Microsoft is bringing new and much-requested improvements for locking down and narrowing privileged access in the corporate network with Windows Server 2016 and Windows 10.

When reading about major attacks against services in the past years, most of them have been about credential theft. Hackers focus on the weakest link, which is unfortunately the human being. This is even more severe when it's the admin's credentials in question.

A common attack has three phases:

1. Initiate: The attacker will search for freely available information (read: social media) to gain a foothold in the organization.

2. Escalate: Gaining momentum inside the network with pass-the-hash and pass-the-ticket.

3. Payload: Now that the hacker is free to roam, he/she might launch an "in your face" ransomware, or worse, mine and extract sensitive data for months - maybe even years.

So, what to do?

As said, MS is bringing much-requested tools for mitigating hacker roaming inside the network. MS suggests that you put your energy into phase two; phase one is supposedly too costly to block. I wouldn't be too sure about that.

Blocking Phase #1 (research and preparation) is extremely difficult and requires an inordinate amount of procedures, discipline and training that is likely only practical for government agencies with an organizational culture of secrecy.

I believe that education is key in every application of security inside the organisation. As said, we human beings are the weakest link, so steps should always be taken in the organisation to force out bad habits, e.g. bad passwords. Still, there's always the possibility of something like what happened in Turkey: a massive leak of personal data.

Daddy has some new tools!

So what are the exciting new tools to detect hacker roaming inside the corporate network and make lateral movement difficult?

  • Just-in-time administration. Limits the time that a user or group has administrative rights.
  • Just enough administration. Removes static and wide-reaching administrative permissions, and assigns only a specified group of tasks to admins. Though this is something that has been done in the past and is not a very new concept.
  • LAPS, or "Local Admin Password Solution". Generates a random local admin password for servers and end-user hardware.
  • Credential Guard. My personal favorite and a direct challenge to pass-the-hash and pass-the-ticket attacks. Credential Guard protects NTLM hashes and Kerberos tickets by providing a closed virtualized environment (Local Security Authority, or LSA) to store secrets. The LSA is only accessible from the host OS indirectly, through remote procedure calls that the LSA uses. The drawback is that Credential Guard's requirements are pretty extensive, especially keeping SMB organisations in mind; the need for a Windows 10 Enterprise license in particular can be a turn-off.
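As an added example (not from the original post), this is what "just enough administration" looks like in practice: a PowerShell JEA endpoint that lets a helpdesk group restart two named services and nothing else, running as a transient virtual account instead of a standing admin. The module path, role name, transcript folder, the AD group `CONTOSO\HelpdeskOps` and the service names are assumptions; run it elevated on the server being delegated.

```powershell
# Assumed names: module folder, role capability, AD group and services are placeholders.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# JEA discovers .psrc files through a module's RoleCapabilities folder on $env:PSModulePath.
New-ModuleManifest -Path (Join-Path $ModulePath 'HelpdeskJea.psd1')

# Role capability: an allow-list of what the role may run. Everything not listed is invisible.
$RoleParams = @{
    Path           = Join-Path $RoleDir 'HelpdeskTasks.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        # Restart-Service is exposed, but -Name is pinned to two values: no restarting LSASS-adjacent
        # or arbitrary services through this endpoint.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
}
New-PSRoleCapabilityFile @RoleParams

# Session configuration: who gets which role, and under what identity the work runs.
$SessionParams = @{
    Path                = Join-Path $env:TEMP 'Helpdesk.pssc'
    SessionType         = 'RestrictedRemoteServer'   # no scripting language, only the exposed commands
    RunAsVirtualAccount = $true                      # local admin only for the session's lifetime
    TranscriptDirectory = 'C:\JeaTranscripts'        # every session is recorded for review
    RoleDefinitions     = @{ 'CONTOSO\HelpdeskOps' = @{ RoleCapabilities = 'HelpdeskTasks' } }
}
New-PSSessionConfigurationFile @SessionParams
if (-not (Test-PSSessionConfigurationFile -Path $SessionParams.Path)) {
    throw 'Session configuration file failed validation'
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $SessionParams.Path -Force | Out-Null

# Verify the narrowing from the user's side: only the allow-listed commands are visible.
# Helpdesk users connect with: Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
Invoke-Command -ComputerName localhost -ConfigurationName Helpdesk -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
```

The helpdesk member never receives the server's administrator password or group membership; the virtual account exists only while the session does, and the transcript folder gives the SOC a record of what each delegated session actually ran.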

All-in-all, I'm excited to see these tools come into play. I find the lateral prevention especially important, and something that we really haven't seen in MS based domains before. I'm definitely going to put on my tightest tinfoil hat in my next customer audit meeting.