Device, or any device used by a Licensed User; may remotely access up to four Instances of the Software Running in Virtual OSEs or one Instance of the Software Running in one Physical OSE on (a) device(s) dedicated to Customer’s use.”  *4

Why a dedicated workstation?

“The current threat environment for organizations is rife with sophisticated phishing and other internet attacks that create continuous risk of security compromise for internet exposed accounts and workstations.

This threat environment requires an organization to adopt an “assume breach” security posture when designing protections for high value assets like administrative accounts and sensitive business assets. These high value assets need to be protected against both direct internet threats as well as attacks mounted from other workstations, servers, and devices in the environment.”  *5

As a part of protecting credentials within a vault, “Credential Tiering” should also be deployed. Credential Tiering is a configuration where credentials are only allowed to be used within a predefined Tier. Tiering will complement network isolation, when the isolation isn’t effective, by restricting what administrators can control and where they can log on.

“The Tier model is composed of three levels and only includes administrative accounts, not standard user accounts”.  *6

· Tier 0 – Manage the identity store and a small number of systems that are in effective control of it

    o DCs, PKI, RADIUS, etc.

· Tier 1 – Manage enterprise servers, services, and applications

· Tier 2 – Manage enterprise desktops, laptops, printers, and other user devices

PAW workstations should only be allowed to extract credentials and manage assets of a single Tier.  This protects against Tier escalation via what an account can manage and control.
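
The vault and tiering rules above can be checked mechanically against vault checkout and logon records. The following is an added example, not code from the original post or from any Microsoft tool; the host names, account names, tier assignments and the Event record shape are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): names are made up; tiers 0/1/2 follow the page.
PAW_TIER = {"paw-t0-01": 0, "paw-t1-01": 1, "paw-t2-01": 2}
ACCOUNT_TIER = {"adm-t0-alice": 0, "adm-t1-bob": 1, "adm-t2-carol": 2}
ASSET_TIER = {"dc01": 0, "pki01": 0, "sql01": 1, "web01": 1, "desk-114": 2}


@dataclass(frozen=True)
class Event:
    workstation: str  # where the administrator is sitting
    account: str      # privileged account checked out or used
    target: str = ""  # managed asset; empty for a plain vault checkout


def audit(event):
    """Return policy findings for one event; an empty list means compliant."""
    acct_tier = ACCOUNT_TIER.get(event.account)
    if acct_tier is None:
        return ["unknown privileged account: " + event.account]
    findings = []
    ws_tier = PAW_TIER.get(event.workstation)
    if ws_tier is None:
        # A vault is only as trustworthy as the workstation that opens it.
        findings.append("non-PAW workstation handled a privileged credential")
    elif ws_tier != acct_tier:
        findings.append(f"tier {ws_tier} PAW handled a tier {acct_tier} credential")
    if event.target:
        asset_tier = ASSET_TIER.get(event.target)
        if asset_tier is None:
            findings.append("unclassified target asset: " + event.target)
        elif asset_tier != acct_tier:
            findings.append(f"tier {acct_tier} account used on tier {asset_tier} asset")
    return findings


# Constructed sample events, not real logs.
SAMPLE = [
    Event("paw-t0-01", "adm-t0-alice"),              # compliant checkout
    Event("laptop-bob", "adm-t1-bob"),               # vault opened from a daily-use laptop
    Event("paw-t2-01", "adm-t0-alice"),              # PAW crossing tiers
    Event("paw-t1-01", "adm-t1-bob", "sql01"),       # compliant administration
    Event("paw-t0-01", "adm-t0-alice", "desk-114"),  # Tier 0 account on a Tier 2 device
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e.workstation, e.account, e.target or "-", audit(e) or "ok")
```

In practice the three lookup tables would be fed from the asset inventory and the events from vault audit logs and logon records.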

Attack scenario example below:

It is trivial to retrieve the password from memory using a debugger, once a host has been compromised.

[Image: attack scenario screenshot]

1. What the heck is a POP-SLAM? https://channel9.msdn.com/Blogs/Taste-of-Premier/Proactively-Secure-your-IT-Environment-from-Credential-Theft-with-POP-SLAM

2. https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access

3. Plat blog on PAW: https://blogs.technet.microsoft.com/askpfeplat/2016/03/14/secure-administrative-workstations/

4. http://download.microsoft.com/download/9/8/D/98D6A56C-4D79-40F4-8462-DA3ECBA2DC2C/Licensing_Windows_Desktop_OS_for_Virtual_Machines.pdf

5. https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

6. https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM

Hopefully this has sparked some thought and gotten you to understand that simply purchasing a vault product (or using our free LAPS tool) isn’t enough to protect your secured credentials. I would suggest that folks who aren’t following this guidance form a plan to protect any workstations that have access to credentials.