Credentials harvesting should not unlock your network!
A hacker or cyber-criminal who has gained access to a corporate network will begin to explore it, looking to identify resources and acquire the privileges needed to reach them. A good place to start is the machine the hacker already controls: harvesting account credentials from the credential manager, the registry, active memory, the Windows vault, browser caches, and so on. The hacker does not even need remote control over a target PC; well-designed software carried in through a phishing web page or attachment will suffice.
This blog is focused on an administrative model designed to prevent the credentials of privileged accounts from being cached on any computer located on the user network, so that nothing a hacker gleans from such a computer grants management rights. Further, no management role has the right to grant elevated rights to a user account, further restricting the options of a hacker.
Four management roles will be defined, with enforcement of use restrictions such that it becomes very difficult for a hacker to gain access to an account with useful administrative rights. There are two topics to discuss, then: i) the particulars of the four management roles; ii) enforcement of these policies.
Tiered Logon Protocol works hand-in-hand with a segmented network. All on-site and remote access should terminate on an endpoint network: the network to which end-user PCs are connected in the office and on which VPN connections terminate. The endpoint network should be segmented from servers and all other network resources, so that reaching them requires traversal of a firewall with granular rules that allow access only to those services and servers required.
Four management roles are defined. Two are permitted only on the end-user network, two only on restricted networks such as the server network, enforced by policies.
- Domain management, with rights to manage user accounts, Group Policy Objects, DNS, and DHCP. This role can create, modify and delete user accounts and assign non-management security groups, for instance to grant access to a particular file share. The domain management account should be the most restricted, and never used to log on to a server or PC.
- Server management, a member of the local administrators group of servers and computers located on the server network. Accounts with this role are used to log on to any computer on the server network, and have full rights to perform any server work. Server work includes installation, configuration and removal of applications, services, and Windows roles and features on the server, creation and management of file shares, and management of NTFS security.
- Workstation management – a member of the local administrators group of computers located on the endpoint network – primarily PCs and workstations. Accounts with this role should never be used to log onto any computer. These accounts can be used with the runas or similar mechanism when needed to install, configure or remove software or other local machine management tasks.
- Workstation user account – used to log onto any computer on the endpoint network. This account has only domain user rights – no access to any other system resources.
Enforcement. This particular discipline, TLP, is directed at ensuring that a hacker who has gained access to the corporate network is unable to create a new user account and grant it management rights, and, further, cannot obtain the credentials of an account that already has management rights. To accomplish this, TLP is deployed with a framework of these rules:
- No accounts in general use have Domain Admins, Enterprise Admins or Schema Admins rights.
- No management roles are permitted to grant management rights to other accounts. This prevents a hacker from elevating rights of another account.
- All privileged NT security groups are placed in a restricted OU, not accessible by any management role.
- An administrator's server management account must never be cached on any computer on the endpoint network, and the administrator's perimeter (workstation) management account must never be cached on any computer on a restricted network. These policies may be enforced by logon restrictions and by group policies controlling the caching behavior of all computers.
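As an added example (not code from the original post), the following PowerShell script audits the first and third rules above against Active Directory: it lists every user who holds Domain, Enterprise or Schema Admin rights through any nesting, and every principal with a write-class right on the restricted OU. The OU path and the two allow-lists are assumed names for illustration.

```powershell
# Added example, not code from the original post. Requires the RSAT ActiveDirectory
# module; run from a management host with a read-only account, never from an endpoint.
Import-Module ActiveDirectory

$netbios        = (Get-ADDomain).NetBIOSName
$restrictedOU   = 'OU=Restricted,DC=corp,DC=example'        # assumed: OU holding the privileged groups
$breakGlass     = @("$netbios\breakglass-da")               # assumed: the only permitted admin members
$allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    "$netbios\Domain Admins", "$netbios\Enterprise Admins")   # assumed allow-list

$findings = @()

# Rule 1: nobody in general use holds Domain/Enterprise/Schema Admin rights.
# -Recursive expands nested groups, so a member hidden two groups deep is still found.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $name = "$netbios\$($_.SamAccountName)"
            if ($breakGlass -notcontains $name) { $findings += "$name is a member of $group" }
        }
}

# Rule 3: no management role may write to the restricted OU. Every Allow ACE that
# grants a write-class right to a principal outside the allow-list is reported.
# (Default OUs often carry Account Operators and SELF ACEs; review each finding and
# extend the allow-list only for principals you intend to keep.)
$writeRights = 'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild'
$writeMask   = [int][System.DirectoryServices.ActiveDirectoryRights]$writeRights
$acl = Get-Acl -Path ("AD:\" + $restrictedOU)
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($allowedWriters -notcontains $who) {
        $findings += "$who holds $($ace.ActiveDirectoryRights) on $restrictedOU"
    }
}

if ($findings.Count -eq 0) { 'TLP domain rules: no findings' } else { $findings }
```

Extended rights such as password reset are not part of the write mask checked here; add them if the restricted OU also holds break-glass user objects.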
With TLP in place, a hacker who is able to gain access to the perimeter network now has limited options. They can harvest credentials from any compromised computer on the perimeter network, but will come up empty for any account that has logon rights to any computer on a restricted network, and for any account that has network management rights. In the end, there should be precious little they can do with any of the credentials available on the endpoint network, and no available credentials that permit access to restricted networks.
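The endpoint side of the same rules, again as an added example rather than the author's own tooling: a PowerShell script, run elevated on an endpoint PC, that reports whether cached logons are disabled and whether the server and domain management groups are denied every logon type that would leave their credentials on the host. The group names are assumptions.

```powershell
# Added example, not code from the original post. Run elevated on the endpoint
# (secedit needs it). Group names below are assumed; adapt them to your domain.
param(
    # Tier accounts that must never leave credentials on an endpoint (assumed names).
    [string[]]$DeniedGroups = @('CORP\Server-Management', 'CORP\Domain-Management'),
    # 0 means "Interactive logon: Number of previous logons to cache" is fully disabled.
    [int]$MaxCachedLogons = 0
)
$findings = @()

# 1. Cached-logon policy, stored by Winlogon; Windows behaves as 10 when the value is absent.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
if ([int]$cached -gt $MaxCachedLogons) {
    $findings += "CachedLogonsCount is $cached; policy allows at most $MaxCachedLogons"
}

# 2. Logon restrictions. secedit exports the effective user-rights assignments as
#    SIDs prefixed with '*', so translate the group names to SIDs before comparing.
$deniedSids = @(foreach ($g in $DeniedGroups) {
    ([System.Security.Principal.NTAccount]$g).Translate([System.Security.Principal.SecurityIdentifier]).Value
})
$cfg = Join-Path $env:TEMP 'tlp-userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(SeDeny\w+Right)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# The logon types that leave reusable credentials on the host must all be denied.
$required = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
            'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
for ($i = 0; $i -lt $DeniedGroups.Count; $i++) {
    foreach ($right in $required) {
        if (-not $rights.ContainsKey($right) -or $rights[$right] -notcontains $deniedSids[$i]) {
            $findings += "$($DeniedGroups[$i]) is not listed in $right"
        }
    }
}

if ($findings.Count -eq 0) { 'TLP endpoint rules: no findings' } else { $findings }
```

A right that no principal is assigned does not appear in the exported file at all, which is why a missing key is treated as a finding rather than an error.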
Frequently Asked Questions
The harvesting of account credentials by cyber-criminals, via phishing techniques and malware, has become an important means by which corporate networks are compromised. One important defense is to ensure that management credentials are never cached on endpoint computers, via implementation of Tiered Logon Protocol (TLP). This may be done by assigning network administrators several user accounts, each restricted to certain management roles ranging from user-only privileges to a high level of management rights: tiered accounts. Use of these accounts is typically restricted; for example, logon by an administrator to an endpoint computer would be restricted to an account with user-only rights.
Two-Factor Authentication requires that an end user provide a password and a code from a physical device. The term Multi-Factor Authentication (MFA) has taken the place of two-factor authentication simply because the technology deployed initially for two-factor authentication has evolved, such that implementations have become much broader than the initial two-factor systems, while retaining the requirement of authenticating with both something memorized and something obtained from a physical device.
All computers connected to a single network are able to communicate directly with each other. That network might be divided into two, with PCs connected to one and servers connected to the other; now PCs can communicate directly with other PCs but will be unable to reach servers. The network can be viewed as two segments, one for PCs and one for servers. Each of the two network segments might be connected to a firewall, such that traffic between the segments can be inspected and controlled, which adds security. Corporate networks typically have many segments, perhaps including PCs, general servers, VoIP for IP phones, wireless, management cards of network devices, and so on. The tools available to a hacker with access to the PC network are greatly diminished once it becomes necessary to cross a firewall to access central resources.
An endpoint device is taken to be any device that is used by an end-user to connect to a network – a PC, Mac, laptop, netbook, and so on. An endpoint network segment is taken to be a local network to which only endpoint devices are connected. The endpoint network segment will be connected to a firewall, such that access to other networks can be inspected and secured. Company servers and services might be located on a secure server network.