This webcast was originally published on August 13, 2018.
In this video, Kent and Jordan discuss effective practices for securing Active Directory and preventing common penetration testing exploits. They explore techniques like establishing strong password policies, disabling outdated protocols, and implementing system monitoring to enhance security. The speakers provide practical insights into how organizations can protect their network environments from attackers and improve their overall security posture.
- The importance of toughening password policies to mitigate risks from pen testers and attackers
- The value of deploying tools like LAPS for managing local admin passwords and reducing risk across multiple systems
- The necessity of keeping software and systems up to date to utilize the latest security features like Device Guard and code integrity policies
Transcript
Sierra
I am “Sierra.” For those of you just joining us, we have Kent and Jordan here, two of our testers, who also do SysAdmin stuff.
Jordan
Pleasure. Happy to be here. Happy to have you all. Indeed. So really what this is based out of is Black Hills Information Security’s efforts toward building, configuring, maintaining and being better at just about everything we do, right.
It’s something we have to do on a daily basis. So we’re asked to come up with some training modules. So we come up with a wireless training module and then we all tie that back into domains and how our customers operate.
Right. So we can walk into a network and we can review your wireless, but it really all comes down to and boils back into Active Directory, right. And how that infrastructure is configured and how it’s deployed and how it’s managed.
So what we’re trying to do today is talk about the things our customers do in Active Directory that work, that slow us down as pen testers.
Kent
And bear in mind, we’re probably not making friends with our coworkers today. The majority of what we do, and you’ll find on our blog posts and our webcasts, is really red team engagements.
It’s trying to be the attacker and trying to exploit all the things. And this is just the opposite of that. So it’s a little bit outside of the typical niche for BHIS, but at the same time, we hope you like it.
Jordan
So, yeah, throughout the slides, mostly what Kent says is we are going to be talking about the blue side of things. However, we talk about where our standard attacks come into play.
Like John’s Attack Tactics series, we use some of those things to demonstrate how to fix and solve those problems in Active Directory. As he says, it’s easy to make things hard, not hard to make things easy.
So there’s a lot of things you can do to solve some of these problems. Some of them, you deal with the politics of long passwords, right? I mean, that’s a huge one.
And it, more than anything, slows down pen testers. If I’m approaching the outside of your network, if I’m approaching the inside of your network, all these things are based on credentials. And if you make it hard for me to guess the passwords your user population has, then, well, we’re frustrated.
Kent
And also, another side of that is when you get into an engagement with a pen test, there’s some things that we do very quickly within the first hour of the engagement, and it’s not uncommon to get wins immediately following that.
And we call that kind of low hanging fruit. It’s stuff that is helpful for us because it allows us to get a quick win, but at the same time, it’s stuff that we kind of expect anymore. And it’s something that’s relatively easy to mitigate.
And we call it the low hanging fruit. And if we can get it out of the way, it’s stuff that’s easy to turn off. We’re not talking about a million dollar solution to do it. So.
Jordan
Slow slideshow today, maybe. Do you have enough RAM on there?
Kent
Yeah, I got plenty of RAM. All right, so we are not going to sell you a security solution today. We are going to frustrate our coworkers or the attackers. That said, if you would like to have a pen test, the address right below is consulting at Black Hills Information Security.
Jordan
I’m not shameless.
Kent
Or am I?
Sierra
I am going to pause you guys for just a second. Jordan, would you mind moving the mic just slightly that way?
Jordan
I can definitely do that.
Sierra
We just need it facing Kent just a little more.
Kent
I can do that. Do I need to speak up?
Jordan
I think that’s all right. How’s that?
Sierra
How’s that, guys?
Kent
Much better.
Jordan
Brilliant. Thank you. So yeah, as we say here, almost everything we do in this slide deck is based on things you can do now, today, in your Active Directory, whether it’s a Server 2008 forest, a Server 2012 forest, and, like we deploy in the next couple slides, Server 2016.
Kent
So Jordan, I’ll kind of let you talk about how you set up the infrastructure for doing this webcast. We kind of set up an environment that we could test some things out in, and I’ll let you talk about that.
Jordan
Sure. Absolutely. We have a lab that we maintain physically, but we can’t even begin to compete with Amazon’s layers of protection. So we deployed an AWS Quick Start for this, which is a one click, one hour deployment thing. It asks you for a couple of passwords, restore mode, new admin user, and you click, and then in an hour, voila, we have a beautiful, brand new, shiny, which you’ll see throughout here, multi availability zone deployment of Windows Server 2016 domain controllers and a Remote Desktop Gateway.
And that is the environment we configure for these best practices. Right. We go test, play with, learn, and then try to exploit.
Kent
So you kind of talked about that Active Directory inside of Amazon. Obviously, most environments probably wouldn’t be set up that way for their enterprise environment. They might be. I think that your point here is that you can do this, but more importantly, maybe for your blue team, is that they can go develop this in an hour and they can deploy and then modify these settings.
We’re going to talk about and see what the result is. Right?
Jordan
Oh, absolutely. How many domain migrations have you successfully executed in your time as a systems admin?
Kent
Painlessly. Yeah.
Jordan
Right. I don’t think, I didn’t. I think, taking a step back, if you’re going to upgrade your domains and your functional levels and your forests, I almost at this point recommend starting clean.
No, like, Amazon offers so many layers of protections and so many advantages over the standard on prem deployment of hardware, of monitoring, of physical security, of compliance and all those things, that with a couple clicks, if I can spin up a new domain, set up a VPN and link my workstations to this environment, it’s hard for me to keep recommending that people build their own on prem solutions.
Kent
So now I did, I think I did mention that we’re not going to sell a million dollar product. Right. But we should also mention here that the environment that you set up wasn’t necessarily cheap. Right. It was pretty hot.
Jordan
Yeah, it’s running hot for sure. I think John told me I’ve got a week to burn it to the ground.
Kent
Sounds like it’s getting expensive.
Jordan
This is definitely the Cadillac of base deployments, but depending on budgets and size of environments this might make sense. I think we’re looking at a four or $500 a month spend with this.
We’ve got a single Remote Desktop Gateway, multi availability zones, we’ve got the elastic load balancing in front of stuff. We’ve got a lot of these products.
But anyway, this one runs a…
Kent
…little hot, yes, but it’s secure.
Jordan
For this deployment, just to talk about Tobias’s question. For this deployment, this is as quick online as possible and then tear down as quick as possible. So we haven’t managed custom configuration files, we haven’t implemented things like OSSEC or Ansible, things like that.
But that’s what we do for our production systems that we use. So basically Amazon hates pen testers and there’s a lot of reasons for that.
They run so many multi tenant models of firewall protections, of load balancing, that they really are nervous when people come in and start breaking things or attacking things and they don’t know about it.
Not that there aren’t people all over the Internet who attack systems on AWS. It’s just, as a pen tester representing a firm that could be sued by Amazon,
you need to be careful when you approach these things and definitely not skip pen test authorization forms, even if you’re testing yourself. Right.
So there’s a lot of dangerous situations you can get in on Amazon if you’re testing.
Kent
So I think the idea there is if you’ve got a web app and you’re testing it, your own web app, you’re testing it from Amazon to the web app hosted on Amazon. If you find a chink in that web app that maybe you designed, Amazon’s very concerned about how that WAF or that CDN reacted to your ability to manipulate and exploit that chink.
So as much as it is your application and you built it, they’re also very concerned about how their applications are securing those. And if you were able to get an exploit, they’re curious about whether or not that exploit is available everywhere in a similar fashion or if it’s just on your application because of a certain thing.
And that’s why they are very curious about those authorization forms. And they want those filled out because when something gets exploited, they want to know how and why.
Jordan
Yes, absolutely. Right. So that’s where that pen test form covers your organization, your entity from potential legal liability with Amazon.
Sierra
We do have a couple questions.
Jordan
Yeah. So when we talk about XSS, that’s fine if you are testing your own application and you aren’t identifying an XSS flaw in Amazon’s load balancer or Amazon’s web application firewalls or some layer of that process where they go multi tenant.
Right. We have an application, but we put a WAF in front of it. And in front of that WAF is a load balancer. And if I hit something along that chain where I have identified a flaw in Amazon’s load balancer, that is a big problem across all the tenants of that service.
So that’s what we’re saying here.
Kent
That’s what Amazon’s going to be really concerned about, including not just on web applications, but in the deployment of Active Directory as well. If you are able to exploit something, they’re going to want to know why and how.
Jordan
So, yes, cover yourself.
Kent
So that aside, that was how we configured our baseline environment in Amazon. And we’re going to talk about some of the stuff in Active Directory that you can do to really slow down an attacker.
And this list is not necessarily comprehensive. There’s a lot of things you can do out there, but these are things that you can start from the beginning of a deployment, or you can add to a deployment that you’ve already had.
A very mature environment could still benefit from some of these things. You’re going to have some change processes that you have to worry about there. But things that we’ll go through today are going to be naming conventions, some of the group policies, attack tactics that are out there.
We discuss application whitelisting, some interesting things with Sysmon and also LAPS, which we’ll get into later.
Jordan
And Rich does have an interesting question which we addressed during our pre show banter. And we talked about it even this morning before finishing the slide deck. And that is, what are we actually addressing here? What are we talking about?
So we are talking about Active Directory best practices that we know, as pen testers and attackers, work in customer environments to slow us down.
So we are saying Active Directory best practices, maybe not per Microsoft standards, but per pen tester standards. So how do we frustrate ourselves as we wander through networks?
Sierra
And just for clarification, Don would like to know why you’re showing a dead horse.
Jordan
This is the same stuff we preach in all our webcasts, across all environments, across all our reports. We say the same things. You have a weak password policy. Why? Because we guessed passwords on your networks.
We use the same attack tactics almost universally in order.
Kent
This sounds like you’re beating a dead horse. Is that okay?
Jordan
Does that make sense?
Kent
Yeah, it does. You’re definitely beating that poor horse.
Jordan
All right.
Kent
Oh no, we gonna go back, man. Okay, so let’s talk about Active Directory and the domains. You’ve got an Active Directory domain set up, you’ve got users in it. And the key thing that I want to point out here is inside the forest, you’re going to have multiple domains.
You’re going to have functional levels inside that forest, and you’re going to have a schema that has different attributes for users, computers, policies. All that’s going to be stored in the schema.
You’ve got domains that you maybe need to migrate, need to upgrade. These are things that you need to all be, I guess I want to say, worrisome of, and the idea behind that is never do anything in Active Directory that you didn’t think about.
Because ultimately anything you do that you don’t think about is going to snowball into something that you’ll have to think about later. And it can definitely be problematic. A good example of that is if you’ve got a file share and you put a single user on that file share, a decade from now, you’re going to have that file share with two or 300 SIDs in there that don’t relate to a username anymore and you’re going to have a hard time cleaning all that up.
So we’re going to kind of go through some ideas there that might help that out from an administrative perspective. But the idea here is just that the overview on domains is don’t do anything without at least considering the goods, the bads,
what it looks like in five years, what it looks like tomorrow. So getting right on with that: naming conventions. Now, naming conventions, I’m not going to give you a “this is how you should do it” because it’s going to vary in every single circumstance.
What I will say about it though is that you need to think about how you’re going to do it and you need to be consistent with it. Now, from an attacker’s perspective we’re going to say, why could this be painful for an attacker?
Well, I’ll give you a really good example. From a help desk perspective, this needs to be simple. You’d want to cut down administrative overhead. However, from the attacker’s perspective, if you can do something like making the UPN the username that’s logged on.
Yeah, a typical one, right, is like first name, last name, but what if it was first name, last name, hyphen, and then a four digit random code. Now that sounds really complicated from maybe an attacker’s perspective because now they have to guess what that four digit code is.
But that would be actually part of the username, not the password. And the idea there is to make it so that you can’t just guess what a username is based off the context of knowing someone. Similarly with groups, it’s useful to have groups that have a consistent name.
An example of that is security groups could be SEC and then what the context of the security group is. But you could also make sure that those groups could be obscured to mean something other than what they say, but still have an obvious meaning to the help desk.
There are some really great applications out there as well that basically put a database front end in front of an LDAP backend. And it allows you to have group names in Active Directory that are completely meaningless, just completely arbitrary, with the database front end
that gives a web app view to the groups actually driving that and making it more meaningful from the web front end perspective. And those are things that can be devised that really help out with that.
Jordan
So we just got an awesome question. Yeah. John is asking why not deploy a bastion forest in AD? And I said I am reading about it now.
I have literally zero experience deploying advanced AD forests.
Kent
Absolutely. And bear in mind that we did kind of talk about things. We’re going to be talking about things here that are like quick things that you can do, either now. Obviously some of these aren’t going to be quick if you’re ten years matured in the environment.
They’re going to be things that if you were setting up a new environment, you could set these up relatively easily without too much risk. But yeah, it’s an excellent point. There are a ton of things that you could do to make life just miserable for attackers.
And the whole reason we as pen testers, we don’t want them to be miserable for us, but at the same time we do, because it is kind of boring if we just pull the low hanging fruit and that’s our results. We want it to be much more difficult than that.
And it’s also a lot more fun when we get to look at things that are not just low hanging fruit, when we get in there and actually get to exploit things and write code and that type of stuff. At the same time though, it’s things that we get in here and we’re going to look at it and there’s things you’re going to say we can’t do that, there’s no way we can get the change management processes for that.
And you’re going to have to balance that. There’s that risk and payoff reward there that you’d have to definitely look at.
Jordan
Yes, Gordon, we’re going to address some of those questions with LAPS in a little bit.
Kent
So naming conventions and users, again, login and UPN, they don’t have to be tied to a specific person. My username does not have to be Kent Ickler. It could be Kent Ickler
-523179. I will remember that. 523179. And that’s all I have to remember for my username because it’s Kent Ickler. But a pen tester now is going to have a really difficult time trying to enumerate all those user accounts, especially when we go to use things like Recon-ng, and again,
we’re going to go check out LinkedIn and try to find email addresses of users that are on the website. If you make it so that your email address is not your log on. And bear in mind, this is MCSE 2003.
They would have told you, no, no, no, make it all the same. Make sure your email address is the same as your user account because that’s going to be wonderful for employees, and it is wonderful for employees. It’s excellent.
It’s not wonderful for security though. So if you think about that 15 years later, now we’re looking at it and saying, okay, we want to publish this email address on the website, but we don’t want that email address also to be the username that user needs to log in with.
And that’s where that context between that UPN comes in, and Active Directory. Make sure that, administrators, you want to be able to identify what an administrator account is for the help desk’s sake, for the administrative overhead.
But at that same time, the key piece here is the last bullet on this page, which is the admin does not equal the standard user. So if I were an Active Directory admin over the entire environment, I would want to have a user account that I check my email with, that I run my helpdesk tickets with, that I work with HR with, that absolutely is not going to be the same account that has any sort of administrative privileges.
Jordan
And then pick your other platform, any platform on earth now, right? If you’re looking at Dropbox, you’re looking at Box, you’re looking at Google, you’re looking at Azure, all these, I will pay for the extra license every single time to have an obscured administration.
Kent
Absolutely. So, yes. And someone’s going to say, well wait, does that mean you’re going to have a shared account that is an administrator? Yes, no, I mean, there’s things you could do with password management solutions that can help with that, but the key thing there is that standard user is not equal to admin user and vice versa.
Also be able to identify who your contractors are, your vendor accounts and service accounts. You want to be able to identify those from the help desk perspective. Now there’s that question, does that really help or hinder the pen tester?
It really doesn’t. I don’t think it helps or hurts too much. Really, what you’re going to gain in the help desk, being able to have a better environment for them to work in, is going to help and allow them to focus on the security aspects of their job as well.
Jordan
Okay, well said, sir.
Kent
I kind of want to let Jordan talk about this one.
Jordan
Yeah. So we’re kind of working on our own container of honey data, right? Because if you’re going to go and execute a pen test or you’re going to go execute a training or something else, you need this giant chunk of data.
And rarely on customer environments do we find cleanly laid out data. So we want to build our own. And basically the convention here is file shares are applied via ACL.
Right. So we want ACLs to flow down. And Kent is exceptionally well versed in the management of user ACLs, security ACLs and even file migrations.
But this is, file shares can be so messy. So we are even working on our own chunk of data that people can come and try to pen test down the chain.
Kent
Bear in mind, you should be able to look in your environment and look at a piece of data that’s on your file share, and you should be able to answer who owns it, who’s the primary point of contact for it, and who needs access to it.
And if you can answer those things, not so much in terms of a person, like a name like Jordan, but if you can put it into the context of: this data is owned by the HR department, its point of contact is the HR department director,
and if I need to make changes to this document, I need to contact X person who might be the liaison for the IT department and the HR department.
Jordan
Then we take a step back and we go back to our previous slide where we talk about users and we say, okay, so we had a user who goes into an ACL for marketing. That’s all we have to do. This person is marketing, he is marketing.
He gets all the file privileges flowing downward. As soon as we disable his account, we don’t have to go trace where he may have been individually applied permissions on a file or a file share.
Kent
And we’re going to kind of get into that. And it’s something I call job functional security roles, which is, for better or for worse, a huge platform, but we’re going to get into that. Still on naming conventions, we’re going to talk about groups now.
So we’ve got user groups, security groups, distribution groups, mail enabled security groups, and then this weird, like, quasi thing that Microsoft has on domains called domain local groups, global groups and universal groups.
And I think the majority of people, they understand the top four pretty easily, right? They know what those are for. User groups hold users, security groups are used for security and distribution groups are used for email.
But when you come down to what’s the difference between domain local, global and universal. Again, I’ll talk about MCSE 2003 because that’s what I am. I haven’t updated my cert since then, which is funny because it’s 15 years old.
Back in 2003, there was a maximum number of objects you could put in the Active Directory environment, and the number was relatively small. So it meant if you had a very large number of users in your organization, you had to have multiple domains, and each domain could have a set number of objects.
So if you had a lot of employees, you had a lot of domains. And all those domains were linked together inside that forest. It’s not so much that anymore. So now when we see domain forests with more than one domain, it’s typically the result of a couple things.
One is legacy. So that’s something that came back in 2003 and they’re still fighting this process with multiple domains. That is one possibility. There were some best practices back in the day for having multiple domains based off geographic locations, and it kind of helped with replication strategies and that type of thing in Active Directory.
Those still exist. The other place that we see it now is in a lot of acquisitions. So you’re going to have a large firm that acquires a smaller entity, and the way they incorporate that into their existing Active Directory environment is to build a forest trust and then bring that domain into their forest.
All that really doesn’t need to exist so much anymore in 2018, just because of the way Active Directory works. You can put billions of objects in there and it doesn’t matter. If you hit that 22,001st employee, it doesn’t mean you have to create a new domain, which is what it used to mean. So, a lot different.
All right, so that last slide said, go for the JUGULAR. And I know someone’s going to say, what is that? All right, so the JUGULAR is something that needs to be really clever.
And so it’s an acronym, is that right?
Jordan
You created it, you tell me. Okay, so I think there’s a difference between acronyms and…
Kent
Yes. So I think what we need to point out here is I did not create this. This was a very low key idea that I had in school, that my instructor told me about.
And I can’t remember who, when, where or what. So props to him for creating it. I can’t remember. But the idea is if you look at your group replication strategy and your group nesting strategy in the form of JUGULAR, the J is just to remember it.
So that’s all it is. And then you’ve got Users, Global groups, Universal groups and Local Access to Resources. So at the very top you’re going to have users, okay? And those users should be in, we’re going to talk about job functional security roles, right?
So a new employee should have access to what they need to do their job, but nothing more. So the idea here is that our user account is in a user group. That user group is about a job functional level.
Something like the marketing department supervisor, right? And then that global group could be inside of another global group called marketing department, and so on and so forth. But the idea here, and the really key piece of this, is at the very bottom it says resources.
And those are ACLs. So they’re file shares, printers, remote desktop, VPN, etcetera. The idea here is that you never, ever put a user account into an ACL.
Now there’s several reasons for that, but one of them is that if you have a user whose employment is terminated, the account’s removed from Active Directory, you’ve now got a SID listed inside that ACL that is forever gone and it’s always going to be a pain in the butt.
But if you look at it from this perspective, you put user accounts into groups and you put the groups into security groups which are domain local, then you can now apply those domain local groups to the security context, to the ACLs.
And you never again have to go to the scenario where you’re giving a single person access to a single file. It’s always going to be justified by some sort of HR mandate, such as the marketing department needs access to marketing files, they don’t need access to accounting files.
Or if they do need access to accounting files, it’s already been prescribed because they’re working on a project together. And it gets away from the perspective of one person having access to a single file. And I will have to have a huge blog post on this because it’s much more involved than that.
The JUGULAR actually came from how replication strategies worked in Active Directory, where you would replicate only the minimal amount of data across a low bandwidth link to still utilize forest trust.
So that’s kind of where it all started. In today’s environment, you can use it if you have a single domain, just like this, where you’re applying access control lists to users through groups.
So best practice helps with the help desk. And from the pen test perspective, if we can find a username on a file, it kind of helps us, but if we have to go start looking through groups, it just becomes a pain in the butt.
Even if they’re well named, it really starts to make pain for us.
Jordan
So if we leave an Active Directory account disabled permanently, do we strip group membership? Does that remove them from the ACL if the account is compromised and re enabled in some way?
Kent
Sure. Well, it would strip their physical access. It strips their access because the account’s disabled and Active Directory wouldn’t be able to authorize them access to the accounts.
But at the same time, more importantly, what that does is it removes all the replication traffic from having to push that ACL and all those groups around. So, disabling an account works.
I think the big point there is there’s a best practice about when you disable a user account due to employment termination, you remove all your user groups and security groups. And the reason for that was if someone accidentally re enabled that account, for whatever reason, it would get re enabled in a very minimal security context where the user might be able to log in and that’s it.
The idea there is that they wouldn’t have access to files because their account got re enabled. So that is definitely something that, and that’s usually listed in like policies, procedures for HR and IT department, how they handle offloading.
Jordan
Okay, we’re about halfway through on time.
Sierra
Jeff has one more question. If there is a single domain, would it be better to use AGDLP and just discard universal groups altogether?
Kent
You can discard universal groups. There is a caveat there. The big caveat is Exchange. So if you’ve got on prem Exchange, or if you’re not using AD FS to sync your Azure AD and your on prem AD, you’re going to run into some problems.
Exchange works with the GAL. The GAL stores all universal groups. So if you’ve got a group membership that’s nested inside of universal groups, you’re good in Exchange. But if you’re using Exchange and you try to load like a domain local group for a security context, it won’t work.
The reason it won’t work is because Exchange references the GAL. They don’t reference Active Directory directly.
Jordan
Awesome.
Kent
Oh, this one’s me again, isn’t it?
Jordan
Yeah, I’ll absolutely tear it up, man.
Kent
Okay, you might have to speed up. Group policies. So, this is a really great one that I did not come up with. Same class that I took earlier, LSDOU. It’s funny because it has LSD in it.
I don’t know. So the idea here is Local, Site, Domain, OU, and the idea is when you apply a group policy, this is the way they’re going to flow down and the way that they’re going to get applied and reiterated and replaced.
So if you apply a group policy, a local group policy at the local level, that can be replaced or overridden by a group policy that’s listed at the site, and then the domain and then the OU and then any other OUs that are nested inside that.
So it’s just a really quick way to remember how those group policies are applied. They apply at the start, which is the local machine, and then the site in Active Directory, the domain, OU and the nested OU.
So LSDOU is really important when you start making computer policies and user policies and how those apply in Active Directory, specifically for group policies, and then things like loopback processing mode and how password policies all roll together and things like that.
So it’s just a really great way if you’re able to apply your group policies at the highest level as appropriate. It cuts down on administrative overhead, and from the attacker’s perspective, it’s really not going to slow us down that much because we don’t spend too much time looking at group policies.
Jordan
With exception to one thing.
Kent
I’m going to let you cover this one.
Jordan
Yeah, default domain policy. This should be very skinny, right? We configure this to only cover our password and account lockouts. That’s all that matters in this policy. That’s all this policy should cover.
You can do a lot more in here, but Microsoft’s best practices here are what is stated here. And I would keep going. We’re going to cover this more and we’ve got a lot of slides.
Kent
So GPP, group policy preferences, pre-MS14-025 from Microsoft. Those passwords are stored in group policy preferences in a very insecure way, or not in a very insecure, but insecure way.
So an attacker could look at a group policy, and if you had a password specified there to do a certain action like run a script or create a user account, we could essentially go and grab that password and, yay, win.
Jordan
It was a low hanging fruit. So if those preferences existed prior to this with the passwords, you could still apply the patch and not solve the problem. This is something you should go do as a system administrator.
If you have old legacy domains, things that have been migrated and updated over time, make sure you don’t have GPP lying around. It’s the first thing, I mean, first or second thing we check on your network.
Kent
Absolutely.
Jordan
Generally what, we launch LLMNR and then go look for GPP?
Kent
Yes. Two, two very easy wins if they’re there. And with those group policies, if you have legacy ones that have group policy preference passwords in them, I think the best idea there is to delete them and create the new policy after MS14-025.
And that will get you a more secure way of storing that password in Active Directory for your policies. The lower right hand of that window there is Metasploit. And to give you an idea how easily we just pull passwords out of there, we just run that Metasploit m.
Jordan
Command, and it goes and looks at SYSVOL in the environment.
Kent
That’s it. Yeah.
Jordan
So again, this is where we deployed Windows Server 2016. Brand new. And the defaults are still not good enough. They’re just not. I think we get to a slide that covers the password policies that are on by default.
Not good enough. Windows Defender, okay, not good enough. No application whitelisting in place. So there’s all kinds of awesome new protections in Server 2016.
LLMNR still on by default across the board. Multifactor authentication, not enforced, not forced. So I mean, this is the latest domain controller offering we’ve got.
Still not good enough. It’s time.
Kent
Getting there.
Jordan
Yeah, it’s getting there. It’s getting better.
Kent
So, this is, I love this, it’s the “your device is being protected” and, oh really? Is it good enough, or is that the default that you’ve got set up?
So bear in mind, default settings are not enough, and we definitely want to take a look at that. Anytime you try to deploy something, make sure you look at those settings and make sure they’re confirmed and built the way you want.
I love this screenshot because it’s the Windows Firewall from XP. Both sides are the screenshot from XP, in fact. And it’s kind of interesting. Windows Firewall, for better or for worse, right?
It’s actually a lot better than it used to be. I think now even at the default deployment it’s still pretty useful. I think the key piece though is that it’s not as user friendly as other products out there.
So it prompts up and says, hey, you’re on a network, what should I do? And then you have to force users to read it and figure out what they’re supposed to do. Try to figure out what the best answer is.
Use a group policy, throw in the domain, say, hey, you’re in a Starbucks coffee shop. I’m not even going to let you on the wireless network, and that’s okay. Or force a VPN in that process as well.
Jordan
So turn on host based firewalls.
Kent
Bottom line, the point here is turn on your host based firewall. It needs to be on everywhere. It needs to be on your servers. Only allow ports that you expect communication to occur on.
Jordan
We do have a question here that’s worth addressing. Right. Why is Defender just not quite good enough? And really it’s not quite good enough because it’s like any other AV product. You turn it on, but are you capturing alerts?
Are they going to your central repositories? Do you have audit enabled on the system? Are you doing the things that make antivirus important to the help desk? Right. Are you good?
Kent
I will say that Defender can be enough if it’s configured properly. So the key thing here is you can’t just turn it on and forget about it. I mean, that might work in certain environments, but it’s not going to be very strong.
We’re talking about turning it on. Go look through and make sure that you’ve got it configured for how your environment needs to be configured securely, such as reporting that stuff to a SIEM so that you can have someone look at that later on.
By default, Defender’s not going to do that. It’s not going to have anywhere to send those to. So have them enabled and do things like that, that configure Defender to be more useful.
Obviously there’s hundreds of other products out there, very large name products, that can do very similar things that are more turnkey, and that’s why they’re additional third party products.
Jordan
Defender is okay. It’s as good as anything else. Theoretically. Some things that you pay lots of money for can be shinier and better.
Kent
I think we can invoke John’s, antivirus statement there.
Jordan
Toilet paper.
Kent
Toilet paper like it’s a commodity.
Jordan
You have to have it. Something.
Kent
It doesn’t really matter what kind it is, but you have to have it.
Jordan
Some is better than others. So minimum password requirements. This is out of the box.
Sierra
Again, we have one more question. So where can you find a doc about proper Defender config?
Kent
Awesome. We can link one out.
Jordan
Yeah, we’ll find something.
Kent
We might write a blog for it.
Jordan
There you go. Brilliant blog ideas.
Sierra
All right.
Jordan
Okay, so yeah, again, brand new Server 2016 out of the box, open the default domain policy, go look at the password setting. And what do we have? They’re still recommending, well, I don’t know if this is a recommendation of Microsoft or just a decision they’ve made to leave things in a state where it’s easy to guess domain passwords.
Seven. It’s not enough. It’s not enough.
Kent
So I’ve included a screenshot there of the Hashcat cheat sheet that I wrote a couple months ago. And one of the interesting things here, this is key space exhaustion at 229 gigahashes a second.
Big terms, right? But the point here is that seven characters, it’s going to take us 35 seconds to generate all the different hashes based off all lowercase characters. And that’s pretty impressive. That means if your password is seven lowercase letters, we’re going to guess it in less than 35 seconds.
The same thing said though, if it’s 20 alphanumeric characters, this is 2.2 trillion solar orbits around the center of the Milky Way, which is a really big number.
And it’s interesting to take a look at that because of how that progresses into something that is so awfully huge. And obviously we wouldn’t be able to crack it in 35 seconds. Right.
Jordan
There’s a Monty Python reference galaxy song in there, how far you travel.
Kent
So the point here is that seven characters, not enough. If someone asks what is enough? We will typically say 20 alphanumerics. And here’s the great thing: if you say 20 alphanumerics and someone makes it 20 lowercase characters, that’s 20 characters long, it’d be really great if they added a one there because that’s really going to confuse you all over again.
Jordan
So. Absolutely.
Sierra
So someone asked, is 23 still considered the borderline for uncrackable?
Jordan
Presently, I think at 15, you’re into the septillions, right? If you’re looking at key space, right? And you take 15 characters and all of them could be any of the four.
Kent
Right?
Jordan
Our lower, upper, numeric and specials. That key space at 15 is septillions.
Kent
Yeah. And uncrackable means a lot of different things. Right. So the way passwords are typically stored is with a hash value. And when you enter your password into Windows, it’s going to take the password that you entered and create a hash from it, and then it’s going to compare those two hashes to make sure they’re the same.
So the way most password cracking techniques work is they just create all the possible hashes, and once they find one that matches, they know what the password is. That said, what we’re really talking about here is offsetting the limited security context that’s in the low seven character password.
And we’re going to try to offset that by making it really long. But then the next low hanging fruit piece for passwords becomes where passwords are stored in plain text. Or, if I know someone really likes a certain football team, I can make a word list based off that.
Jordan
Football team dictionaries are everything when we crack now, I mean, that’s just so.
Kent
We talked about 20 alphanumeric characters; it’s impossible to break if it’s truly randomized characters. But in the case of, if it’s a word list and all the words are more than seven characters long, we’re talking about three words.
And we might have a list of 400 words to work out. We’re going to do it really quickly, and that kind of comes into then you got to take your word list and you got to make sure that you have words that are spelled wrong and that type of stuff.
Just be cautious of that. And this is the staple horse. Something, something. Next, Casey.
Jordan
All right, so yes, they have definitely upgraded the minimum, the maximum value for minimum password length, right. You can now force at Server 2016 functional level, across the board, a 20 character minimum.
You could do a 15 character minimum, right. And then you can also go disable the LanMan storage thing, because if you’re less than 15, right, it’s stored in LM, and LM is easy.
And so there’s all kinds of other fun features in Server 2016 worth investigating. Some of them are mentioned here. The code integrity check policies also allow you to, or force, integrity checks on the code that runs in your environment so that Windows doesn’t trust code that isn’t signed, generally speaking, across the board.
Kent
And you just use Windows for that. You don’t need like a third party product.
Jordan
Absolutely not. Group policy.
Kent
That is super awesome. So, we’re going to talk about some of the key terms here, like LanMan. If you’re not familiar with that, check out our blog, search LanMan. In our blog posts you’re going to find a lot about it and all the detail you need to know about why it’s a bad thing.
So moving forward, so we talked about the password policy and why those need to be longer passwords. You’ve got a blog post there. Kind of talks about more detail for pre-2016 functional levels.
So that’s out there as well. And, yeah, length, complexity, blah, blah, horse here. 2 trillion orbits around the. Something, something.
Skipped one. There we go. So, do not store LanMan hashes. We talked about that one, too.
Jordan
Yeah. Oh, absolutely. Don’t do that. And I just show that location of that slide.
Sierra
We do have a couple more questions.
Kent
Yeah, yeah, go ahead. Sure.
Jordan
Swank.
Sierra
Okay. What if you have weak passwords, but the ability to detect abuse is good enough to pick this up quickly? For example, if you run ProcDump, it can be quickly picked up.
Or if you run ll, m and.
Kent
R. Yes, that sounds like a reactive policy. That’s very reactive.
Jordan
Oh, absolutely.
Kent
Better would be not to allow someone to guess that password, as opposed to allowing them to guess it and then reacting to them having guessed it, which I think is pretty. It’s kind of obvious, but,
Jordan
So running LLMNR isn’t really the thing. It’s running a tool that exploits LLMNR. So if you leave systems on your network at default, they will communicate with LLMNR.
When they can’t resolve names, then we jump in and say poison. So you need to catch the execution of obfuscated PowerShell scripts that run things like Inveigh or Responder.
These are the things you need to trigger on, on your network. So.
Sierra
So Matthew also wants to know, can you enforce multiple password policies based on OU?
Kent
Yes, you can. Yes. 2008-plus functional levels can. I believe that it’s called fine grained password policies.
You will find them in Active Directory. Look it up. But it is definitely there. It’s not done in the typical Group Policy Management Console structure.
You have to do it in a separate section of Active Directory, but they could do it in 2008. So, pre-2008, yeah, you could have one group policy, or, sorry, one password policy for the entire domain. It is much different now, based off OUs and also based off your membership.
So you can do a different.
Jordan
I sent that privately, unintentionally.
Kent
So some of these different things that an attacker will typically use. Things like MailSniper, Hydra, any brute forcer. The idea here is that you want to limit the exposure to that.
And something that I will still say is, you can have your email behind a VPN, and that will freak some people out. But say you need to access email remotely. Well, it’s behind a VPN.
How do I get it on my phone if it’s behind a VPN? Okay, there’s solutions for that. You can install a VPN certificate on the phone so that that mail application on the phone utilizes the VPN. But the key thing here is, a user on the Internet can’t scan your network and find the OWA portal and start password spraying all of your user accounts.
So it’s kind of a key thing there. And these are things that attackers look for. And if we find an OWA portal, we’re going to try to brute force against it.
Whether or not that is a password we found in public breaches or passwords that we’ve been able to build from.
Jordan
A word list, all those things and integrate, like, and take that attempt of NTLM and gather domain information. You expose that portal to the Internet, we can go learn about your internal domain just by you exposing OWA.
Kent
So, yeah, I mean, you definitely want to have some knowledge of what’s happening here. If someone tries to do a password spray, you want to be able to identify that, but ultimately you’re able to mitigate a lot of that just by putting your services behind a VPN, obviously.
Again, that is painful, but there’s ways around it.
Jordan
Yes. So just the password policy has slowed every single one of these attacks down that we do, every single test. Depending on the test, one of these tools will be in play against your network.
Right. So extending your password policy will make it much less likely that we capture creds, like on the next slide, I think Mike says, I don’t know, it’s moving out there in the future. But anyway, creds are king as pen testers, as attackers.
If you make your passwords longer, it is factors more difficult for us.
Sierra
John wants to know, is there a checkbox to disallow the use of the same password for one’s regular domain account and their privileged admin account?
Jordan
Well, it wouldn’t be a checkbox because there’s no association between user and admin accounts.
Kent
You wouldn’t want there to be, a link between the two either. In fact, your admin account could just be a, random character admin, random characters. It’s meaningful to the help desk into the.
Jordan
It could be a six digit random string. It could be anything.
Kent
So, no, there’s not. Now, whether or not that sounds like a, sounds like a. Where’s the dice at? You’re busy going into policy for that.
Jordan
We also failed to mention CredDefense, which is a tool Brian Fehrman is working on, which is a brilliant piece of software that you install on your domain controllers. Right. Nobody likes to install things on their domain controllers, but it does protect your environment from passwords that you don’t like.
You define the list you don’t like. It can also analyze passwords and compare user passwords. How many people are reusing hashes? How many people are, But this, again, that would go back to LanMan because LanMan hashes aren’t salted, they’re all stored exactly the same.
If I use “password” and he uses “password,” the hash is exactly the same.
Kent
Unless salted. But yes, in LanMan they would be absolutely the same. So, you might be able to find that if the characters are less than, or if it’s less than 14 characters long and LanMan is enabled. But ultimately, it’s going to be one of those things.
What you could do that might help is use different password policies, one that has a longer length requirement, and that’d be okay. And that would be a quick way to probably mitigate that.
But ultimately, if they’re using the same password, I don’t think that’s necessarily such a bad deal. As long as you’ve got the password policy that makes sure those are long enough that they’re really insignificant, that the risk is mitigated.
So.
Jordan
Absolutely agree.
Sierra
So how are we doing on slides? Do you have time for more questions? You want to wait till the end?
Jordan
Yeah, we better keep going.
Kent
Yeah, we’ll run through these. So, LLMNR, we just kind of talked about it. Disable it. It’s a super easy thing to disable. Typically doesn’t break anything, but if you’ve got a ten year old legacy environment, you want to look into it first.
But if you’re setting up a new environment, first step, shut it off on your domain. We’ve got a blog post there that tells you how to do that with some screenshots. Super, super easy to do. And, Jordan, let’s talk about LAPS.
Jordan
Excellent. Love this tool. This is something that you should deploy now, there’s no reason not to. And whether or not your environment is ready for this, basically you run a PowerShell script that extends your schema by these two attributes.
We are going to. In the next slide, go ahead and go. We are going to deploy that installer via group policy, which we saw in the previous. We’re going to extend the schema by two attributes.
We’re going to allow systems in a container we like, whatever container we’re applying LAPS to, to write back into those attributes, and then we are going to limit access to the attributes, make them confidential, right, to everyone except our privileged group.
So that’s what we’re doing here. Then we can go to our LAPS UI and say I need the AD password for, or I apologize, the administrator password, local administrator password for this computer.
Boom, there it is, done, problem solved.
Kent
The other side of that is you’d have a group policy that set a local administrator password and username for all the workstations in an environment, right? And then the attacker only needs to find that one password and they immediately have local admin on all of those workstations.
What LAPS does instead is it creates those user accounts and those passwords and allows those passwords to rotate all the time. No longer can an attacker get one password and potentially have attacks on all the systems across the entire domain based off local security access.
So application whitelisting is somewhat controversial, but it’s still becoming more mainstream. The really cool part is you don’t need extra products to do it, but extra products might make it more helpful or easier to use, user friendly.
So there’s products out there that already exist in Windows. AppLocker’s out there. You can also do things like hash based signatures, code signing from Windows itself without other products.
Give more on that.
Jordan
Well, yeah, no, I don’t think so. SubTee is too good to let this slide roll by without mentioning. Yes, we know you can gain execution in about 3000 different contexts.
I think he’s probably figured out how to use calc to run code. So regardless, our point here is it’s time to think about application whitelisting.
It’s time to layer our defenses, which is required. There’s some more slides coming up, I think the next slide, go ahead, where we talk about actually identifying the executables we don’t want to run, and not necessarily by the name and location, which is easily bypassable, but by the publisher.
So these are rules we configured. It makes it so much more difficult on a pen test or as an attacker to gain a foothold if I can’t get to cmd.exe, if I can’t get to SysWOW64 PowerShell_ISE.exe, which is nice when it’s there, but if you’re restricting it in this way, it’s factors more difficult.
Kent
Yeah, and the idea here is to apply multiple attributes for your whitelisting. So an example is a lot of antivirus software, and they’re looking for malware. If they find PowerShell inside of an application, it’s like, oh, that could be bad.
But if you make it “power” and then break it to the next line and then “shell,” it allows it right through because it doesn’t recognize it as PowerShell. So things like that, you want to use the multiple attributes to identify your whitelisting.
And I think that would help out.
Jordan
I have renamed PowerShell.exe and bypassed, I think it’s the restrictions, software restrictions or something. So it just depends on how it’s configured and deployed.
Kent
So you had a recent engagement where Sysmon was used and oh my gosh.
Jordan
There wasn’t a single thing we executed on this environment that the customer wasn’t like, hey, I see you running long PowerShell scripts. Hey, I see you attempting to bypass our firewall with SSH.
I mean, it’s amazing. So we’re mentioning Sysmon because it can provide a layer of visibility to your workstations and your environment that you may not have now. So the script, or the configuration file, linked at the bottom of this slide covers almost everything, is well maintained and is very interesting, curious,
Kent
What’s the quote on Sysmon? How much, how many thousands of dollars is that?
Jordan
I assume this is a joke. You’re being sarcastic again. I think we’re at $0 so far. Besides the AWS environment, you gotta pay for Windows.
Kent
Oh, actually in Amazon, the really cool part that you told me is the licensing for Windows is baked into their solution. So that kind of covers user.
Jordan
CALs, covers remote access, covers Windows licensing, everything.
Kent
All right, so moving on. Sessions left lying around. This is really cool and it kind of brings back to BloodHound and how that all works. But I’ll let you.
Jordan
Sure, yeah, I mean, the goal of a pen tester, the goal of an attacker is to extend access in any possible direction they can. Right. If I find a user, I’m going to use BloodHound to see if that user can see other things in the environment.
Yes. As the user, I’m generally handed on a pivot. I have domain context, so I can go use BloodHound to identify interesting sessions that may be around the environment and where even my account might have administrative access.
But something Mike says, creds are king, right? We want more creds. We want to be able to get further. We want to find systems where I’m a local administrator where there’s a DA session so we can Mimikatz.
Kent
Absolutely. And, that brings in, limit your local administrators and obviously, so.
Jordan
We’re talking about the inactivity timer group policy, right? That’s what we’re talking about.
Kent
Yeah.
Jordan
I was waiting for that. No, we are not. It’s hard to log out inactive domain admin, accounts. It’s hard to log out any account that is inactive on a system where the system is still on.
Kent
Yeah, so I think I’ve seen environments where you have to like have an application running that looks for user input, and if it doesn’t have it, even if the session is already locked, after an additional set of time, finally it actively logs that session out.
And that’s like not super easy. Yeah.
Jordan
So, Martin’s asking an interesting question. Is MFA a good mitigation against password spraying? If we went back to the ATT&CK tactic slide where we show Burp. I’m going to send credentials and intercept them with Burp to your authentication portal.
Then I’m going to run an entire list of users against a password that I’ve chosen. I can tell the accounts that I have valid credentials for based on the response. So the response changes on an account.
I go, look, it says successful authentication. Now, MFA, we have valid credentials, but we don’t have access yet.
Kent
Also, MailSniper will bypass.
Jordan
MFA on OWA, assuming you leave EWS lying around.
Kent
Yes. Thank you. There’s two pieces to that.
Jordan
Yes.
Kent
The key thing here is just layer it like an onion, right?
Jordan
Yes. So the slide we have here talks about, hackery for systems. So you deploy an application on all your systems that monitors inactive sessions and yes, then they get logged off.
So to address your question, Tim.
Kent
All right, so this is our last slide too, and I’ve got some last minute things to bring up. Get a pen test, scan, clean up, repeat. Consulting with Black Hills Information Security, awesome.
But again, the point here is get a pen test, scan yourself, clean up, and do it over again. And do it over again. And do it over again, and do it over again. That will make your security posture just continually get better and better.
Don’t disclose internal network knowledge externally. So if you’ve got OWA set up, if you’ve got a web server set up that you’re hosting on the Internet, go run that through Burp. Make sure that you’re not having your local IPs in there or your local domain names, anything like that. You don’t want to expose that. Exchange is a whole other basket of low-hanging fruit, cough, MailSniper. BitLocker, all the things. Empower your support team and help desk.
So my background is, I ran a helpdesk for quite a while. Empower them, get them in touch with HR, let them work with HR, let them understand and work through the business policies and procedures.
Let them make your security posture better. Don’t just think that they’re there to answer the phone calls. They are your eyes and ears on the ground in a security context, and they’re gonna be the ones that are there first. So make sure you utilize them and empower them.
Jordan
Yeah, don’t expose EWS. I might not understand all the technical back end of Exchange, but I don’t believe it needs to be exposed for Exchange to function properly on the Internet.
Kent
I have a process that requires managers to confirm password resets of direct reports. So the example is that, hey, I forgot my password. The next thing should be, I need to go talk to my supervisor, and the supervisor needs to talk to IT, or HR or whatever.
It should not be that I just call the helpdesk and get my password reset. There’s a lot of products out there that actually utilize multiple forms of authentication and identification to allow a single user to reset their own password.
It can work, but ultimately, if you have that stopgap in there where you’re requiring a supervisor to do it, it’ll do two things. Increase your security posture, and it might help your employees remember their passwords because they don’t want to have to go to their supervisor and ask, hey, I forgot my password.
That’s never fun. All right, I think there was some questions we want to go over.
Sierra
There were, and I’m not sure if you just answered part of this because I was responding to somebody, but Robert was wondering, obviously, any suggestion on securing EWS?
And is there any real difference with EWS in Microsoft’s cloud versus on-prem client access?
Kent
So you don’t need EWS exposed for typical mail flow, right. You need EWS for web services on, like, your phone, to use OWA, things like that.
But just to receive mail to your mail server and to be able to send mail, you don’t need those services turned on, or at least not exposed to the external Internet. That said, if you tell someone, hey, yeah, you can’t actually check your email on your phone or on your laptop because you’re not inside the on-premise network.
That’s kind of painful, right? And it’s not conducive to business. But look at setting up VPN, look at setting up mobile device management. Some mobile device management applications will allow you to take the Outlook application on the phone and say this application must use this VPN.
So then you’re allowed to basically shut off EWS entirely, and you’re going to utilize that VPN for that application to access those mail services and get email that way. You could technically in that way completely remove your exposure of mail to the Internet and just utilize those VPNs for those applications.
Jordan
So then I guess just a wrap, right? There’s going to be some more questions, but what we’re saying here is the basis of everything we do as pen testers can be slowed down. Are we red teaming your organization? Improve your password policy.
Do things like don’t expose OWA. Are we doing a wireless pen test? How long are your passwords? Are we going to be able to crack them? Assuming we do trick one of your users into connecting to our evil AP.
Are we doing an internal pen test where we scan everything and you give us access? Improve your password policy. Right. Everything we do generally boils down to the length of the passwords on your network and whether we can extend our access easily or not.
Kent
Real quick, John asked if a domain admin could scan domain user password hashes and compare them to domain admin password hashes. LanMan? Yes. However, if you’re not storing LanMan password hashes, no, because Active Directory salts those user account hashes.
So you wouldn’t be able to do that. They wouldn’t match left to right. You’d have to be able to salt them and compare the salts.
Sierra
All right.
Jordan
And then you would have to unsalt them.
Kent
You’d have to unsalt them or salt your check. Yes.
Jordan
Device Guard has some awesome.
Sierra
Hold on. We have some people who will probably need to leave. So I just want to announce the winners of the cubicles and compromise and the t shirt.
So our first winner is Derek Burke. If you are here, let us know in the comments. Derek Burke is our first winner.
And then for our second winner we have Ken McFerrin. I hope I pronounced that correctly. So let us know if you’re here in the comments.
Derek Burke, Ken McFerron. And then in the meantime we do have a question from Martin. let me go back up and find this here.
Jordan
We also had someone named, I don’t want to register, please, blah. With a very good question.
Sierra
Well, go ahead with that.
Jordan
Okay, absolutely. So Device Guard, again, is a Server 2016 based deployment. It includes things like hypervisor monitoring. So you can now install Windows Server on the virtualization platform of your choice and still have it monitor boot kernel processes in a meaningful way.
If I’m running malware and I have an opportunity to inject through the heap some kind of nasty thing into boot, Device Guard can help. Are we going to deploy code integrity policy?
Yes. Check. Please do this. This is a huge step forward for Windows. Now, I can’t run malware that I don’t sign in your environment. This is amazing. This is a huge step.
And yes, you can force this down to your Windows 10 systems. I haven’t read enough about it to know if it goes backwards in time to Windows 7. But now if I’m looking at an upgraded domain, I definitely want to get to 2016 functional level across the board.
I mean, yes, it’s hard, but it’s worth it.
Kent
Jason had a quick question here. He said if currently passwords are less than 15 characters, and they make them more than 15 characters, what happens to the LanMan hashes? Gone, or will they stay?
I believe, and they will be. They’re gonna stay there, will they not? No, they’re wiped by Windows on the next password change.
Jordan
Yes. If you change your previously stored LanMan hash to a password of greater than 14, which is 15 or better, it will not be stored as LanMan.
Kent
Correct. But the key thing there is the user does have to change.
Jordan
They stay in the history. That’s super interesting.
Kent
That, is very interesting.
Jordan
There was one more question about LLMNR I wanted to talk about, where somebody asked about the implications of, say, I run IPv6 on an internal network and I disable LLMNR.
Now, I don't know the answer to that question, but it is a very interesting one. Right. If I'm using anycast to resolve my router, find routers on my network, I don't necessarily need LLMNR to do that.
But the advertisements in DHCPv6 are LLMNR, and my... I think, like, if I understand... So I don't know.
All right, that's a very interesting question. Worth some time.
Sierra
Yes, we did have one winner. So I'm going to pick one more and give them another chance to win here. We've got Ryan Tucker. Let us know if you're here in the comments.
And I don't know if this was the exact question that you just answered. But what about if you have legacy stuff like an AS/400 that needs LLMNR?
Jordan
Yeah. And you can't turn that off? That happens.
Kent
Yeah.
Jordan
So thank you again. If any of you have to leave, thank you so much for coming and joining us and listening. We want to share. We're going to continue sharing. It's just the ethos of BHIS. Yeah.
Sierra
And this will be recorded so you can always come back and watch it.
Kent
What is the status, the support status, of an AS/400 these days?
Jordan
That’s tough. I have no clue.
Kent
Yeah. I mean, I know AS/400s are still around. I know they're still used everywhere. And I was... people still use green screens on them. Whether or not that correlates to using them as legacy, and how they can work with Windows 2016, it's a great question.
Ultimately, if you have to use LLMNR, excuse me, if you have an AS/400 and you have to use LAN Manager hashes to authenticate with it, that's kind of a big hole.
It really is. We'll maybe look at the couple-million-dollar project to move that into an AWS cloud. Yeah, that's pretty tough. I mean, what I can say about that is you're dealing with legacy, and that's the one thing I've brought up throughout this whole thing: that's the key headache.
Right. This is easy to set up if you're setting it up the first time. It's a lot more difficult if you're looking at legacy stuff. And certainly with an AS/400, you're gonna feel that pain. That said, I wouldn't deactivate LAN Manager hashes, because you could potentially destroy your authentication mechanism for the AS/400.
But try it. Get a development setup and try it, see what happens. I suspect it would probably fail if it's reliant on it.
But there also might be middle-tier services that you can put in there that allow a military authentication service as a stopgap until you get that million-dollar project pushed out to get that converted.
Jordan
There’s still a lot of people here. If you guys have more questions. We have time, definitely.
Sierra
We did get both of our winners. So thank you to those who let us know that you're here. And also, there's always next time. We do have stickers. I don't know, for some of those who weren't here at the beginning, we have BHIS stickers.
For those who didn’t win any prizes, just go to blackhillsinfosec.com stickers and then enter your info.
Kent
There's a comment we're gonna laugh at. We can't repeat it. Thanks, Christopher. You made us laugh.
There was a question. DACLs and SACLs, I love it.
Jordan
How about icacls? Let's just swing.
Kent
Do it.
Jordan
I love this guy’s knowledge about Microsoft. Here we go.
Kent
Okay, so DACLs, SACLs, icacls. What I would suggest is doing it all from the command line, because you can, and you can essentially enumerate all permissions with icacls.
And bear with me. I'm thinking about seven, eight years ago when I did this last. So you have to bear with me, but write a loop inside of a batch file, export all of that to a CSV, import that CSV into Access, and then you're able to make SQL queries in Access off your... Incredible.
So you can definitely do that. It's really interesting. I haven't heard anybody say those words in seven years, so thank you for that.
Jordan
God, that's awesome. Yeah, I used to use... I remember our last domain migration. icacls and all that magic.
Kent
Yes, absolutely. Look at... I know it's silly, but look at command-line stuff. Write a loop that goes out and looks at every file share and every file, dump all those ACLs to an Access database, and then run queries off of them.
And maybe put an intern on that, and that will help.
Jordan
Appreciate you, Jose. Thanks for joining, really.
Sierra
And if you guys have any more questions, go ahead and email us. Go ahead and email Sierras co and we will get your questions answered. So thank you, Jordan.
Kent
Thank you, Ken, for... thank you, Sierra. Thank you guys so much. You've been awesome. Have a great afternoon.