blog < /dev/random

May 24, 2012

What to do with the local Administrator account?

After my last post with the local Administrator randomization script got some attention from John Strand (@strandjs), Tim Medin (@timmedin), and Tim Tomes (@LaNMaSteR53), I realized the issue what to do with local Administrator accounts was considerably more complicated. Here’s my attempt to map out the different possibilities.

As background, be sure you know that resetting a local Administrator (or bypassing it entirely) is trivial given physical access to a machine (via NT Password Reset, Kon-Boot, or similar utilities). Offline registry attacks assume there’s no drive encryption in place. The two types of attackers I’m assuming below are external (as in a penetration tester or malicious hacker) and internal, as in employees or contractors. I assume the external attackers don’t have physical access to each machine in the domain, as that would defeat any of the recommendations below.

In order of least to most secure, here are the basic options I see:

Standardized local Administrator password on all domain-joined machines. While convenient, this is a horrible idea security-wise. Brief physical access to any domain-joined machine to acquire the hashes gives Administrator access to all machines in the domain via passing the hash. Though this is exactly what I’m trying to combat, it’s a likely situation in many shops. Some will mitigate this slightly by having a different desktop password than the server login, but that doesn’t help for long. At some point, a Domain Administrator will be logged on to a desktop, and stealing his/her token will result in Domain Admin privileges. Please, please don’t choose this option.
Standardized on a local Administrator password, but also set SeDenyNetworkLogonRight on that account. Make sure to still set a reasonable length (15+ characters) password on that account. In this situation, any employee who was told this password (say, a remote laptop user) could then abuse that privilege on any machine he/she can get physical access to until the password is changed. I’ve been to many places where the local Administrator “break-glass” password is fairly common knowledge among end users. I urge you to not choose this option, either.
Individualized (not randomized) local Administrator passwords. Set SeDenyNetworkLogonRight for the local Administrator as in #2, but also include individual passwords for each machine. This prevents a single password having rights throughout the domain, but adds complexity. I don’t know of any shops going this route, but it seems reasonable.
Randomized local Administrator passwords. Setting SeDenyNetworkLogonRight should be unnecessary, but is a harmless additional precaution. This was the focus of my previous blog article. In order to use the account at this point, you’ll need to either reset the password using NT Password Reset (or similar), or bypass it entirely using Kon-Boot. Do note that this is the same method an attacker would use to get local Administrator privileges. Disabling the account is optional, but precludes Kon-Boot (which bypasses the password, but respects whether or not an account is enabled). The biggest downside I’ve experienced thus far is the lack of a way to help a remote (i.e., not domain-connected) user who needs administrative access to their machine.

Do you need to access machines remotely using the local Administrator account? Since we’re discussing domain-joined Windows machines, the use cases for this requirement are small. The two situations I see this need are machines that aren’t connected to the domain (assuming Domain Admin credentials aren’t cached, which is a topic for a different blog post), and accessing machines that are infected or untrusted (as the domain token could be stolen and re-used elsewhere).

If so, be careful! This is where most people get into trouble. Standardizing on a local Administrator password means that anyone with brief physical access to any one of those machines can use those same credentials (without cracking the password hash, even) on all machines in the network. If this is both scary and new information, look up “Pass the Hash” attacks.

If you’re still sure you need remote access to machines using the local Administrator accounts, you’ll need to ensure the same password isn’t used across all machines in your domain. In other words, we’ll need to make those passwords individualized to each machine. These individualized passwords can be created using the output of a hashing algorithm seeded with some unique identifier of the machine together with a secret padding. If we can guarantee the padding isn’t disclosed, we’ll have a fairly secure password. The output of the SHA-1 algorithm is 160 bits, expressed as 40 hexadecimal characters. Plugging that output into Jason Fossen’s password complexity spreadsheet gives us an output of 1,157,804,805,602.22 years to crack an average password of that length directly, with 1,000 machines each generating 200,000 hashes per second. Needless to say, an attacker would be far better off trying to discover the method used to create the passwords (including the secret padding) than to attack each password individually.

The biggest concern for individualized passwords is setting them. My preferred approach, Group Policy, would show the secret padding, as it would have to be in the script. Accordingly, we’ll need to push out the individualized passwords from a trusted computer, setting the passwords on each remote machine. Unless I get requests otherwise, I’ll leave the actual individualized password script as an exercise for the reader.

1 comment

December 6, 2011

Delicious RSS Feed

I’ve recently started putting my bookmarks into Delicious. I have categories for Systems Administration, Security (mostly pen-testing), and Forensics.

This should obviate the need to put up “look, a shiny new link!” posts up, which has been otherwise quite tempting.

Here are a few examples of bookmarks to look at:

Solving the NIST Hacking Case with RegRipper

Configuring a Power Plan with Group Policy Preferences

10 Immutable Laws of Security

If you’re interested, you can add my feed to your RSS reader of choice.

October 25, 2011

Review of Top-Down Network Design Posted

Amazon has just posted my five-star review of Top-Down Network Design (3rd Edition).
.

From the review:

Whereas most other networking books focus on one technology or one aspect of network design, Oppenheimer really does guide the reader through designing a network in a top-down (gathering requirements to documentation) fashion. Overall, the book takes you from a 30,000 foot view to about a 2,000 foot view. Despite Oppenheimer’s Cisco-focused background and being published by Cisco Press, her book admirably avoids plugging Cisco as the end-all-be-all solution. Overall, I would recommend this book for all parts of network design, and recommend others for the actual IOS/device configuration (which Top-Down Network Design avoids).

As others have identified, the books is divided into four sections. The section titles are descriptive enough, so I’ll just point out the highlights by chapter instead.

The first chapter covers an introduction to network design, including analyzing business goals and constraints. It emphasizes the need for the network design to make “business sense,” as in justify the business itself. Constraining the network design to the budgetary and staffing constraints of the customer is also important — after all, what good is a highly-reliable, highly-complex network to a CCENT-level network engineer who can’t make necessary modifications without taking down the network?

The fourth chapter relates to the network traffic of the existing network. By categorizing users into “user communities” based off job role (usage of sets of applications) and categorizing the traffic flows themselves, one can describe at a high level the network flow while still providing useful data for technical purchase decisions. The traffic flows are categorized into groups such as peer-to-peer, client/server, server-to-server, terminal/host, and distributed computing.The traffic is also displayed by frame size, broadcast/multicast/unicast type, and error rate to give useful data. QoS requirements for voice and other sensitive applications are also discussed, as are different service categories based off the Asynchronous Transfer Mode Forum definitions.

I appreciate this model, as without these abstractions it’s tough to talk about network flow at a high level without losing specificity.

In chapter six, there’s a sizable section on naming schemes, especially in the Windows world. The “Guidelines for Assigning Names” section is full of solid advice, though the section on WINS can probably be safely removed in the next edition.

Chapter seven is mostly focused on the actual switching and routing protocols, but also covers the creation of decision trees to assist with protocol selection. Table 7-5 on page 230 is a *very* handy summary of the routing protocols covered in the text.

In the last chapter, number 14, Oppenheimer gives a summary of top-down network design by going through the steps of the design methodology, which I found very useful. She also highlights the importance of the network design document, details how to respond to client RFP’s, and then goes over the sections of the network design document in detail.

I found this to be an extremely useful book for its intended purpose. Top-Down Network Design will be a text I refer to for any network design needs I encounter in my future.

Full disclosure: I do know Priscilla Oppenheimer. I have taken several classes from her in networking and network forensics.

October 3, 2011

Randomizing the Local Administrator Account Password

UPDATE: Upon further discussion with information security professionals, I’ve expanded on the subject of local Administrator accounts here.

As systems administrators, we sometimes need access to a given machine without domain credentials. But, in all honesty, how often do we really need access in this fashion? In a proper environment Most of the rationale behind “standardizing” on a local Administrator password I’ve seen has been to support other bad practices, like giving out the password to end-users to solve a one-time or letting service accounts run as a named user.

Below I’ve included a sample VBScript to randomize the local Administrator password. If you don’t use the local account in any day-to-day work, you may as well not leave this gaping security hole out there. Try placing this script in a Group Policy machine startup script. Just copy-paste the full code into a new Notepad instance, click save, then put “password.vbs” INCLUDING quotes into the path. This is necessary to retain the non-default extension (as otherwise Notepad puts the standard .txt extension on the file). Remember the path, then add it to an existing Group Policy Object or create a new one. Once you’ve opened the GPO, the full path is Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup. Click Add, Browse, point to the script, and press OK on the two screens. Close the GPO, apply it to a test OU, and you’re well on your way! If you have any issues you can always back out of the changes.

' A simple script used to randomize the local Administrator account password
' and disable/enable the account
'
' Written by Jeff McJunkin (@jeffmcjunkin, jeffmcjunkin.com)
' May be reused without permission, as long as the original source is attributed

Set WshNetwork = WScript.CreateObject("WScript.Network")
strComputer = WshNetwork.ComputerName

strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")

intHighNumber = 255
intLowNumber = 1

password=""

For i= 1 to 120
	Randomize
	intNumber = Int((intHighNumber - intLowNumber + 1) * Rnd + intLowNumber)
	password = password & Chr(intNumber)
Next

objUser.SetPassword password

' If you use something like Kon-Boot instead of NT Password Reset,
' it can be useful to leave the account enabled. In that case,
' set the following line to False

objUser.AccountDisabled = True
objUser.SetInfo

1 comment

Follow “blog < /dev/random”