Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security [email protected] | .
Kerberos Underworld
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
AN INTRODUCTION
The topics
• The hell of Windows authentication mechanisms
  • Basic, NTLM, Kerberos
  • Certificates and smart cards or tokens
• How they work differently
• What is better or worse
• Weird and weirder things that you may not know
And the environment
• Windows 2000 and newer
• Active Directory domains
• Maybe some trusts or multidomain forests
• Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers
NETWORK INTERACTIONS
Local Logon
[Diagram: Client (2000+) and DC (2000+) talking Kerberos, LDAP and SMB. Labels: TGT: User, GPO List, GPO Download, TGS: LDAP, CIFS; CTRL-ALT-DEL Password]
• Password is stored in memory only
  • LSASS process
• In the form of MD4 hash
  • never given out
Authentication Interactions in General
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). Labels: Kerberos, TGT: User, TGS: Server (in-band), App Traffic, SMB / D/COM, NTLM occasional PAC Validation, D/COM Dynamic TCP, NTLM Pass-through]
The three authentication methods
• Basic
  • plain-text password
  • results in Kerberos authentication
• NTLM
  • hashed password (MD4) method from the past
  • LM (DES), NTLM (DES), NTLMv2 (MD5)
• Kerberos
  • hashed password (MD4) plus RC4/DES or AES
  • mutual authentication and delegation
  • can use certificates instead of passwords
Basic and RDP Network Logon
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). Labels: App Traffic, in-band clear text, Kerberos TGT: User]
NTLM Network Logon
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). Labels: App Traffic, in-band NTLM hash, pass-through NTLM hash, SMB / D/COM, D/COM Dynamic TCP]
Kerberos Network Logon (basic principle)
[Diagram: Client (2000+), Server (2000+) and DC (2000+). Labels: Kerberos, TGT: User, TGS: Server (in-band), App Traffic]
Kerberos Network Logon (complete)
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). Labels: Kerberos, TGT: User, TGS: Server (in-band), App Traffic, SMB / D/COM, occasional PAC Validation, D/COM Dynamic TCP]
PERFORMANCE COMPARISON
NTLM Network Logon
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). CPU labels: 60 % CPU, 55 % CPU]
Kerberos Network Logon, no PAC Validation
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). CPU labels: 60 % CPU, 0 % CPU]
Kerberos Network Logon with PAC Validation
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). CPU labels: 60 % CPU, 0 % CPU, 14 % CPU]
Basic Authentication
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). CPU labels: 5 % CPU, 0 % CPU]
NTLM Performance Issues
[Diagram: DC, Server and 7 concurrent Clients. Label: 40 sec.]
NTLM Trusts
[Diagram: D\User accessing A\Server across trusts; DC A, DC B, DC C, DC D]
Kerberos Trusts
[Diagram: D\User accessing A\Server across trusts; DC A, DC B, DC C, DC D]
WE WANT KERBEROS, SO WHAT?
Basic Facts
• Do not use IP addresses
• Configure SPN (service principal name)
• Have time in sync
• Use trusted identities to run services on Windows 2008 and newer
  • instead of AD user accounts
  • no PAC validation
• Enable AES with Windows 2008 DFL
Trusted Identities – Network Service
Trusted Identities – Service Accounts
Trusted Identities – AppPoolIdentity
Trusted Identities – Managed Service Account
IDENTITY ISOLATION FOR SERVICES
Identity Isolation
• Services on a single machine
• Services that access other back-end services
Windows Identities
Identity                | Password                    | PAC Validation | Local Isolation               | Network Isolation | Operating System
SYSTEM                  | random, changed 30 days     | no             | Administrators, no isolation  | no                | 2000
AD User Account         | administrator changed ???   | yes            | Users, isolated               | yes               | 2000
Network Service         | random, changed 30 days     | no             | Users, no isolation           | no                | XP
Local Service           | no network credentials      | no             | Users, no isolation           | no                | XP
Service Account         | random, changed 30 days     | no             | Users, isolated               | no                | Vista / 2008
Managed Service Account | random, changed 30 days     | no             | Users, isolated               | yes               | 7 / 2008 R2
SMART CARD LOGON
Smart Card Logon
[Diagram: Client (2000+), Server (2000+) and two DCs (2000+). Labels: Kerberos PKINIT, TGT: User, TGS: Server, App Traffic]
Smart Card Logon and NTLM
[Diagram, two slides: Client (2000+), Server (2000+) and two DCs (2000+). Labels: TGT: User, TGS: Server, NTLM Hash]
DELEGATION
Basic Delegation
[Diagram: Client, Front-End Server, Back-End Server, DC. Labels: Password, TGT: User, TGS: Back-End]
Kerberos Delegation Options
Kerberos Delegation (Simplified)
[Diagram: Client, Front-End Server, Back-End Server, DC. Labels: TGT: User, TGS: Front-End, TGS: Back-End]
Protocol Transition
[Diagram: Client, Front-End Server, Back-End Server, DC. Labels: Nothing (client to front-end), Kamil, TGS: Back-End]
GROUP MEMBERSHIP
Group Membership Limits
• AD Group in forest with 2000 FFL
  • 5000 direct members limit
• AD Group in forest with 2003+ FFL
  • unlimited membership
• Kerberos Ticket
  • network transport
  • limited to 8 kB on 2000 and XP
  • up to 12 kB on 2003+
• HTTP.SYS header limits
  • 16 kB of Base-64 encoded tickets
• Access Token
  • local representation of a logon
  • up to 1025 groups including local and system
Kerberos Ticket (PAC)
User: Kamil, S-1-5-Prague-1158
Group             | Scope        | Domain | SID / RID          | Size
Prague Marketing  | Global       |        | 3082               | 8 Bytes
Prague Sales      | Global       |        | 3083               | 8 Bytes
Paris Visitors    | Domain Local | Paris  | S-1-5-Paris-2115   | 40 Bytes
Roma IS           | Domain Local | Roma   | S-1-5-Roma-1717    | 40 Bytes
Prague Documents  | Domain Local | IDTT   | S-1-5-Prague-3084  | 40 Bytes
Business Owners   | Universal    | IDTT   | 3085               | 8 Bytes
Employees         | Universal    | Paris  | S-1-5-Paris-2116   | 40 Bytes
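The two slides above (the ticket and header size limits, and the per-group 8-byte or 40-byte PAC entries) can be combined into a size check. The following is an added example, not code from the presentation; the 1200-byte fixed base is an assumption borrowed from Microsoft's published token-size estimate, and the group list is a constructed sample modelled on the slide's user Kamil.

```python
# Added example: estimate a user's Kerberos PAC size from group memberships and
# check it against the slide's limits. Per-group sizes follow the PAC slide:
# 8 bytes (RID only) for a global/universal group in the user's own domain,
# 40 bytes (full SID) for a domain local group or a foreign universal group.
from dataclasses import dataclass

BASE_OVERHEAD = 1200           # assumed fixed base (Microsoft estimate), not from the slides
LIMIT_2000_XP = 8 * 1024       # slide: 8 kB on Windows 2000 and XP
LIMIT_2003 = 12 * 1024         # slide: up to 12 kB on 2003+
LIMIT_HTTPSYS_B64 = 16 * 1024  # slide: 16 kB of Base64 in HTTP.SYS headers

@dataclass(frozen=True)
class Group:
    name: str
    scope: str    # "Global", "Universal" or "DomainLocal"
    domain: str   # domain that holds the group

def group_bytes(group: Group, user_domain: str) -> int:
    """Bytes this group occupies in the PAC, per the slide's 8/40 rule."""
    if group.scope == "DomainLocal":
        return 40
    if group.scope == "Universal":
        return 8 if group.domain == user_domain else 40
    if group.scope == "Global":
        return 8
    raise ValueError(f"unknown group scope: {group.scope}")

def estimate_pac_bytes(groups, user_domain: str) -> int:
    return BASE_OVERHEAD + sum(group_bytes(g, user_domain) for g in groups)

def base64_bytes(raw_len: int) -> int:
    return 4 * ((raw_len + 2) // 3)   # Base64 length including padding

def check_limits(pac_bytes: int) -> dict:
    """Which of the slide's transport limits the estimated PAC still fits."""
    return {"fits_2000_xp": pac_bytes <= LIMIT_2000_XP,
            "fits_2003": pac_bytes <= LIMIT_2003,
            "fits_httpsys": base64_bytes(pac_bytes) <= LIMIT_HTTPSYS_B64}

def headroom_40byte_groups(pac_bytes: int, limit: int = LIMIT_2003) -> int:
    # how many more domain local / foreign universal groups fit under the limit
    return max(0, (limit - pac_bytes) // 40)

# Constructed sample modelled on the slide's user "Kamil" from domain "Prague".
KAMIL_GROUPS = [Group("Prague Marketing", "Global", "Prague"),
                Group("Prague Sales", "Global", "Prague"),
                Group("Paris Visitors", "DomainLocal", "Paris"),
                Group("Roma IS", "DomainLocal", "Roma"),
                Group("Prague Documents", "DomainLocal", "Prague"),
                Group("Business Owners", "Universal", "Prague"),
                Group("Employees", "Universal", "Paris")]
```

Note that 12 kB of raw ticket becomes exactly 16 kB once Base64-encoded, which is why the HTTP.SYS header limit on the slide lines up with the 2003+ ticket limit.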
TAKEAWAY
Takeaway
• Kerberos is most secure, flexible and performance efficient
• Don’t be afraid and play with them!
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!