Hardening Microsoft Environments

From March 14, 2016 to March 15, 2016

Credential theft attacks can be described as a technique in which account logon credentials are captured from a compromised computer, and then used to authenticate to other systems on the network. Attack techniques which fall in the categories of "Credential Theft" or "Credential Reuse" have grown in the last few years into one of the biggest threats to Microsoft Windows environments.

In recent months, this development was promoted by the significant improvement and wide distribution of attack tools, such as mimikatz and Windows Credential Editor. This led to theoretical attacks being actually possible in real world scenarios with the application of the aforementioned methods. Once an attacker gains initial foothold on a single system in the environment it takes often less than 48 hours until the entire Active Directory infrastructure is compromised.

But how can such a threat be handled?

In this intensive two-day seminar we will present various technical and organizational measures to protect both individual critical Microsoft Windows systems, as well as the entire Active Directory. The goals in mind are to prevent credential theft in the first place, but also to protect against and detect unauthorized use of stolen credentials as early as possible.

Day 1

Introduction
- Relevancy and actuality of Credential Theft und Credential Reuse
- Basics of Windows Authentication
- Security Subsystem Architecture in Windows
- Local Security Authority Subsystem Service
- Local authentication
- LM/NTLM network authentication
- Kerberos network authentication
Credential Theft & Reuse Attacks
- Introduction into mimikatz
- Pass-the-Hash
- Pass-the-Ticket
- Overpass-the-Hash/Pass-the-Key
- Golden & Silver Ticket
- PtT in Ubuntu and Mac OS X

Practical Exercises for All Mentioned Attack Techniques

First Overview of Relevant Measures to Reduce Risk
- Reorganization of the Active Directory structure and best practice for administration
- Technical and Credential-Theft-specific measures
- Security monitoring & logging

Day 2

Detailed Examination of Relevant Measures to Reduce Risks
- Requirements
- Organizational and design measures (Admin Tiering, ESAE Forest)
Technical measures
- Secure administration hosts
- Secure configuration of domain controllers and members
- Credential-Theft-specific measures
Active Directory Monitoring
- Overview of Windows Event Logging
- General monitoring measures
- Centralized logging
- Basics of Advanced Audit Policy
Specific monitoring measures
- Events to audit:
  - Account usage
  - Software installation
  - Service installation
  - Registry auditing
Detection of PtH, PtT and Golden Tickets

Practical Exercise to Create an Advanced Audit Policy

Introduction to Enhanced Mitigation Experience Toolkit (EMET)
- Requirements
- Technical possibilities
- Use in businesses
- Configuration
- Experiences & recommendations

REQUIREMENTS:

Bring your own laptop.
We provide the possibility to connect via a RDP connection to a virtual test environment
Connection is done via an Ethernet cable

TARGET GROUPS:

IT Security Officers
Windows & Active Directory Administrators
Project Managers with security focus
Infrastructure and system architects
System integrators
Head of IT & Data Protection Supervisors

Friedwart Kuhn

Friedwart Kuhn is a renowned expert for Active Directory security and has performed a huge number of projects both in the concept and design space and in the pentesting and incident analysis field.

Heinrich Wiederkehr

Heinrich Wiederkehr is a Security Consultant at ERNW and part of the Microsoft security team. He focuses on research, conception und assessment in various areas of Windows-based environments. Apart from security trainings, his work concentrates on audits and pentests of large-scale enterprise networks with emphasis on Active Directory. A wide variety of projects for different customers give him a solid awareness of the practical realities and an eye for essentials. Heinrich holds a Bachelor degree in Corporate & IT Security at University of Applied Sciences Offenburg.